Before attempting ISO 27001 certification, all stakeholders should be familiar with how it is organized and used. ISO 27001 is divided into 12 different sections.
Introduction – explains what information security means and why organizations should manage risk.
Scope – covers the high-level requirements of an ISMS that can be applied to organizations of all types and sizes.
Normative References – explains the relationship between the ISO 27000 and ISO 27001 standards.
Terms and Definitions – covers the specialised terminology used within the standard.
Context of the Organization – explains who should participate in creating and maintaining the ISMS.
Leadership – describes how leadership should commit to and approve ISMS policies.
Planning – outlines how risk management should work across the organization.
Support – describes how to raise information security awareness and assign responsibilities.
Operation – covers how to manage risk and how documentation should meet audit standards.
Performance Assessment – provides guidelines on how to monitor, measure, and evaluate the ISMS’s performance.
Improvement – describes how the ISMS should be continually improved and updated, especially after audits.
What Are The ISO 27001 Audit Controls?
The ISO 27001 documentation breaks its best practices down into 14 separate controls, and certification audits cover each of them. Below is a summary of each control and how it is examined in a real audit.
Information Security Policies: describes how policies should be written into an ISMS and reviewed for compliance. Auditors will examine how regularly your policies and procedures are reviewed and documented.
Organization of Information Security: defines which parts of the organization are responsible for which tasks and actions. Auditors will expect to see a clear organizational structure that sets out high-level responsibilities by role.
Human Resource Security: covers what employees should know about information security before they join, change roles, or leave. Auditors will need to see clearly defined procedures for onboarding and offboarding personnel with information security responsibilities.
Asset Management: describes the processes for managing data assets and how they should be secured and protected. Auditors will want to know how your company tracks hardware, software, and databases; you should also describe the common tools or methods you use to maintain data integrity.
Access Control: explains how employees are granted access to specific types of data. Auditors should be given a detailed explanation of how access privileges were set up and who is responsible for maintaining them.
Cryptography: covers best practices for encryption. Auditors will look for the areas of your system that handle sensitive data, including which encryption algorithms are used, such as DES, RSA, or AES.
Physical and Environmental Security: describes the security processes used to protect buildings and internal equipment. Auditors will examine the site for security issues and check how offices and data centers can be accessed.
Operations Security: guides how to secure your data. This has become more urgent since the 2018 General Data Protection Regulation. Auditors will request evidence of data flows and explanations of where information is stored.
Communications Security: is a security policy covering all transmissions within an organization’s network. Auditors will expect a summary of the communication systems the organization uses, such as videoconferencing or email, and information about how the data they carry is protected.
System Acquisition, Development, and Maintenance: describes the process for managing systems in secure environments. Auditors will require evidence that new systems are developed and maintained to high security standards.
Supplier Relationships: describes how an organization should interact with third parties while maintaining security. Auditors will review contracts with third parties that could have access to sensitive information.
Information Security Incident Management: provides best practices for dealing with security incidents. Auditors may ask the organization to run an incident management drill to assess its response. A SIEM (security information and event management) tool is valuable for detecting and categorizing unusual system behavior.
Information Security for Major Changes and Business Continuity Management: describes how to handle business disruptions. Auditors might simulate several disruptions, and the ISMS should cover the steps needed to recover from them.
Compliance: identifies which industry or government regulations are relevant to the company, such as. Auditors will require evidence that the business fully complies with the regulations that apply wherever it operates.
A common mistake many organizations make is to place all responsibility for ISO certification on the IT department. Information technology is an important part of ISO 27001, but responsibility for it must be shared across the organization.