A guide to ISO 27001:2022
ISO 27001:2022 is the fastest-growing ISO standard and for good reason. It is becoming a strategic priority for many businesses with the ever-growing awareness of online threats and increasing digitalisation of our lives.
- Help businesses to preserve the confidentiality, integrity and availability of their information
- Create a benchmark against which the performance of companies can be judged
- Empower clients to trust our information security practices.
Why is ISO 27001 so important?
Becoming certified to ISO 27001 is no small undertaking even with a specialist consultant to guide you through the process. So why is it so important for an increasing number of businesses to achieve certification?
It’s a strategic level consideration
Information Security is now undoubtedly a strategic level consideration for many businesses. Three quarters of businesses say cyber security is a high priority for their organisation’s senior management and that number is increasing every year. With over two thirds of small and medium size businesses seeking external support in information security in the past year, you are not alone in investigating ISO 27001 as an option.
Cyber security threats are increasing
Every week, security threats and breaches are reported in the news. In a world where cyber crime is a very real threat, it’s never been more important to safeguard the integrity of your data and demonstrate your security controls through a strong and certified ISO 27001 Information Security Management System (ISMS).
It helps you win tenders
A significant driver for small and medium size businesses to obtain certification is that ISO 27001 is becoming a permanent feature in tenders. From web design and software development through to healthcare and charities, clients are requesting tangible and certified evidence from their supply chain that they have strong security processes in place. The willingness to invest in information security certification shows very positive intent to prospective clients.
It protects your customer data and intellectual property
With prospective clients looking for partners with whom they can confidently share their personal and business data, ISO 27001 helps your organisation to alleviate their fears and give assurance that you can keep their data safe. If you have particularly sensitive intellectual property that you need to protect, strong internal as well as external controls are required.
It improves your business continuity planning
With almost every business being critically reliant on digital systems, ensuring your infrastructure can remain up or be quickly brought back online in a business continuity situation is an absolute necessity.
It offers a comprehensive framework
The ISO 27001 standard is comprehensive in nature, laying out the basic building blocks for an information security management system.
How is the standard structured?
When you first look at the standard, the layout and terminology can be confusing. However, as you come to understand how ISO 27001 is structured, the logic starts to appear.
A story of two halves
The ISO 27001 standard is broken into two halves: Clauses 1-10; and Annex A. The clauses outline the general framework for your information security system, whilst Annex A describes the 93 controls you need to consider as you implement your management system.
The first half: Clauses 1-10
The ISO 27001 standard is written around 10 clauses. Of the ten clauses, it is clauses 4-10 that are audited. Clauses 1-3 are used to set the scene of the standard but are less important when it comes to your ISO 27001 implementation.
Clause 4 – Context of the Organisation
Your organisation must identify, monitor and review external and internal issues that could impact information security within your business. These contextual issues can be far reaching and may include obvious threats such as malicious attack, but may also include elements such as fast growth of your business impacting your ability to onboard staff consistently, or the use of significant levels of homeworking. You should document your findings and review them regularly. This clause also asks you to document all the interested parties who have needs and expectations of your business. Finally, this is the clause that requires you to define the scope of your management system: which locations are in scope, whether development is in-house or outsourced, and which systems are being covered.
Clause 5 – Leadership
Leadership involvement is a critical component in making an information security management system work, and for this reason the standard makes it a requirement. Leadership are required to create your Information Security Policy, set security objectives, be present in the information security reviews and communicate the importance of security throughout the organisation. Some of the ways leaders are involved will be tangible, e.g. the writing of the Information Security Policy, but in other ways their involvement will be intangible, e.g. by acting in a way that positively promotes a culture of security.
Clause 6 – Planning
In Clause 6 of ISO 27001 you need to conduct a detailed risk assessment against a defined risk assessment process. For each risk you identify, you need to assess the magnitude of the risk and how you intend on dealing with it. If you decide the risk is acceptable you can tolerate it. If you evaluate the risk to be unacceptable you can choose to terminate the risk by stopping the process, treat the risk by applying further controls, or transfer the risk to another party. For those risks that you evaluate as needing action, you should establish a risk treatment plan to bring the risk down to an acceptable level.
The second part of Clause 6 is the setting of information security objectives. We find these objectives are often related to companies' largest outstanding risks; however, they can also aim to take advantage of opportunities you see. Your objectives should be SMART (specific, measurable, attainable, relevant and time-bound).
Clause 7 – Support
This section of the standard is about all the pieces of a management system that act like the oil, allowing everything else to run smoothly. We are talking about making sure you have raised awareness of information security, trained staff on policies and procedures, established lines of internal and external communication on information security matters and applied consistent control over your documented information.
Clause 8 – Operations
Clause 8 requires your organisation to carry out your operations in a controlled manner, applying the information security mechanisms and controls that you have identified. You will need to demonstrate you are keeping on top of supplier management, organisational & product development changes and treating the risks you have identified.
Clause 9 – Performance evaluation
There are three main components of performance evaluation. Firstly, you will need to define and measure key information security metrics to have confidence your systems are working. Secondly, there is the important business of internal auditing: you will need to demonstrate that you regularly audit all the key components of the management system to review performance. Lastly, you will need to hold periodic ‘management reviews’ in which the person responsible for the daily running of the management systems reports back to the leadership team against a set agenda.
Clause 10 – Improvement
The key mechanism for continual improvement is a ‘nonconformance process’. Although this sounds a bit foreboding, it is actually a constructive way to review your systems when something goes wrong and address the root cause of the issue. It is not about finding fault with individuals, rather the focus is on understanding why a process has broken down. The other half of improvement is the general way in which your business continually improves information security arrangements, either through small incremental changes or larger step changes.
The second half: Annex A
Annex A, the Statement of Applicability (SOA) and ISO 27002 are closely linked. Annex A is the section of ISO 27001 which outlines the 93 controls you need to consider in your information security management system. The SOA is a document used to outline the controls that are relevant to your scope and ISO 27002 is a non-auditable supporting standard which is dedicated to giving more detail about each of the 93 controls. It is useful to have a brief overview of the 4 subsections in Annex A which contain the 93 controls:
A.5 Organizational
Annex A.5 of ISO 27001:2022 covers a broad range of organisational controls that organisations should implement to ensure effective information security management. These controls encompass policies for information security; roles and responsibilities; asset management; access control and secure authentication; supplier relationships; use of cloud services; incident management; business continuity; legal compliance; protection of PII (personally identifiable information); and documentation.
A.6 People
The focus of Annex A.6 is on people controls. This set of clauses requires an organisation to consider information security in recruitment; screening when hiring; terms and conditions of employment; information security awareness and training; confidentiality and NDAs; remote working and information security event reporting.
A.7 Physical
Annex A.7 shifts focus to the physical security arrangements in offices and the control of physical assets. Companies must consider controls including physical security controls to buildings, offices and other secure areas; monitoring of security perimeters; protection against threats such as fire; location of equipment and screens, and the use of a clear screen and clear desk policy; securing assets off the premises, e.g. at home or when travelling; maintaining and then securely disposing of or reissuing equipment.
A.8 Technological
Finally, Annex A.8 tackles technological controls that should be implemented in the organisation. This is another broad grouping of controls, which includes securing user end point devices; restricting access to information on a need-to-access basis; managing capacity of systems; protecting systems against malware; managing technical vulnerabilities; data masking and the prevention of data leakage; backup of data and redundancy of systems; event logging and activity monitoring; installation of software; network security; cryptography; secure development (either in-house or outsourced); and change management.
What does it take to be successful?
We have guided hundreds of businesses through the implementation and certification process, and we know what auditors are looking for. Each ISO standard introduces a wide number of requirements – we ensure you meet each of these sufficiently (this is what gets you certified), and assist you in focusing more on those areas you wish to excel further at (this is what adds value).
Senior management
Senior management must be involved to give legitimacy to the information security system, ensure the team buys in and provide the resources needed.
Engagement of staff
Staff should be asked to help write the processes in the first instance and then be actively approached to make suggestions for improvements as the system matures.
Thirst for improvement
Ideally the whole organisation, or at least a number of influential members, must have a real desire to push the business to continually improve, learning from mistakes and seeking suggestions from all team members for improvements.
Consistency & discipline
An ISMS should not be a consideration once a year just before the auditors come in – instead, work should be carried out on the management system little and often (e.g. spreading the internal audits throughout the year, or arranging quarterly information security meetings).
Need more guidance?
Our experienced consultants are available to support you through the process. We can help you perform a gap analysis to understand where your strengths and weaknesses are, host educational sessions to talk you through the requirements of the standard or help you with a full implementation.