The ISO 27000 family of standards is an information security management framework used by organizations around the world. ISO 27001 is the certifiable standard in that family: it specifies the requirements, and a reference set of controls, that an organization uses to implement an information security management system (ISMS) which protects the confidentiality, integrity and availability (the CIA triad) of its information.
In this blog, we'll be taking a look at:
ISO 27001 is a cybersecurity standard and framework that helps organizations put an ISMS in place. It takes a risk-based approach: the organization identifies its information security risks, decides how to treat them, and uses the result to gauge and improve its security posture.
The predecessor of ISO 27001, BS 7799, was written by the United Kingdom's Department of Trade and Industry (DTI) and published by the British Standards Institution (BSI) in 1995. The first part of BS 7799, which dealt with information security management best practices, was revised in 1998 and adopted by ISO in 2000 as ISO/IEC 17799, titled Information Technology: Code of Practice for Information Security Management. The second part of BS 7799, titled Information Security Management Systems, was released in 1999; it specified the management system itself, including risk assessment and treatment, and was later adopted by ISO as ISO/IEC 27001 (in 2005), the certifiable standard of the ISO 27000 series.
At the time of writing, the current version of ISO 27001 is the 2013 edition, with minor corrections published in 2017.
It is divided into two major parts.
Annex A of the 2013 edition groups its controls into 14 domains, numbered A.5 through A.18. The remaining domains in Annex A are:
ISO 27001 is not a legal or regulatory mandate. As its structure suggests, the standard focuses on the individual requirements of each organization and recognizes that the ISMS put in place has to address that organization's unique needs and security risks. Organizations that want to obtain ISO 27001 certification must, however, demonstrate conformance with the standard's requirements.
An ISMS defines an organization's approach to information security, and the controls and procedures it has in place to protect its data. Having an ISO 27001 conformant ISMS also helps organizations meet other security and privacy obligations, such as those of the GDPR.
The objective of an ISMS is to help an organization uphold the CIA triad for its data. The CIA triad consists of:
Implementing all three parts of the CIA triad significantly increases cyber resilience and improves the capability of organizations to handle threats.
Apart from being compliant with ISO 27001, having an ISMS in place provides several advantages for an organization:
In simple terms, ISO 27001 is the standard an organization can be certified against, while ISO 27002 is an implementation guide: it provides detailed guidance that helps organizations understand and implement the controls listed in Annex A of ISO 27001. Organizations can choose which ISO 27002 guidance to adopt, and there is no certification against ISO 27002 itself.
Before looking at how ISO 27001 helps you comply with the GDPR, it is important to note that the objective of each is different. The GDPR is a regulation whose aim is to protect the privacy of personal data belonging to individuals in the European Union, whereas ISO 27001 is a standard whose aim is to help organizations build an ISMS that protects all the information they hold and process.
The following are the commonalities between ISO 27001 and the GDPR:
While the two overlap in the controls they call for, it is in an organization's best interest to meet the requirements of both the GDPR and ISO 27001, since each serves a different objective.
In order to obtain the coveted ISO 27001 certification, an organization will have to show that it has successfully implemented an ISMS and has taken the necessary steps to address risks.
The audit for an ISO 27001 certification takes place in two stages:
Stage 1: The auditor reviews the documented ISMS and assesses whether it meets the requirements stated in the standard. The organization must produce a Statement of Applicability (SoA), a vital requirement for certification. The SoA lists which of the 114 Annex A controls have been selected and how each is implemented, as well as the controls that have been excluded and the justification for excluding them. Stage 1 is mostly a document review, with minimal interaction with the people tasked with operating the ISMS.
Stage 2: The organization is audited to verify that the processes it actually operates match what is documented in the ISMS. The auditors interview those responsible for operations, examine the evidence behind the documentation, and review the controls implemented to treat the identified risks. Typically around three months' worth of operating evidence (records, logs, review minutes) is expected.
Once acquired, an ISO 27001 certification is valid for three years after which a re-certification assessment is conducted. After certification, organizations can expect surveillance visits at least once every year to ensure they are evolving and adding the latest security measures to stay vigilant and up-to-date.
ISO 27002 was substantially revised in February 2022. The change most relevant to organizations implementing ISO 27001 is that the number of controls listed in ISO 27002 dropped from 114 to 93, largely by merging many of the 2013 controls and adding a small number of new ones.
Until a revised ISO 27001 is published (expected in October 2022), ISO 27001 certified organizations may need to map their existing Annex A controls onto the 2022 ISO 27002 control set, treating it as a new or different set of security controls.
Implementing an ISO 27001 conformant ISMS means implementing strict access control measures to uphold the confidentiality, integrity, and availability of sensitive data. In the 2013 edition of Annex A this is reflected in, among others, event logging (A.12.4.1), protection of log information (A.12.4.2) and secure log-on procedures (A.9.4.2): organizations need to record and regularly review event logs, protect the logs themselves from unauthorized access and modification, and ensure that logon attempts are controlled and recorded.
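The following is an added example, written for this article and not code from the original page or from Log360, showing two of the controls just described in working form: a review of logon events that flags a burst of failed logons from one source (and a later successful logon from that same source), and a keyed hash chain over archived log lines that detects tampering or deletion of protected log records. The sshd-style log lines, the detection threshold and window, and the archive key are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style sshd events), not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-03-01T09:00:03 sshd[101]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-03-01T09:00:05 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-03-01T09:00:06 sshd[101]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-03-01T09:00:08 sshd[101]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T09:00:09 sshd[101]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T09:05:00 sshd[102]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-03-01T09:30:00 sshd[103]: Accepted publickey for carol from 192.0.2.9 port 42000 ssh2
"""

# Placeholder key for the example only; a real archive key lives in a KMS/HSM.
ARCHIVE_KEY = b"example-archive-key-replace-me"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Turn sshd-style log lines into logon events (Failed/Accepted, user, source IP)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event this parser understands
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP with >= threshold failed logons inside a sliding window,
    and any successful logon from that source once it has been flagged."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if e["ip"] in alerted:
                alerts.append({"kind": "success_after_burst", "ip": e["ip"],
                               "user": e["user"], "at": e["ts"]})
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and e["ip"] not in alerted:
            alerted.add(e["ip"])
            alerts.append({"kind": "failed_logon_burst", "ip": e["ip"],
                           "user": e["user"], "at": e["ts"], "count": len(q)})
    return alerts


def chain_records(lines, key, prev=b"\x00" * 32):
    """Protect archived log lines: each record's tag is an HMAC over the previous
    tag and the line, so editing, reordering or deleting a line breaks the chain."""
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key, prev=b"\x00" * 32):
    """Return the index of the first record whose tag does not verify, or None."""
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return None


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
    archived = chain_records(SAMPLE_LOG.splitlines(), ARCHIVE_KEY)
    print("archive intact:", verify_chain(archived, ARCHIVE_KEY) is None)
```

In the sample, 203.0.113.7 produces five failures within eight seconds and is flagged, and the password logon that follows from the same address is flagged as a success after a burst, which is the event a reviewer should look at first. The chain check reports the position of the first altered or missing record, so a log that has been edited in place or had a line removed fails verification at that point rather than silently passing review.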
ManageEngine Log360, a SIEM solution with extensive log management capabilities, automates the collection of large volumes of logs. It securely archives collected logs for analysis and uses file integrity monitoring to detect changes to them, and its out-of-the-box security reports help organizations maintain their access control measures. These reports track successful and unsuccessful logon attempts, user activity, and access to critical devices and applications. Log360 also tracks changes to user, domain, and audit policies, which organizations can use to confirm that secure logon procedures remain in place. These changes can be monitored, analyzed, and presented as real-time, audit-ready reports that contribute significantly to compliance procedures.
To learn more about how Log360 can help you comply with ISO 27001, sign up for a free, 30-day trial to check it out yourself, or request a personalized demo with our product experts.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.