ISO 27001 – Information Security Management.
WHAT IS ISO 27001?
ISO 27001 is a voluntary and certifiable international compliance standard for information security management, first published in 2005 by the International Organization for Standardization (ISO). The current version of the standard is ISO/IEC 27001:2013, which has undergone various amendments over the years, for example in 2017.
This standard establishes the requirements and methodology for implementing an Information Security Management System (hereinafter ISMS). We can say that the implementation of an ISMS is the central part of the ISO 27001 standard.
It provides organisations with the necessary tools to manage information securely, helping to protect one of the most important assets of an organisation, information.
ISO 27001 is a worldwide benchmark and one of its objectives is to provide confidentiality, integrity and continuous availability of information to protect it from any interference or risk to which it may be subjected, especially in a context of technological transformation.
Currently, although ISO 27001 is voluntary, compliance with it has become almost a compulsory condition when working with large organisations. This is because it not only protects data and prevents the disastrous consequences of a risk materialising, but also generates more confidence among the third parties with whom the organisation relates, be they clients, suppliers, etc.
In this sense, ISO 27001 can be implemented in any type of organisation, private or public, and regardless of its size and business activity. Information is an increasingly important asset in any type of activity, so managing information security is an increasingly important need in any business sector. It is not surprising that sectors such as the financial sector, the health sector, the transport sector, etc., are seeing an increase in the number of certifications in this standard, ISO 27001.
Obtaining certification in ISO 27001 will generate added value for the organisation with respect to other competitors, will generate more trust in the eyes of third parties and, furthermore, will reduce the probability of incidents, mitigate their impact and avoid possible negative and damaging consequences for the organisation.
STRUCTURE OF ISO 27001
When talking about the structure of the standard, ISO 27001 can be divided into two parts. The first corresponds to the guidelines that give shape to an Information Security Management System (ISMS), and the second refers to the annex that lists the security controls that must be implemented in the organisation, which are described in greater detail in ISO 27002.
Thus, we can say that, on the one hand, we have ISO 27001 that tells us what to do to protect information and implement an ISMS and, on the other hand, we have ISO 27002 that tells us how to do it.
As mentioned above, the first part of ISO 27001 is structured as follows:
- Purpose and scope of application: This section gives a series of indications on the purpose, use and application of the standard.
- Standards for consultation: This section lists the other standards that need to be consulted in order to apply ISO 27001.
- Terms and definitions: This third point provides a guide to the key words and their definitions that enable you to understand the requirements of the standard.
- Organisational context: This is one of the fundamental requirements established by the standard and a reference point in the application of the information security management system. It is necessary to know the organisation and define all those external and internal issues that, in relation to information security, are relevant and affect it in order to achieve the desired results of its ISMS.
Thus, the necessary indications on the knowledge of the organisation and its context, the needs and expectations of the parties involved and the determination of the scope of the ISMS, defining its limits and applicability, are included.
- Leadership: In addition to the context of the organisation, ISO 27001 considers the requirements concerning the commitment of the top management in the process of implementing an ISMS as fundamental. The involvement of management in creating a security culture in the organisation is essential.
Therefore, this commitment is materialised by leading the development of a security policy, providing the necessary material and human resources, promoting awareness and continuous improvement, etc., thus ensuring the integration of the security system requirements in the organisation’s processes.
The Information Security Policy, which is very important in ISO 27001, is nothing more than a document in which the management sets the principles and objectives and assumes its commitment to security. It is essential that it is aligned with the rest of the organisation’s strategies so that it is integrated into the day-to-day running of the organisation and there are no discrepancies. For it to be truly meaningful, the policy needs to be known and published both internally and to the rest of the organisation’s stakeholders.
As already mentioned, it is important to generate a real culture around information security in the company, so it must be borne in mind that information security is a multidisciplinary and transversal issue, where not only the involvement and commitment of top management is necessary, but also the participation of all employees, who must be aware of the action plans to be carried out and the way in which they contribute to their fulfilment. In order to achieve this active collaboration and to ensure that tasks are carried out efficiently, it is necessary to assign roles and responsibilities.
- Planning: Once the context of the organisation has been established, it is necessary to determine the risks and opportunities that need to be addressed (defining the methodology, identifying assets and identifying threats and vulnerabilities), carrying out a risk assessment according to the acceptance criteria, and also defining the information security objectives and planning how to carry them out.
- Support: At this point, the standard refers to the fact that for the proper functioning of the ISMS it is necessary to have the necessary resources and the competence and awareness of both personnel and all interested parties. Likewise, it is also necessary to define internal and external communications processes and documentation as evidence of compliance with the requirements established by ISO 27001.
- Operation: This chapter is where the measures defined in the previous chapters are put into action, therefore, the organisation must plan, implement, monitor and control the necessary processes for the fulfilment of the security requirements as well as the assessment of risks and their treatment.
- Performance evaluation: As a fundamental part of any management system, it is necessary to evaluate the performance of the actions undertaken and the effectiveness of the ISMS. Thus, monitoring, measurement, analysis, and evaluation must be carried out to ensure proper compliance. The management must review the ISMS periodically to ensure its adequacy and effectiveness, checking whether the objectives are being achieved and, if not, looking for possible causes and deciding on solutions. Another tool available to organisations is internal audits.
ISO 27001 imposes the need to carry out these audits at planned intervals as the main tool for controlling compliance of the ISMS with the organisation’s own requirements in relation to the system and those established by the ISO 27001 standard itself.
- Improvement: Finally, the process of continuous improvement allows the maturity of the system to be raised and possible deviations to be corrected. This is where we find the treatment of non-conformities, corrective actions and continuous improvement.
On the other hand, we have the second part of the ISO 27001 standard, the part on security controls, set out in Annex A. This is the guide that organisations must follow when implementing an ISMS. The annex is made up of 114 controls grouped into 35 categories and 14 security domains, covering areas such as policies, organisational aspects, human resources, asset management, logical access and encryption, among others.
NEW VERSION OF ISO 27001
Last September, the draft of the new ISO 27001:2022 was approved. The update of the standard is expected to be published in the last quarter of this year, with a transition period of 3 years. Against this background, the International Accreditation Forum (IAF) has set out the requirements for the transition to the new version of the standard, detailed in IAF MD 2026, to serve as a basis for certification bodies to act in a coordinated manner.
The main part of ISO 27001, clauses 4 to 10, which covers scope, context, stakeholders, etc., will not change with this update. The changes introduced by ISO 27001:2022 mainly concern Annex A, which follows the new control set introduced in February by ISO 27002:2022.
On the other hand, as can be seen from the IAF document, the changes include, broadly speaking:
- Annex A references to controls in ISO/IEC 27002:2022, including control title and control information.
- The notes to Clause 6.1.3 c) have been revised editorially, including the removal of control objectives and the use of “information security control” to replace “control”.
- The wording of Clause 6.1.3 d) is reorganised to remove potential ambiguity.
Furthermore, compared to the previous version, the number of controls in ISO 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. For the controls in ISO 27002:2022, 11 controls are new, 24 controls were merged from existing controls and 58 controls were updated.
Finally, if you are already ISO 27001 certified, you should know that this new update will not affect your certification, but you will have 36 months from the publication of ISO 27001:2022 to make the transition and update your ISMS.