Chapter – 2 : Clause-Wise Requirements of ISMS Management System

1.0 Introduction
What is an Information Security Management System (ISMS)?

ISO 27001:2013 is an International Standard that specifies requirements for an information security management system (ISMS), with guidance for its use, to enable an organization to proactively improve its ISMS performance in preventing information security incidents. ISO 27001:2013 is intended to be applicable to any organization regardless of its size, type and nature. ISO 27001:2013 enables an organization to address information security issues through its Information Security Management System; however, it should be noted that an organization can also be required by applicable legal requirements to address such issues.

Until recently, industries have been reactive towards information security management, which has led to an end-of-pipe approach to the ISMS, in which incidents are dealt with only after they occur. It is now an established fact that this approach alone cannot yield the desired objective, viz. protection of information. In this scenario, the concept of an ISMS built on prevention of information security incidents is taking shape.

2.0 Plan – Do – Check – Act cycle


The clauses and requirements of the Information Security Management System standard
ISO 27001:2013 are based on the Plan – Do – Check – Act (PDCA) cycle. PDCA is an
integral cycle that operates at the process level and at an overall system level.

Copyright 2020 @ Punyam Academy | [email protected] | +91-98250 31523 Page 1 of 25


3.0 An overview of the ISO 27001:2013 standard
After the introduction to the standard, the requirements of ISO 27001:2013 are given under clauses 1 to 10, as listed below:
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
High level structure (HLS) of ISO 27001:2013
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of information security management system
• Information security management system
5. Leadership
• Leadership and commitment
• ISMS policy
• Organizational roles, responsibilities and authorities
6. Planning
• Actions to address risks & opportunities
• ISMS objectives and planning to achieve them
7. Support
• Resources
• Competence
• Awareness
• Communication
• Documented information
8. Operation
• Operational planning and control
• Information security risk assessment
• Information security risk treatment
9. Performance evaluation
• Monitoring, measurement, analysis & evaluation
• Internal audit
• Management review
10. Improvement
• General
• Nonconformity and corrective action
• Continual improvement

4.0 Context of the organization

4.1 Understanding the organization and its context

Although the ISO 27001:2013 standard doesn't prescribe the method for determining the context of the organization, there are some logical steps and milestones.
First, you need to determine which of the new requirements are already met in your existing documentation.
As an existing company, you may have already implemented ISO 27001:2005 and defined, in the ISMS Manual, the scope of the Information Security Management System (ISMS) together with the sequence of its processes and their interaction, either as text or as a flowchart.
If you are implementing the standard from scratch, you need to determine the scope of your ISMS and identify the processes and their interactions.
Once the scope of the ISMS is defined, with any permissible exclusions, the processes and their inter-relationships are identified.
To determine the external context of the organization, you should consider issues arising from its social, political, legal, regulatory, financial, economic, technological and competitive environment, key organizational drivers, organizational trends, relationships with external stakeholders, and culture. Examples of external context may include:
• Government regulations and changes in the law;
• The requirements of regulatory bodies such as the Factories Act / IT Act / Govt. of India rules, etc.;
• The organization's competition;
• Events that may affect corporate image;
• Changes in technology.

To determine the internal context of the organization, you should consider issues arising from its values and culture, organizational structure, governance, current roles and responsibilities, systems and tools, resource levels, capabilities, process maturity, decision-making process, and relationships with internal stakeholders. Examples of internal context may include:
• High employee turnover, which can delay the arrangement of training or require many training courses to be arranged;
• Technology changes;
• Employees' welfare;
• A slow decision-making process;
• Changes and trends that pose a risk to the ISMS objectives of the organization;
• Transportation, etc.
4.2 Understanding the needs and expectations of interested parties

The requirement to identify relevant interested parties means that you need to decide whose opinion your organization should consider.
These interested parties include:
• Direct customers / end users;
• Legal authority;
• Employees;
• External providers;
• Corporate partners;
• Statutory and regulatory bodies (e.g. IT officer / Govt. officer, etc.);
• Owners / shareholders;
• Insurance provider;
• Shareholders;
• Society / neighbors;
• Anyone who has a risk from your business.
Needs and expectations of interested parties:
1) Direct customers and end users need a quality product with secure information, on-time delivery, etc.;
2) Suppliers or others involved in the supply chain need more business and release of payment on time;
3) Regulators and government organizations need compliance with all legal and statutory requirements by the organization;
4) Neighborhood industries and society need a safe work environment and good relations;
5) Any other relevant interested parties, such as insurers, media, banks and credit firms, need timely document submission and payment.

Their feedback can help you to determine how and what can be improved in your organization.
Their requirements, expressed as the questions they typically ask:
• What are the terms and conditions?
• When will I be paid?
• Have we got effective communications?
• What information do I need and when can they give it to me? Are they above board?
• Are they compliant with the applicable requirements?

4.3 Determining the scope of the ISMS

Organizations must clearly define what services they provide and link this to the relevant standards that govern them.

The scope of the information security management system should be stated in terms of products and services, the main processes used to deliver them, and the sites of the organization.

Where a requirement is not applicable within the scope of the information security management system, the scope should provide justification, and such exclusions must not affect the conformity of products and services or information security.

4.4 ISMS and its processes

The standard requires the organization to establish a process-based information security management system, which must be maintained and continually improved.
The clause sets out high-level requirements for the design of such a process-based management system.
For organizations that already have an operational ISO 27001:2005 ISMS, there will be a need to conduct a review to assess what actions are required to ensure compliance with the new requirements for a process approach. These processes are integral, and there are also support processes that underpin the operation of the entire ISMS. It does not mean that you have to fill your ISMS manual with flowcharts; if flowcharts work for you, then use them.

5.0 Leadership
5.1 Leadership and commitment
ISO 27001:2013 requires top management to be much more "hands-on" with respect to their ISMS.
Where the word "ensure" is used, top management may still assign the task to others for completion.
Where the words "promote", "take", "engage" or "support" appear, these activities cannot be delegated and must be undertaken by top management themselves.

Top management must:
• Ensure that the organization's ISMS policy and ISMS objectives are consistent with the organization's overall strategic direction and the context in which the organization is operating;
• Ensure the integration of the information security management system requirements into the organization's processes;
• Ensure the availability of resources needed for the ISMS;
• Ensure that the importance of effective information security management and of conforming to the information security management system requirements is communicated across the organization;
• Make sure that the information security management system is achieving its intended results;
• Lead people to contribute to the effective operation of the system;
• Drive continual improvement and innovation and develop leadership in their managers.
Top management should ensure that:
• The requirements set out in ISO 27001:2013 are met;
• ISMS processes are delivering their intended outcomes;
• Reporting on the operation of the ISMS and identification of any opportunities for improvement is taking place;
• A focus on interested parties is promoted throughout the organization;
• Whenever changes to the ISMS are planned and implemented, the integrity of the system is maintained.
5.2 ISMS Policy
Top management must establish, implement and maintain an ISMS policy that:
• Is appropriate to the purpose and context of the organization;
• Provides a framework for setting ISMS objectives;
• Includes a commitment to satisfy applicable requirements related to information security;
• Includes a commitment to continual improvement of the ISMS to enhance ISMS performance.
Top management must also:
• Tell everyone about the ISMS policy;
• Make sure it is maintained as written documented information and displayed at identified places;
• Make sure people know it and understand it;
• Give it to interested parties who have an interest in your business (e.g. clients / suppliers / staff);
• Publish it on the company's website.

5.3 Organizational roles, responsibilities and authorities
Top management should allocate responsibilities across the organization to:
• Maintain the information security management system;
• Ensure that what is supposed to happen is happening;
• Ensure that the desired outcome of the business processes is achieved and determine how it can be improved;
• Ensure that customers and interested parties are remembered at all times.
6.0 Planning
6.1 Actions to address risks and opportunities

6.1.1 General
• Consider issues and requirements to determine risks and opportunities.
• Determine the risks and opportunities that need to be addressed to:
a) ensure the ISMS can achieve its intended outcome;
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
• Plan actions to address risks and opportunities.
• Plan how to integrate and implement the actions into processes.
• Plan how to evaluate the effectiveness of these actions.
6.1.2 Information security risk assessment

• Establish and maintain information security risk criteria, including:
1) the risk acceptance criteria;
2) criteria for performing information security risk assessments.
• Ensure that repeated information security risk assessments produce consistent, valid and comparable results.
• Identify information security risks:
1) apply the risk assessment process to identify risks associated with the confidentiality, integrity and availability (CIA) of information within the scope of the ISMS;
2) identify the risk owners.
• Analyze the information security risks (consequences, likelihood, level of risk).
• Evaluate the information security risks:
1) compare the results of risk analysis with the risk criteria;
2) prioritize the analyzed risks for risk treatment.
• Identify and evaluate options for the treatment of risks.
• Prepare a Statement of Applicability.
Document the information security risk assessment process as a procedure.
6.1.3 Information security risk treatment
Apply and implement an information security risk treatment process:
a) Select appropriate information security risk treatment options, taking account of the risk assessment results;
b) Determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
c) Compare the controls determined with the list of controls given in Annex A of the standard (do not omit necessary controls);
d) Produce a Statement of Applicability that states the applicability of controls and the justification for inclusions or exclusions;
e) Formulate an information security risk treatment plan;
f) Obtain the risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
6.2 ISMS objectives and planning to achieve them
ISMS objectives
Establish ISMS objectives at relevant functions and levels, considering the information security threats, the compliance obligations associated with those threats, and the risks and opportunities.

The ISMS objectives must be:
• Consistent with the ISMS policy: the objectives should be within the framework of the policy.
• Measurable: if practicable, they should be quantified and specified with targets.
• Monitored: the results should be verified against the time plan at regular intervals.
• Communicated: to relevant levels and functions.
• Updated: as appropriate. ISMS objectives should be reviewed and updated based on the results achieved.
Documented information on the ISMS objectives must be maintained.
Ensure that whatever ISMS objectives you plan are SMART:
• Specific
• Measurable
• Achievable
• Realistic
• Time bound
Other key rules are:
• Make sure they comply with the law and industry standards.
• Make sure they conform to the products and services, to make them better.
• Monitor: check what you are doing.
• Tell the staff what the objectives are and what you expect of them.
• Update them when management changes something, and keep records of this.

Planning actions to achieve ISMS objectives

When planning how to achieve ISMS objectives, determine:
• What will be done? Specify what to monitor.
• What resources will be required? Specify what resources are needed.
• Who will be responsible for monitoring?
• When will it be completed? When will the objectives be achieved? What is the target date?
• How will the results be evaluated? For example, by data gathering and monitoring.
7.0 Support
7.1 Resources
Determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the information security management system.

Consider the capabilities of, and constraints on, existing internal resources, and what needs to be obtained from external providers.
People / Personnel
Consider what the organization has in-house and whether this is sufficient and fit for purpose to achieve the business plan, and what additional support might be needed externally (e.g. subcontractors that provide some special service outside of their field).

This standard expects an organization to determine and provide the appropriate number of personnel to effectively implement the ISMS and to operate and control its processes.
Infrastructure
A company must consider all the things it will need in order to deliver a service/product to the customer/client. The need for the following must be considered:
• Building(s) / water / gas / electricity, etc.;
• Equipment: for example computers / operating systems (e.g. alarm master), mobile phones / tablets, etc.;
• Vehicles: for management / sales and survey staff;
• Information: standards that have to be applied.
7.2 Competence
• Determine the necessary competence of persons doing work under the organization's control that affects ISMS performance and the ability of the organization to fulfill its compliance obligations.
• Ensure that these persons are competent on the basis of appropriate education, training or experience. Use a skill matrix, competency reviews, and the work experience and educational data of the employees.
• Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. Actions may include the provision of training to, mentoring of, or reassignment of currently employed persons, or the hiring or contracting of competent persons.
• Retain appropriate documented information as evidence of competence.
7.3 Awareness
Ensure that persons doing work under the organization's control are aware of:
• The ISMS policy; this can be confirmed by interviewing employees.
• Their contribution to the effectiveness of the system, including the benefits of improved performance; discuss how they contribute to improvements and the benefits of improvement.
• The implications of not conforming to system requirements; make them aware of the result of not following the process, and of the loss in case of not complying with the information security management system requirements and not fulfilling the organization's compliance obligations.
7.4 Communication
Establish, implement and maintain the processes needed for internal and external communication relevant to the ISMS. Consider:
• What it will communicate: the subject of communication;
• When to communicate: the time-line / interval of communication;
• With whom to communicate: for example, a functional department;
• Who will communicate: for example, the IS Head;
• How to communicate: for example, by mail, or through meetings, notice boards or announcements.
When establishing the communication process:
• Ensure that the information communicated is consistent with the information generated within the ISMS and is reliable.
7.5 Documented information
7.5.1 General
This refers to what is needed for the ISMS. In order to prove that you are working with an ISMS, you need to evidence it. Documented information is basically the documents needed to provide evidence of conformity with requirements.
7.5.2 Creating and updating
The documents should be created and updated, when necessary, in such a manner that they are suitable and adequate.
A clear and approved format for the documents is also expected, to ensure that anyone who uses the documents finds them fit for purpose. This may seem slightly unnecessary for a small or medium-sized enterprise (SME), where the team may be very small, even one or two persons including you. For larger businesses it is really important, so that documents are created and used properly and the changes that have been incorporated don't get lost when someone else doesn't understand them or removes them.
7.5.3 Control of documented information
The documents that you use should be under clear document control. This means that each document is available and suitable for use, where and when needed, and is also protected. You may already be used to doing this.
Businesses are required to ensure that whoever needs a document/template has access to it and that it is the right one. There is also a reminder that a lot of business documents contain confidential information such as:
• Addresses;
• Prices (which in the hands of competitors is unhelpful);
• Secure information about a client's site (which could be used improperly in the wrong hands).
Control of Documented Information
• Documented information (document) control, key points:
  - Identification
  - Storage
  - Protection
  - Retrieval
  - Retention time
  - Disposition
• Documented information (record) control, key points:
  - Established and maintained
  - Evidence
  - Controlled
  - Legal requirements
  - Legible, identifiable and retrievable
Sample List of Documented Information for ISMS
1. Documented statements of the ISMS policy and ISMS objectives
2. The scope of the ISMS and information to support the operation of the processes
3. Risk assessment and treatment plan
4. Records for compliance with the requirements of this ISMS standard
5. Statement of Applicability
6. Policies and procedures to establish controls on information security as per the established ISMS.
8.0 Operation
8.1 Operational planning and control
Plan, implement and control the processes.
Implement the actions determined for risks and opportunities.
Implement the risk treatment plan and controls to achieve the information security objectives.
Maintain documented information to establish confidence.
8.2 Information security risk assessment
Perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, taking account of the criteria established.
Retain documented information on the results of the risk assessments.
• Risk assessment: threats
  - To breach the confidentiality of information assets;
  - To damage the integrity of information assets (deliberate or accidental corruption);
  - To interrupt the availability of information assets.
• Risk assessment: vulnerabilities
  - Weaknesses in the organization or information system that may be exploited (by a threat) to cause potential harm to assets.
• Risk assessment: threats, examples
  - Technical: failure of network, poor system performance
  - Logical: masquerading, communications infiltration
  - Physical: theft, willful damage
  - Environmental: power failure, fire, water
• Risk assessment: vulnerabilities, examples
  - Technical: unprotected connections to network/services
  - Logical: wrong selection and use of passwords
  - Human: insufficient security / user protection
  - Environmental: lack of UPS
• Risk assessment: degree of risk
  - The likelihood of a threat harming information assets.
• Risk assessment: impact
  - The degree of business harm and potential consequences likely to result from a failure to protect assets from threats.
8.3 Information security risk treatment
Implement the information security risk treatment plan.
Retain documented information on the results of the information security risk treatment.
• Risk treatment
  - Controls selected and implemented to reduce the risks to an acceptable level are:
    - Preventive, detective or corrective;
    - From ISO/IEC 27002:2013 and/or additional controls.
  - Measures can be physical, procedural or product-based.
  - Cost should be in balance with the risks and potential impacts.
  - A business decision is required.
9.0 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization must monitor, measure, analyze and evaluate ISMS performance.
• Determine:
1. What needs to be monitored and measured (M & M);
2. The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
3. When the monitoring and measurement (M & M) will be performed;
4. Who will monitor and measure (M & M);
5. When the results from M & M will be analyzed and evaluated;
6. Who will analyze and evaluate the results from M & M.
Retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results.
9.2 Internal audit
9.2.1 General
There continues to be a need to carry out internal audits, and to do so effectively, to provide information on whether the information security management system (ISMS) is effectively implemented and maintained and whether it conforms to the organization's own requirements for the ISMS as well as the requirements of the International Standard ISO 27001:2013.
9.2.2 Internal audit program
The organization must:
• Plan, establish, implement and maintain an internal audit program, including the frequency, methods, responsibilities, planning requirements and reporting of audits;
• Consider the importance of the processes concerned to the ISMS, changes affecting the organization, and the results of previous audits when establishing the audit program;
• Define the audit criteria and scope for each audit;
• Select auditors so as to ensure the objectivity and impartiality of the audit process;
• Ensure that audit results are reported to relevant management.
Retain documented information (records of audit) as evidence of the implementation of the audit program and the audit results.
9.3 Management review
Top management (CEO / Director) must review the information security management system (ISMS) at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Management review inputs
The management review must be planned and carried out taking into consideration:
1. Status of the ISMS (accomplishments, concerns, solutions);
2. Resources and training;
3. Summary review of internal / external ISMS audits;
4. Customer feedback / feedback from interested parties and complaints, if any;
5. Results of the customer satisfaction survey and feedback from interested parties;
6. Status of nonconformities and corrective actions;
7. Status of monitoring and measurement results;
8. Status of information security objectives;
9. Techniques, products or procedures that could be used in the organization to improve the ISMS;
10. Techniques, products and procedures for ISMS performance and effectiveness; review the effectiveness of measurement with respect to control implementation;
11. Recommendations for continual improvement;
12. Changes, if any, to the ISMS and their effect;
13. Follow-up on actions from previous management reviews;
14. Vulnerabilities or threats not adequately addressed in the previous risk assessment.
Management review outputs
The outputs of the management review should include:
• Conclusions on the continuing suitability, adequacy and effectiveness of the information security management system;
• Decisions related to continual improvement opportunities;
• Decisions related to any need for changes to the information security management system, including resources;
• Actions, if needed, when ISMS objectives have not been achieved;
• Opportunities to improve the integration of the information security management system with other business processes, if needed;
• Any implications for the strategic direction of the organization.
Retain documented information as evidence of the results of management reviews, for example the minutes of the management review meeting with discussion points and actions decided.

10.0 Improvement
10.1 General
Determine opportunities for improvement and implement the necessary actions to achieve the intended outcomes of the information security management system.
When taking action to improve, the organization should consider:
• The results from analysis and evaluation of ISMS performance;
• Evaluation of compliance;
• Internal audits;
• Management review.
Examples of improvements:
• Correction;
• Corrective action;
• Continual improvement;
• Breakthrough change;
• Innovation and re-organization.
10.2 Nonconformity and corrective action
When something goes wrong, you must:
• React to it:
1) Do something / take action / fix it;
2) Deal with the consequences;
• Evaluate what went wrong, to prevent it from happening again, and check that there are no other similar issues that could occur;
• Implement any action needed;
• Review the effectiveness of any corrective action taken;
• Make changes to the information security management system, if necessary.
Ensure that the corrective action taken is appropriate to the effects of the nonconformities found, including the information security risk.
Keep records of all nonconformities, what you did to resolve them, additional measures implemented, etc., in particular:
• The nature of the nonconformity and any subsequent actions taken;
• The results of any corrective action.
10.3 Continual improvement
There is now a clearer expectation for organizations to use data from monitoring and measurement to review the performance of the information security management system. Organizations should make use of this information by analyzing it and ensuring that the ISMS is adequate for the organization.

It might be that, during a review, the control measures within a process are found to be insufficient and do not give the level of assurance that the Directors want in order to know that processes are being followed correctly.
The organization must continually improve the suitability, adequacy and effectiveness of the information security management system to enhance ISMS performance. When taking action to improve the information security management system, consider the results from analysis and evaluation of ISMS performance, evaluation of compliance, and the outputs from management review.
Clarification of new structure, terminology and requirements
Some of the new changes in the structure, terminology and requirements of ISO 27001:2013 are summarized below:
1. Structure and terminology
The clause structure and some of the terminology of this International Standard have been changed, in comparison with ISO 27001:2005, to improve alignment with other management system standards.
The consequent changes in structure and terminology do not need to be reflected in the documentation of an organization's information security management system.
The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization's policies, objectives and processes. There is no requirement for the structure of an organization's ISMS documentation to mirror that of this International Standard.
Major differences in terminology between ISO 27001:2005 and ISO 27001:2013

ISO 27001:2005 ISO 27001:2013


Documentation, manual, procedures,
Documented information
records
Asset owner Risk owner
Stakeholders Interested parties
Preventive Action Issues, risks and opportunities

The controls in Annex A have been restructured: some controls have disappeared
or been merged into other controls, and new controls have emerged.

Comparison of clauses/domains of Annex A in the old standard and the new standard

ISO 27001:2005                                                       | ISO 27001:2013
A5.  Security policy                                                 | A5.  Information security policies
A6.  Organization of information security                            | A6.  Organization of information security
A7.  Asset management                                                | A7.  Human resource security
A8.  Human resources security                                        | A8.  Asset management
A9.  Physical and environmental security                             | A9.  Access control
A10. Communications and operations management                        | A10. Cryptography
A11. Access control                                                  | A11. Physical and environmental security
A12. Information systems acquisition, development and maintenance    | A12. Operations security
A13. Information security incident management                        | A13. Communications security
A14. Business continuity management                                  | A14. System acquisition, development and maintenance
A15. Compliance                                                      | A15. Supplier relationships
                                                                     | A16. Information security incident management
                                                                     | A17. Information security aspects of business continuity management
                                                                     | A18. Compliance


Comparison of ISMS controls in ISO 27001:2005 and ISO 27001:2013

2. Context of the organization


There are two new clauses relating to the context of the organization, clause 4.1-
Understanding the organization and its context, and clause 4.2 - Understanding the
needs and expectations of interested parties. Together, these clauses require the
organization to determine the issues and requirements that can impact on the planning
of the information security management system.

The scope of ISO 27001:2013 states, in part, that this International Standard is
applicable where an organization needs to demonstrate its ability to consistently meet
customer and applicable statutory and regulatory requirements. No requirement of this
International Standard can be interpreted as extending that applicability without the
agreement of the organization.
3. Risk assessment

Risk assessment typically means looking at two parameters: the probability of occurrence
of a risk and the impact in case the risk occurs.

FMEA (Failure Mode and Effects Analysis) provides a third, very useful
parameter: the probability of detection. This is the probability that the occurrence of a
threat is detected, by means of detection actions, before any major impact has happened.
Examples of detection actions are virus scans and intrusion detection.
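The following is an added worked example, not part of the Punyam Academy material, showing how the two-parameter assessment above and the FMEA-style third parameter change the ranking of risks in a small register, and how the analysed level is then compared with acceptance criteria as clause 6.1.2 requires. The 1-to-5 scales, the acceptance threshold of 27, the risk owners and the three sample risks are all constructed assumptions; an organization sets its own risk criteria.

```python
from dataclasses import dataclass

# Constructed scale: 1 (low) .. 5 (high). The real scale and the acceptance
# threshold are defined by the organization's risk criteria (clause 6.1.2 a);
# the values used here are assumptions for illustration only.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str         # clause 6.1.2: every risk has an identified risk owner
    likelihood: int    # probability of occurrence
    impact: int        # consequence if the risk occurs
    detection: int     # FMEA-style detection rating, inverted: 1 = almost
                       # certainly detected early (e.g. by a virus scan or IDS),
                       # 5 = unlikely to be detected before major impact


def _check(value: int, name: str) -> int:
    """Reject ratings outside the agreed scale instead of silently scoring them."""
    if value not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {value}")
    return value


def level_two_parameter(r: Risk) -> int:
    """Classic two-parameter level: likelihood x impact (range 1..25)."""
    return _check(r.likelihood, "likelihood") * _check(r.impact, "impact")


def level_fmea(r: Risk) -> int:
    """FMEA-style Risk Priority Number: likelihood x impact x detection (1..125).
    A risk that is unlikely to be detected early ranks above one with the same
    likelihood and impact that existing detection actions would catch."""
    return level_two_parameter(r) * _check(r.detection, "detection")


def evaluate(r: Risk, acceptance_threshold: int = 27) -> str:
    """Clause 6.1.2 e): compare the analysed level with the acceptance criteria.
    The threshold of 27 is a constructed example value."""
    return "accept" if level_fmea(r) <= acceptance_threshold else "treat"


# Constructed sample register; descriptions and owners are illustrative only.
REGISTER = [
    Risk("R-01", "Laptop holding unencrypted customer data is lost", "Head of IT", 3, 4, 4),
    Risk("R-02", "Malware on a workstation", "IT Operations", 4, 3, 1),
    Risk("R-03", "Privileged account misuse by an insider", "CISO", 2, 5, 4),
]


def prioritised(register):
    """Return (risk_id, two-parameter level, RPN, decision), highest RPN first.
    R-01 and R-02 tie on the two-parameter level (12); the detection rating
    separates them, because malware is routinely caught by a virus scan."""
    rows = [(r.risk_id, level_two_parameter(r), level_fmea(r), evaluate(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for row in prioritised(REGISTER):
        print(row)
```

Running the block prints the register ordered by RPN: R-01 (48, treat), R-03 (40, treat), R-02 (12, accept). Note that the detection rating is deliberately inverted relative to the "probability of detection" wording above, so that a lower chance of early detection raises the level rather than lowering it.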

4. Applicability
Where a requirement can be applied within the scope of its information security
management system, the organization cannot decide that it is not applicable. Where a
requirement cannot be applied (for example, where the relevant process is not carried
out) the organization can determine that the requirement is not applicable. However,
this non-applicability cannot be allowed to result in failure to achieve conformity of
products and services or to meet the organization's aim; therefore, identifying the
scope of the ISMS is now required.
5. Documented information
For alignment with other management system standards, a common clause on
'Documented Information' has been adopted without significant change or addition
(see clause 7.5). Where appropriate, text elsewhere in this International Standard has
been aligned with its requirements. Consequently, the terms “documented procedure”
and “record” have both been replaced throughout the requirements text by
“documented information”. So a major focus of ISO 27001:2013 is to reduce
documentation; requirements for documented information are mentioned in only a few
places.
Summary of what is new in ISO 27001:2013
1. Risk management is added with a focus on risk-based thinking.
Identification of risk and risk control is now a requirement.
2. Standardized core text, structure, and definitions enable organizations with
multiple management systems to achieve improved integration and
implementation.
3. Major focus is on achieving value for organization and its interested parties.
Main Changes in ISO 27001:2013
• Use of the High Level Structure (HLS);
• Structure and responsibilities are in line with other management system
standards (10 clauses);
• Improved applicability for services;
• Fewer prescribed requirements;
• Increased emphasis on organizational context;
• Boundaries of the ISMS must be defined;
• Risk-based thinking throughout the standard supersedes a single clause on
preventive action;
• The term 'documented information' replaces 'documents and records';
• Controls: Annex A contains 114 controls across 14 control categories;
• Increased leadership requirements;
• Objectives must include reference to 'who', 'what', 'when';
• Operational planning includes addressing risks;
• ISMS documentation need not follow the standard's structure;
• All terms used in this standard can be changed after definition.
What needs to be communicated as per ISO 27001:2013
1. ISMS policy (sub-clause 5.2)
2. Roles, responsibilities and authorities (sub-clause 5.3)
3. ISMS objectives (sub-clause 6.2.1)

Annexure -1
ISO 27001:2013 Information Security Management System Structure

Annexure – 2
Elements of Information security management system

Table-1 Key commitments of some of the elements of ISO 27001:2013

4. Context of the organization

4.1 Understanding the organization and its context
  Determine:
  • External issues;
  • Internal issues;
  • All issues relevant to its purpose.
  Consider issues that affect the ability to achieve the intended outcome of the ISMS.

4.2 Understanding the needs and expectations of interested parties
  Determine:
  • Interested parties that are relevant to the ISMS;
  • Requirements of these interested parties relevant to information security.

4.3 Determining the scope of the ISMS
  Determine the boundaries and applicability of the ISMS to establish its scope.
  For determining the scope consider:
  • The external and internal issues;
  • The requirements;
  • Interfaces and dependencies between activities performed.

4.4 Information security management system (ISMS)
  • Establish the ISMS;
  • Implement the ISMS;
  • Maintain the ISMS;
  • Continually improve the ISMS.
5. Leadership

5.1 Leadership and commitment
  Top management will demonstrate leadership and commitment with respect to the ISMS by:
  • information security policy and objectives;
  • integration of the ISMS requirements with processes;
  • providing resources;
  • communicating the importance of an effective ISMS;
  • ensuring the ISMS achieves its intended outcome;
  • promoting continual improvement;
  • supporting other relevant management roles to demonstrate their leadership.

5.2 Policy
  Establish an information security policy that is:
  • In line with the purpose of the organization;
  • Includes information security objectives;
  • Includes a framework for setting information security objectives;
  • Includes a commitment to satisfy applicable requirements;
  • Includes a commitment to continual improvement of the ISMS;
  • Communicated within the organization;
  • Provided to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities
  • Ensuring the ISMS conforms to ISO 27001:2013 requirements;
  • Reporting on the performance of the ISMS to top management and within the organization.
6. Planning

6.1 Actions to address risks and opportunities
  • Consider issues and requirements to determine risks and opportunities;
  • The risks and opportunities that need to be addressed;
  • Plan actions to address risks and opportunities;
  • Plan how to integrate and implement the actions into processes;
  • Plan to evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment
  • Establish and maintain information security risk criteria;
  • Ensure repeated information security risk assessments;
  • Identify information security risks;
  • Identify the risk owners;
  • Analyze the information security risks (consequences, likelihood, level of risk);
  • Evaluate the information security risks;
  • Identify and evaluate options for the treatment of risks;
  • Prepare a Statement of Applicability.

6.1.3 Information security risk treatment
  Apply and implement an information security risk treatment process:
  • Select appropriate information security risk treatment options, taking account of the risk
    assessment results;
  • Determine all controls that are necessary to implement the information security risk
    treatment option(s) chosen;
  • Compare the controls determined with the list of controls in Annex A of the standard (do
    not omit necessary controls);
  • Produce a Statement of Applicability that contains the applicability of controls and the
    justification for inclusions or exclusions;
  • Formulate an information security risk treatment plan;
  • Obtain the risk owners' approval of the information security risk treatment plan and
    acceptance of the residual information security risks.

6.2 Information security objectives and planning to achieve them
  • IS objectives consistent with the information security policy;
  • Measurable objectives;
  • Consider applicable IS requirements, and results from risk assessment and risk treatment;
  • Communicate IS objectives;
  • Update IS objectives periodically (preferably once a year);
  • Retain documented IS objectives.
7. Support

7.1 Resources
  Determine and provide the resources needed for:
  • Establishment of the ISMS;
  • Implementation of the ISMS;
  • Maintenance of the ISMS;
  • Continual improvement of the ISMS.

7.2 Competence
  • Determine the necessary competence of persons who affect information security
    performance;
  • Ensure persons are competent on the basis of 1. Education, 2. Training, 3. Experience;
  • Take actions to acquire the necessary competence, and evaluate the effectiveness;
  • Retain appropriate documented information as evidence of competence;
  • Evaluate the effectiveness of the training provided and actions taken;
  • Maintain records of education, training, skills, experience and qualifications.

7.3 Awareness
  Persons should be aware of:
  • The information security policy;
  • Their contribution to the effectiveness of the ISMS and the benefits of improved
    information security performance;
  • The implications of not conforming with the ISMS requirements.

7.4 Communication
  Determine the need for internal and external communications relevant to the ISMS,
  including:
  • What to communicate;
  • When to communicate;
  • With whom to communicate;
  • Who shall communicate;
  • The processes by which communication is effected.

7.5.1 Documented information (General)
  • Include the documented information required by the standard;
  • Include documented information determined by the organization as necessary for the
    effectiveness of the ISMS.
  The extent of documentation depends on:
  • Size of the organization and the type of its activities, processes, products and services;
  • Complexity of processes and their interactions;
  • Competence of persons.
  Documented information may differ from one organization to another.

7.5.2 Creating and updating
  Create and update documented information with:
  • Identification and description (e.g. a title, date, author, or reference number);
  • Proper format (e.g. language, software version, graphics) and media (e.g. paper,
    electronic);
  • Review, update and re-approval for suitability and adequacy;
  • Approval of information for adequacy and suitability prior to issue.

7.5.3 Control of documented information
  Control documented information to ensure:
  • Availability and suitability for use;
  • Adequate protection (e.g. from loss of confidentiality, improper use, or loss of integrity);
  • Distribution, access, retrieval and use;
  • Storage and preservation (including the preservation of legibility);
  • Control of changes and current revision status;
  • Retention and disposition;
  • The current versions are available at points of use;
  • Information of external origin, as identified by the IS Head, is included under the same
    level of control;
  • Distribution of information is controlled;
  • Unintended use of obsolete information is prevented;
  • Suitable identification is applied;
  • Access to information for review or change.
8. Operation

8.1 Operation planning and control
  • Plan, implement and control the processes;
  • Implement the actions from risks and opportunities;
  • Implement the risk treatment plan and controls to achieve the IS objectives;
  • Maintain documented information to establish confidence.

8.2 Information security risk assessment
  • Perform information security risk assessments at planned intervals or when significant
    changes are proposed or occur, taking account of the criteria established;
  • Retain documented information of the results of risk assessments.

8.3 Information security risk treatment
  • Implement the information security risk treatment plan;
  • Retain documented information of the results of the information security risk treatment.
9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
  Evaluate the information security performance and the effectiveness of the ISMS.
  Determine:
  • What needs to be monitored and measured, including IS processes and controls?
  • Which methods are to be used for monitoring, measurement, analysis and evaluation?
  • When will the monitoring and measuring be performed?
  • Who will monitor and measure?
  • When are the results from monitoring and measurement to be analyzed and evaluated?
  • Who will analyze and evaluate these results?
  Retain documented information as evidence of the monitoring and measurement results.

9.2 Internal audit
  Conduct internal ISMS audits at planned intervals to determine whether the ISMS meets the
  company's own requirements and the ISO 27001:2013 requirements. Also ensure that the
  ISMS is effectively implemented and maintained.
  • Plan, establish, implement and maintain an audit program as per the documented
    procedure.
  • Take into consideration the importance of the processes concerned and the results of
    previous audits.
  • Define the audit criteria and scope for each audit.
  • Select independent auditors and conduct audits.
  • Ensure that the results of the audits are reported to management.
  • Retain documented information as evidence of the audit program and the audit results.
  • Define audit criteria, scope, frequency and methods.
  • Verify that actions are taken without undue delay.
  • Verify improvement activities.
  • Verify the actions taken and the reporting of verification results.

9.3 Management review
  Management shall review the organization's ISMS at planned intervals to ensure continuing
  suitability, adequacy and effectiveness.
  • Take appropriate input as the agenda of the meeting, similar to other ISO standards.
  Review output:
  • Decisions related to continual improvement opportunities for the effectiveness of the
    system.
  • Any needs for changes to the ISMS and modification of procedures that affect information
    security, including changes to:
    1) Business requirements;
    2) Security requirements;
    3) Business processes;
    4) Regulatory or legal environment;
    5) Levels of risk and/or levels of risk acceptance.

10. Improvement

10.1 Nonconformity and corrective action
  • React to the nonconformity;
  • Evaluate the need for action to eliminate the causes of the nonconformity by:
    1) reviewing the nonconformity;
    2) determining the causes of the nonconformity;
    3) determining if similar nonconformities exist or could potentially occur;
  • Implement the action needed;
  • Review the effectiveness of the corrective action taken;
  • Make changes to the information security management system, if necessary.
  Retain documented information as evidence.

10.2 Continual improvement
  Continually improve the suitability, adequacy and effectiveness of the ISMS through the use
  of the:
  • Information security policy;
  • Security objectives;
  • Audit results;
  • Analysis of monitored events;
  • Corrective and preventive actions;
  • Management review.

Annexure – 3
Mapping of clauses in ISO/IEC 27001:2013 and ISO/IEC 27001:2005

The objective of this comparison is to show that both structures can be used together by
organizations that are already certified to ISO 27001:2005, so that they can easily update
their system to ISO 27001:2013.

ISO/IEC 27001:2013                                                  | ISO/IEC 27001:2005
0 Introduction                                                      | 0 Introduction
1 Scope                                                             | 1 Scope
2 Normative references                                              | 2 Normative references
3 Terms and definitions                                             | 3 Terms and definitions
4.1 Understanding the organization and its context                  | 8.3 Preventive action
4.2 Understanding the needs and expectations of interested parties  | 5.2.1 c) Identify and address legal and regulatory requirements and contractual security obligations
4.3 Determining the scope of the information security               | 4.2.1 a) Define scope and boundaries
    management system                                               | 4.2.3 f) Ensure the scope remains adequate
4.4 Information security management system                          | 4.1 General requirements
5.1 Leadership and commitment                                       | 5.1 Management commitment
5.2 Policy                                                          | 4.2.1 b) Define an ISMS policy
5.3 Organizational roles, responsibilities and authorities          | 5.1 c) Establishing roles and responsibilities for information security
6.1.1 Actions to address risks and opportunities - general          | 8.3 Preventive action
6.1.2 Information security risk assessment                          | 4.2.1 c) Define the risk assessment approach
                                                                    | 4.2.1 d) Identify the risks
                                                                    | 4.2.1 e) Analyze and evaluate the risks
6.1.3 Information security risk treatment                           | 4.2.1 f) Identify and evaluate options for the treatment of risks
                                                                    | 4.2.1 g) Select control objectives and controls for the treatment of risks
                                                                    | 4.2.1 h) Obtain management approval of the proposed residual risks
                                                                    | 4.2.1 i) Prepare a Statement of Applicability
                                                                    | 4.2.1 j) Prepare a Statement of Applicability
                                                                    | 4.2.2 a) Formulate a risk treatment plan
6.2 Information security objectives and planning to achieve them    | 5.1 b) Ensuring that ISMS objectives and plans are established
7.1 Resources                                                       | 4.2.2 g) Manage resources for the ISMS
                                                                    | 5.2.1 Provision of resources
7.2 Competence                                                      | 5.2.2 Training, awareness and competence
7.3 Awareness                                                       | 4.2.2 e) Implement training and awareness programs
                                                                    | 5.2.2 Training, awareness and competence
7.4 Communication                                                   | 4.2.4 c) Communicate the actions and improvements
                                                                    | 5.1 d) Communicating to the organization
7.5 Documented information                                          | 4.3 Documentation requirements
8.1 Operational planning and control                                | 4.2.2 f) Manage operations of the ISMS
8.2 Information security risk assessment                            | 4.2.3 d) Review risk assessments at planned intervals
8.3 Information security risk treatment                             | 4.2.2 b) Implement the risk treatment plan
                                                                    | 4.2.2 c) Implement controls
9.1 Monitoring, measurement, analysis and evaluation                | 4.2.2 d) Define how to measure effectiveness
                                                                    | 4.2.3 b) Undertake regular reviews of the effectiveness of the ISMS
                                                                    | 4.2.3 c) Measure the effectiveness of controls
9.2 Internal audit                                                  | 4.2.3 e) Conduct internal ISMS audits
                                                                    | 6 Internal ISMS audits
9.3 Management review                                               | 4.2.3 f) Undertake a management review of the ISMS
                                                                    | 7 Management review of the ISMS
10.1 Nonconformity and corrective action                            | 4.2.4 Maintain and improve the ISMS
                                                                    | 8.2 Corrective action
10.2 Continual improvement                                          | 4.2.4 Maintain and improve the ISMS
                                                                    | 8.1 Continual improvement
