ISO 27001

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure.

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action

There are 114 controls in 14 groups and 35 control categories:

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls that are applied before, during, or after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

1. Access Control Policy

An access control policy must be established, documented and reviewed regularly, taking into account the requirements of the business for the assets in scope. Access control rules, rights and restrictions, along with the depth of the controls used, should reflect the information security risks around the information and the organisation’s appetite for managing them. Put simply, access control is about who needs to know, who needs to use, and how much access they get.

Access controls can be digital or physical in nature, e.g. permission restrictions on user accounts as well as limitations on who can access certain physical locations (aligned with Annex A.11 Physical and Environmental Security). The policy should take into account:
- Security requirements of business applications, aligned with the information classification scheme in use as per A.8 Asset Management;
- Clarity on who needs to access or know the information and who needs to use it, supported by documented procedures and responsibilities;
- Management of access rights and privileged access rights (more power; see below), including adding, in-life changes (e.g. super user/administrator controls) and periodic reviews (e.g. by regular internal audits in line with requirement 9.2);
- Access control rules should be supported by formal procedures and defined responsibilities.

Access control needs to be reviewed based on changes in roles and in particular during exit, to align with Annex A.7 Human Resource Security.
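
As an added worked example (not text or code from the page or from the standard), the following Python script shows what the periodic and exit reviews listed above can look like in practice: it reconciles an export of accounts and entitlements against the HR roster and flags leavers who still hold access, entitlements the person's current role does not justify, accounts with no named owner, and accounts whose last re-certification is older than their review interval. The roster, the account export, the role-to-entitlement matrix and the 90/365-day intervals are constructed assumptions, not values taken from the standard.

```python
"""Periodic access-rights review: reconcile an account export against the HR roster.

Added illustration of the periodic and exit reviews described above; it is not
code from the page or from the standard. The roster, the account export, the
role-to-entitlement matrix and the review intervals are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: current status and role of each person.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "active", "role": "developer"},
    "carol": {"status": "left", "role": "developer", "leave_date": date(2024, 3, 31)},
    "dave": {"status": "active", "role": "helpdesk"},
}

# Constructed export from an access-control system: who holds what.
ACCOUNTS = [
    {"user": "alice", "entitlements": ["finance-ledger-read"],
     "privileged": False, "last_reviewed": date(2024, 1, 15)},
    {"user": "bob", "entitlements": ["source-repo-write", "prod-db-admin"],
     "privileged": True, "last_reviewed": date(2023, 9, 1)},
    {"user": "carol", "entitlements": ["source-repo-write"],
     "privileged": False, "last_reviewed": date(2024, 1, 15)},
    {"user": "dave", "entitlements": ["finance-ledger-read"],
     "privileged": False, "last_reviewed": date(2024, 1, 15)},
    {"user": "svc-backup", "entitlements": ["backup-admin"],
     "privileged": True, "last_reviewed": date(2024, 4, 2)},
]

# Constructed matrix of the entitlements each role is expected to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"finance-ledger-read"},
    "developer": {"source-repo-write"},
    "helpdesk": set(),
}

# Assumed review intervals: privileged access is re-certified more often.
PRIVILEGED_REVIEW_DAYS = 90
STANDARD_REVIEW_DAYS = 365


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_access(accounts, roster, role_entitlements, today):
    """Return the findings an access review would raise for `accounts` as of `today`."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record: an orphan or service account that needs a named owner.
            findings.append(Finding(user, "no-hr-record", "no owner in the HR roster"))
        elif person["status"] != "active":
            # Leavers must lose access at exit (the A.7-aligned exit review).
            findings.append(Finding(user, "leaver-still-active",
                                    f"left on {person['leave_date'].isoformat()}"))
        else:
            # Entitlements the current role does not justify: candidates for removal.
            excess = set(acct["entitlements"]) - role_entitlements.get(person["role"], set())
            if excess:
                findings.append(Finding(user, "excess-entitlement", ", ".join(sorted(excess))))
        # Recency check: every account is re-certified within its review interval.
        interval = PRIVILEGED_REVIEW_DAYS if acct["privileged"] else STANDARD_REVIEW_DAYS
        if today - acct["last_reviewed"] > timedelta(days=interval):
            findings.append(Finding(user, "review-overdue",
                                    f"last reviewed {acct['last_reviewed'].isoformat()}"))
    return findings


def review_findings_for(today_iso):
    """Run the review of the constructed data as of an ISO date, e.g. '2024-05-01'."""
    return review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in review_findings_for("2024-05-01"):
        print(f"{f.user:12} {f.issue:22} {f.detail}")
```

Run as of 2024-05-01, the script reports five findings: bob holds a privileged entitlement his role does not cover and his privileged access is past its 90-day re-certification, carol still has access after leaving, dave holds an entitlement outside his role, and the svc-backup service account has no owner in the roster. Each finding is the kind of evidence an internal audit under requirement 9.2 would expect the review to produce and to track to closure.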

2. Documented Operating Procedures

Operating procedures must be documented and then made available to all users who need them. Documented operating procedures help to ensure consistent and effective operation of systems for new staff or changing resources, and can often be critical for disaster recovery, business continuity and for when staff availability is compromised. Where information systems are “cloud-based”, traditional operational activities such as system start-up, shut-down and backup become less relevant and may often be outsourced to a cloud provider. In more traditional computing environments and architectures, operating procedures are much more likely to be required.

3. Inventory of Assets

Any assets associated with information and information processing facilities need to be identified and managed over their lifecycle, with the record always kept up to date. A register or inventory of those assets has to be put together that shows how they are managed and controlled, based around their importance.

4. Ownership of Assets

All information assets must have owners. Asset management ownership can differ from legal ownership, and it can be assigned to an individual, a department or another entity. Ownership should be assigned when the assets are created. The asset owner is responsible for the effective management of the asset over the whole of the asset’s lifecycle. They can delegate management of the asset, and ownership can change during that lifecycle, as long as both are documented.

5. Acceptable Use of Assets

Acceptable use of information and of assets is important to get right. Rules for acceptable use of assets are often documented in an “Acceptable Use Policy”. The rules for acceptable use must take into consideration employees, temporary staff, contractors and other third parties, where applicable, across the information assets they have access to. It is important that all relevant parties have access to the set of documented acceptable use rules and that these are reinforced through regular training, information security awareness and compliance-related activity.

6. Return of Assets

All employees and external party users are expected to return any organisational and information assets upon termination of their employment, contract or agreement. As such, it must be an obligation for employees and external users to return all the assets, and these obligations would be expected to appear in the relevant agreements with staff, contractors and others.

7. Network Controls

Networks must be managed and controlled in order to protect information within systems and applications. Put in simple terms, the organisation should use appropriate methods to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and be implemented according to business requirements, risk assessment, classification and segregation requirements as appropriate.

Some possible examples of technical controls for consideration include: connection control and endpoint verification, firewalls and intrusion detection/prevention systems, access control lists, and physical, logical or virtual segregation. When connecting to public networks, or to networks of other organisations outside organisational control, it is also important to consider the increased risk levels and to manage these risks with additional controls as appropriate.

You will need to bear in mind that the auditor will be looking to see that these implemented controls are effective and managed appropriately, including the use of formal change management procedures.

8. Security of Network Services

Security mechanisms, service levels and management requirements of all network services need to be identified and included in network services agreements, whether these services are provided in-house or outsourced. Put into simple terms, the organisation should include all the various security measures it is taking in order to secure its network services in its network services agreements. Your auditor will want to see that the design and implementation of networks takes into account both the business requirements and security requirements, achieving a balance that is adequate and proportionate to both. They will be looking for evidence of this, along with evidence of a risk assessment.

9. Segregation in Networks

Groups of information services, users and information systems should be segregated on networks. Wherever possible, consider segregating the duties of network operations from those of computer/system operations, and segregating the network into domains (e.g. public domains, or separate domains for department x and department y). The network design and control must align to and support information classification policies and segregation requirements.
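
As an added worked example (not code from the page or from the standard), the following Python script checks a firewall ruleset against the kind of segregation requirement described in sections 7 and 9: each zone carries a classification level, a matrix lists the only cross-zone flows and TCP ports permitted, and every rule whose source-to-destination zone pair is not covered by the matrix is reported, with flows from a less trusted zone into a more sensitive one marked high severity. The zones, addresses, permitted flows and rules are constructed assumptions; the `ipaddress` module is from the Python standard library.

```python
"""Check a firewall ruleset against a zone segregation matrix.

Added illustration of aligning network controls with classification and
segregation requirements (sections 7 and 9 above); it is not code from the
page or from the standard. The zones, the permitted-flow matrix and the rules
are constructed examples.
"""
import ipaddress

# Constructed zones: an address range and a sensitivity level (higher = more sensitive).
ZONES = {
    "public": {"net": ipaddress.ip_network("0.0.0.0/0"), "level": 0},
    "dmz": {"net": ipaddress.ip_network("203.0.113.0/24"), "level": 1},
    "internal": {"net": ipaddress.ip_network("10.0.0.0/16"), "level": 2},
    "restricted": {"net": ipaddress.ip_network("10.1.0.0/24"), "level": 3},
}

# Constructed segregation requirements: the only cross-zone flows permitted,
# and on which TCP ports. Traffic that stays within one zone is allowed.
PERMITTED_FLOWS = {
    ("public", "dmz"): {443},
    ("dmz", "internal"): {5432},
    ("internal", "dmz"): {443},
    ("internal", "restricted"): {22},
}

# Constructed ruleset as exported from a firewall (source, destination, TCP port).
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "203.0.113.10", "port": 443},
    {"id": 2, "src": "203.0.113.10", "dst": "10.0.5.20", "port": 5432},
    {"id": 3, "src": "10.1.0.5", "dst": "203.0.113.10", "port": 3389},
    {"id": 4, "src": "0.0.0.0/0", "dst": "10.0.5.20", "port": 22},
    {"id": 5, "src": "10.0.0.0/16", "dst": "10.1.0.5", "port": 22},
    {"id": 6, "src": "10.0.3.0/24", "dst": "10.0.5.20", "port": 445},
    {"id": 7, "src": "0.0.0.0/0", "dst": "203.0.113.10", "port": 22},
]


def zone_of(cidr, zones=ZONES):
    """Most specific zone that wholly contains `cidr`, or None.

    A range wider than any defined zone (e.g. 10.0.0.0/8) only fits inside the
    catch-all public zone and is therefore treated as least trusted.
    """
    net = ipaddress.ip_network(cidr)
    matches = [(z["net"].prefixlen, name) for name, z in zones.items() if net.subnet_of(z["net"])]
    return max(matches)[1] if matches else None


def check_rules(rules, zones=ZONES, permitted=PERMITTED_FLOWS):
    """Return (rule id, src zone, dst zone, port, severity, reason) for every rule
    that allows a flow the segregation matrix does not."""
    violations = []
    for r in rules:
        src, dst = zone_of(r["src"], zones), zone_of(r["dst"], zones)
        if src is None or dst is None:
            violations.append((r["id"], src, dst, r["port"], "high", "address outside every defined zone"))
            continue
        if src == dst:
            continue  # intra-zone traffic is not a segregation concern here
        # Reaching a more sensitive zone from a less trusted one is the worst case.
        severity = "high" if zones[src]["level"] < zones[dst]["level"] else "medium"
        allowed = permitted.get((src, dst))
        if allowed is None:
            violations.append((r["id"], src, dst, r["port"], severity, "no permitted flow between these zones"))
        elif r["port"] not in allowed:
            violations.append((r["id"], src, dst, r["port"], severity, f"port not in permitted set {sorted(allowed)}"))
    return violations


if __name__ == "__main__":
    for v in check_rules(RULES):
        print("rule %d: %s -> %s port %d [%s] %s" % v)
```

Against the constructed ruleset the check reports three rules: rule 3 (restricted to dmz, a flow the matrix does not list), rule 4 (public straight into internal) and rule 7 (public to dmz on a port the matrix does not permit). Running a check like this as part of the formal change management the auditor looks for turns the classification and segregation policy into something the ruleset is tested against, rather than a document that is only compared with the firewall at audit time.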
