If you run a business, you should know that you have an obligation to take care of sensitive data of any kind. To help you do this, there are many regulations and compliance frameworks for you to follow, covering how you take in data, how you store it and how you need to protect your systems to ensure they aren’t compromised. On that last point, there are many IT, cyber and information security frameworks and standards you should be aware of, especially if you are a business owner handling any sort of sensitive data for your clients. We couldn’t fit all of them into one post without diminishing them, so instead we’re going to focus on four main areas in four different posts: ISO 27001, Cyber Essentials, CIS Critical Security Controls and ISO 27032. We’ll start with ISO 27001.
What Is An ISO Standard?
Starting at the beginning, ISO standards are international standards set out by the ISO, which stands for International Organisation for Standardisation. This body (which has a membership of over 163 national standards bodies) creates documents that provide each industry with requirements, specifications, guidelines and characteristics that can be used consistently to ensure that materials, products, processes and services are truly fit for their purpose. This ensures that customers receive a consistent minimum standard of products or services. These standards are developed by the industry that needs them, using experts from all fields and geographical locations to ensure everyone can adhere to them easily. Almost every sector you can think of has its own set of ISO standards, and these are identified by a series of numbers. Some standards relevant to IT security are ISO 27001, ISO 27002, ISO 15408, ISO 27018 and ISO 27032.
What Is ISO 27001?
ISO/IEC 27001:2013 (formerly known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). To break that down, an ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management process. According to the International Organisation for Standardisation, ISO 27001 was developed in order to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system”. ISO 27001 has been designed to be technology neutral, and uses a top-down, risk-based approach to help businesses plan for risk. The standard breaks down into a six part process for business owners to follow. The standard itself has a series of clauses, which are to be implemented by organisations, and then a series of controls contained within Annex A, which are further supported in ISO 27002. Think of ISO 27001 as telling you what to do, and ISO 27002 as providing information on how to do it.
Some of the core components to be implemented by businesses are to:
- Define a security policy.
- Have, and be able to demonstrate, senior leadership support.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
These areas bring us nicely onto our next point about ISO 27001: the controls.
ISO 27001 Controls – Annex A
Within the ISO 27001 framework there are currently 114 controls, separated into 14 groups and 35 control objectives defined within Annex A. The controls are there to help an organisation choose the correct method for mitigating risk and protecting its business. The list below defines the main Annex A control areas within ISO 27001:
A.5: Information security policies (2 controls)
A.6: Organisation of information security (7 controls)
A.7: Human resource security (6 controls)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
These controls are updated periodically to keep up with changing technologies. In order to be compliant with ISO 27001, business owners need to identify which of these controls are applicable to them, and implement them.
At Bridewell Consulting, we specialise in helping businesses understand their obligations under different IT, cyber and information security frameworks like ISO 27001. This includes full end-to-end implementation of an ISMS, taking businesses from nothing straight through to ISO 27001:2013 certification. We offer fully managed and partially managed (but fully supported) ISO 27001 consultancy services, as well as internal audits to help you identify risk points and comply with the requirements of the standard. For more information, get in touch with one of our experts today.