ISO 27001 includes management system specific requirements as well as an annex with 114 information security controls divided into 14 different categories.
Below we explain the requirements of ISO/IEC 27001:2013 as well as the security controls from Annex A of this standard.
In order to obtain conformity with ISO 27001 the organization is required to fulfill the requirements of the standard including the information security controls from Annex A that are applicable to its specific. The organization is free to develop and implement supplementary information security controls to those in Annex A, if it considers necessary.
The requirements of ISO 27001 are grouped into 7 major chapters: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.
Context of the organization
– The organization is required to identify internal and external issues that are relevant to its purpose and can affect its information security management system. Some examples of internal issues include – the structure of the organization, equipment and technology used, competence of personnel, organization culture, etc while external issues can include: information security related legislation, trends in information security, market and competition, financial and economic issues, etc.
– The standard requires the organization to identify the interested parties (parties having an interest in the organization’s information security management system) along with their relevant needs and expectations. Some examples of interested parties are: clients, employees, suppliers, community, business partners, users of the organization’s products and services, etc.
– The organization has to define the scope of its ISMS – activities and locations included in the information security management system. The company can decide to include all its activities and locations in the ISMS or apply the system only to some activities and/ or some locations.
– Top management is required to support the management system and demonstrate its commitment with respect to information security.
– Top management is also required to define an information security policy that is communicated inside the organization and made public to interested parties, as appropriate.
– It is also the task of top management to assign responsibilities and authorities to staff with regards to information security.
In order to have a functional information security management system and to obtain benefits from its implementation the involvement and support of top management is key.
– ISO/IEC 27001:2013 requires for an information security risk assessment. The methodology used for this assessment is at the choice of the organization. The risk assessment needs to be updated whenever needed (ex. in case of changes in the organization structure, following information security incidents, etc).
– Starting from the risk assessment results the company has to apply a risk treatment process and implement information security controls.
– A statement of applicability is required by the standard that contains the information security controls from Annex A of ISO 27001 along with justification of the decision to implement or not each control.
– ISO/IEC 27001:2013 requires that the organization defines information security objectives and plan actions for their achievement.
– The resources needed for the implementation of the information security management system have to be available.
– The organization is required to determine the competence needed for persons having an impact on information security. The company should ensure that persons are competent and, whenever needed, actions are taken to acquire the competence required (e.g. information security training).
– Persons doing work under the organization’s control have to be aware of the information security policy, their contribution to the information security management system, the benefits of improved information security performance as well as the implications of not conforming with information security requirements.
– The organization has to ensure that efficient communication (internal and external) processes are implemented.
– The information security management system shall include documented information. The extent of the documentation differs from one organization to the other depending on structure, size and specifics of activity. Controls for creating and updating the ISMS documented information have to be established (defining a format for the documents, the media – paper and/ or electronic, controls for the review and approval of documents). Also controls with regards to access, distribution, retrieval, use, storage, preservation, control of changes, retention and disposition of documented information have to be implemented. Those controls refer to both documents elaborated inside the organization and documents of external origin (e.g. documents from clients, external suppliers, etc.).
– The requirements are for the organization to plan, implement and control the processes needed to fulfill information security requirements.
– Planned changes have to be controlled to mitigate any adverse effects on information security, while the organization is also required to control any outsourced processes that may impact security.
– ISO 27001:2013 requires the organization to evaluate its information security performance as well as the effectiveness of the information security management system.
– At planned intervals the organization has to perform internal audits to ensure that the ISMS conforms to its own security requirements as well as the requirements of ISO/IEC 27001; it is effectively implemented and maintained.
– Top management shall review periodically the information security management system to ensure its continuing suitability, adequacy and effectiveness.
– Whenever information security related nonconformities are identified the organization has to react by implementing corrections (meant to control the nonconformity and its consequences) and corrective actions (that eliminate the root cause of the nonconformity).
– ISO/IEC 27001:2013 requires that the organization improves continually its information security management system.
Annex A of ISO/IEC 27001:2013
A5 – Information security policies
– The standard requires the organization to define a set of information security policy, approved by top management and communicated to employees and to relevant interested parties. The policies have to be reviewed periodically and whenever significant changes occur in the organization, to confirm their suitability, adequacy and effectiveness.
A6 – Organization of information security
– Responsibilities with regards to information security have to be assigned to company’s personnel. Conflicting duties and areas of responsibility shall be segregated (e.g. initiation and approval of transactions).
– The organization is required to maintain adequate contacts with authorities on information security aspects. Appropriate contacts with special interest groups, security forums or associations should be kept.
– Information security needs to be addressed in project management, regardless of the type of the project.
– The use of mobile devices involves significant information security risks so the standard requires a policy and supporting security measures to manage those risks.
– If the organization uses teleworking (work from remote locations – e.g. work from home, public places, etc) then a policy and security measures have to be established to address teleworking.
A7 – Human resource security
– The organization is required to perform background verification on all candidates for employment. The level of detail should be in line with the access to information and security risks associated to the position. Contractual agreements and other employment documents should specify information security related requirements.
– The management of the organization should require employees and contractors to apply information security in accordance with the policies and procedures of the organization. All employees and contractors will be receive awareness on information security.
– A formal disciplinary process to take action against employees who have committed security breaches has to be implemented and communicated to all personnel.
– Those information security responsibilities and duties that remain valid after the termination or change of employment (e.g. confidentiality clauses) shall be defined, communicated and applied.
A8 – Asset management
– An inventory of assets associated with information and information processing facilities has to be drawn up and maintained. “Owners” (persons or structures of the organization) have to be assigned to assets.
– ISO 27001 requires the organization to establish, document and implement rules for the acceptable use of information and assets associated with information or information processing facilities.
– The organization is required to ensure that, when their employment or contract is terminated, the employees and contractors return all organizational assets in their possession.
– ISO 27001 asks the company to define and apply a system for the classification of information taking into consideration aspects like value, criticality and sensibility to unauthorized disclosure or modification. A system of labeling information according to the classification rules shall be applied.
– In accordance with the classification scheme adopted the organization needs to develop and implement rules for handling assets.
– The organization is required to have procedures/ rules for the management of removable media (e.g. external HDD, USB sticks, CDs and DVDs, etc), including rules for securely disposing of media that is no longer used. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
A9 – Access control
– An access control policy (addressing both physical access and access to networks and applications) has to be established and documented.
– The organization has to ensure that users are only provided with access to network services that they have been specifically authorized to use.
– ISO/IEC 27001:2013 requires for a formal process of user registration and de-registration while the allocation and use of privileged access rights has to be restricted and controlled.
– The organization needs to ensure that upon termination of their employment, contract or agreement, access rights of employees and external parties are removed.
– The password management system should be interacted and ensure quality passwords.
-There have to be controls restricting users’ access to program source code.
A10 – Cryptography
– If the organization uses cryptography to protect the confidentiality, authenticity and/ or integrity of information then a policy on the use of cryptographic controls shall be developed and implemented. The use, protection and lifetime of cryptographic keys generated shall be addressed in a policy also.
A11 – Physical and environmental security
– ISO/IEC 27001:2013 requires the organization to define security perimeters meant to protect areas that contain either sensitive or critical information and information processing facilities. Only authorized personnel should be allowed to access secure areas.
– Physical security for offices, rooms and facilities has to be designed and applied.
– The organization is required to design and apply physical protection against natural disasters, malicious attack or accidents.
– Delivery and loading areas (areas where external unauthorized persons have access) shall be controlled and, if possible, isolated from information processing facilities, to prevent unauthorized access.
– The standard requires that equipment is sited and protected to reduce risks from environmental threats and hazards and opportunities for unauthorized access. Protection systems for power failures and other disruptions shall exist.
– The organization should use systems to protect cabling carrying data or supporting information services (using for example security measures generically referred to as TEMPEST) to protect from interception or interference.
– Equipment shall be maintained according to specification to ensure optimal operation.
– ISO 27001 requires the organization to ensure that assets are not taken off-sites without prior authorization and when this happens they need to be protected taking into consideration relevant risks.
– Equipment has to be verified to ensure sensitive data and licensed software is removed or overwritten prior to disposal or re-use.
– The standard requires users to ensure adequate protection of unattended equipment while the organization shall develop and apply a clear desk and clear screen policy.
A12 – Operations security
– ISO/IEC 27001 requires the existence of documented operating procedures available to users who need them.
– Changes in the organization and changes to business processes need to be controlled so that they don’t affect information security.
– The organization has to monitor the use of its resources and make projections of future capacity needs to ensure optimal operation.
– Development, testing and operational environments have to be separated.
– The organization shall ensure controls for malware detection, prevention and recovery.
– Backup copies of information and system images have to be taken regularly and tested to ensure they can be relied upon.
– Event logs (including errors, exceptions, faults and information security events) have to be produced, kept and regularly reviewed. Logs have to be protected from tampering and unauthorized access.
– System administrator activities should be logged and the logs protected and regularly reviewed.
– The clocks of all relevant information processing facilities should be synchronized.
– The organization should ensure procedures to control the installation of software on operational systems.
– ISO 27001 requires the organization to obtain in a timely fashion information on technical vulnerabilities of information systems, evaluate those vulnerabilities and implement measures to address the associated risks.
– Audit activities for operational systems should be disruptions to business processes are minimized.
A13 – Communications security
– ISO 27001 requires the organization to manage and control networks so that information in systems and applications is protected.
– Aspects regarding information security as well as service levels should be agreed with network services providers (regardless whether they are in-house of outsourced).
– Different groups of information services, users and information systems shall be segregated on networks.
– The organization is required to define and apply procedures and controls to protect the transfer of information regardless of the types of communication equipment used.
– Information exchanged through electronic messaging (e.g. email or instant messaging programs) shall be adequately protected.
– Requirements for confidentiality and non-disclosure shall be documented and shall reflect the needs of the organization to protect its information.
A14 – System acquisition, development and maintenance
– Information security related requirements are to be included in the organization’s requirements for new information systems or enhancements to existing systems.
– Confidential information passing over public networks (e.g. the case of online payments) shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
– ISO/IEC 27001:2013 requires the organization to develop and apply rules for the development of software. Following changes to operating platforms the organization shall review and test critical business applications to ensure there is no adverse impact on information security.
– The organization should have rules to discourage modifications to software packages.
– ISO 27001 requires for secure development environments to be established and appropriately protected, in case the organization develops software in-house.
– The activity of outsourced system developers has to be supervised and monitored.
– Testing of software products should involve also security functionalities and test data should be adequately protected.
A15 – Supplier relationships
– The organization has to agree and document with suppliers information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets.
– Information security requirements have to be agreed with every supplier that accesses, processes, stores, communicates or provides IT equipment and services. There requirements should refer also to risks associated with the information and communications technology services and product supply chain.
– The organization shall monitor, review and audit supplier service delivery.
A16 – Information security incident management
– ISO/IEC 27001:2013 requires organizations to establish procedures and assign responsibilities to ensure a quick and appropriate response to information security incidents.
– Security events shall be reported as quickly as possible using efficient communication processes.
– The organization shall require its employees and contractors using its information systems and services to note and report any observed or suspected information security vulnerability.
– Information security events shall be assessed to decide whether they represent information security incidents or not.
– The organization shall respond to information security incidents and the knowledge gained from analyzing and responding to incidents shall be used to reduce the likelihood or impact of future security incidents.
A17 – Information security continuity
– ISO 27001 requires the organization to embed information security into its continuity management, by defining controls to ensure that information security is preserved in case of adverse situations (i.e. crisis or disaster).
– The organization shall have sufficient redundancy for its information processing facilities to meet availability needs.
A18 – Compliance
– ISO 27001 requires the organization to identify and update applicable legal, contractual and regulatory requirements referring to information security.
– Procedures to ensure compliance with intellectual property, privacy and personally identifiable information requirements have to be established.
– Cryptography shall be used according to existing legislation (if applicable).
– The organization is required to ensure the independent review of its approach to managing information security i.e. controls, policies, procedures, etc) at planned intervals and whenever significant changes occur.
– Managers are required to regularly review compliance with applicable information security policies and procedures in their areas of responsibility.
Those are, in short, the requirements of ISO/IEC 27001:2013 standard.
Some requirements may not be applicable due to the activities of the organization and of course supplementary controls can be defined and implemented if necessary.