What Are the Requirements of ISO 27001?

ISO 27001 is the internationally recognised standard for information security management systems (ISMS). It provides a robust framework that helps organisations manage their information security risks and implement appropriate security controls. This article delves into the key requirements of ISO 27001, focusing on its essential components and how they benefit businesses.

Understanding ISO 27001

ISO 27001 requires organisations to identify information security risks and select appropriate controls to address them. The standard is divided into two main parts: Clauses 4–10, which outline the broader ISMS requirements, and Annex A, which details specific controls.

Clauses 4–10: The Core Requirements

Clauses 4–10 of ISO 27001 provide a systematic approach to managing information security. These clauses cover:

1. Context of the Organisation: Identifying key stakeholders and establishing the ISMS scope.
2. Leadership: Ensuring top management are committed to the ISMS.
3. Planning: Assessing risks and vulnerabilities, and opportunities to improve security.
4. Support: Providing necessary resources for maintaining the ISMS.
5. Operation: Implementing and managing the ISMS.
6. Performance Evaluation: Monitoring, measuring, and assessing the ISMS.
7. Improvement: Continuously improving the ISMS.

Annex A: The Specific Controls

Annex A of ISO 27001:2022 outlines 93 security controls grouped into four themes. The latest version simplified Annex A from ISO 27001:2013, where it contained 114 controls across 14 domains.

The four themes in ISO 27001:2022 Annex A are:

1. Organisational (37 controls):

Organisational controls concentrate on the policies, procedures, and responsibilities required for effective information security.

1. • Information Security Policy: Establishing a clear and concise policy.
   • Defined Responsibilities: Assigning roles for ISMS management.
   • Threat Intelligence: Gathering and analysing information on threats.
   • Identity and Access Control: Ensuring only authorised personnel have access to information.

2. People (8 controls):

People are often the weak point in an organisation’s cyber security, and ISO 27001 has controls to mitigate the risk.

1. • Pre-employment Screening: Vetting potential employees.
   • Staff Training: Educating staff on information security practices.
   • Contracts and NDAs: Ensuring legal agreements to protect information.
   • Reporting Security Events: Establishing protocols for reporting incidents.

3. Physical (14 controls):

Physical controls are essential for ensuring information security in both the digital and physical environments of the ISMS.

1. • Security Perimeters: Defining and protecting physical boundaries.
   • Clear Desk Policy: Ensuring that desks are clear of sensitive information.
   • Secure Cabling: Protecting cables from unauthorised access.
   • Equipment Maintenance: Regularly maintaining equipment to ensure security.

4. Technological (34 controls):

Technological controls focus on all the digital measures you can take to protect your data.

1. • Malware Protection: Implementing measures to protect against malware.
   • Backups: Ensuring data is regularly backed up and recoverable.
   • Logging and Monitoring: Keeping logs of activities and monitoring them for anomalies.
   • Network Security: Protecting networks from unauthorised access.

How to Select Annex A Controls

Selecting the right controls to create an effective ISMA is based on your ISO 27001 risk assessment. Based on this assessment, you choose controls that address the identified risks. Comparing your chosen controls with those in Annex A ensures you haven’t missed any critical areas. Controls that do not apply to your organisation can be excluded, but you must justify these exclusions in your Statement of Applicability (SoA).

What is the Statement of Applicability (SoA)?

The SoA is a crucial document in your ISMS. It lists all the Annex A controls along with justifications for their inclusion or exclusion and their implementation status. The SoA also includes any additional controls from other frameworks or developed internally. It is a key document during certification and surveillance audits and must be meticulously maintained.

Complying with ISO 27001 involves understanding and implementing its comprehensive requirements. Clauses 4–10 provide a framework for an effective ISMS, while Annex A details specific controls to address various security aspects. The Statement of Applicability ties everything together, ensuring that your organisation’s information security measures are robust and well-documented. By adhering to ISO 27001, organisations can significantly improve their security, protecting their assets with an effective ISMS.

Contact OmniCyber Security today to get started with our ISO 27001 service.