ISO 27001 and ISO 27002 Compliance

Being one of the first data protection standards, ISO/IEC 27001 provides a comprehensive framework for
Information Security Management System that any organization may adopt, while ISO/IEC 27002
provides more specific security controls and guidance on their implementation.

What is the ISO 27001 standard?

ISO/IEC 27001 is a global standard designed to establish, maintain and continuously improve a corporate Information Security Management System (ISMS) to protect corporate data in a holistic manner. It is jointly developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The first version of the standard (27001:2005) was published in 2005. The current version is 27001:2013, while the next major update is expected to be released in 2021 or early 2022 by the ISO/IEC.

ImmuniWeb can help you comply with ISO 27001 / ISO 27002 cybersecurity and data protection requirements. How We Help

The overarching ISO 27001 standard encompasses people, technology and processes within the covered organization, providing a multidimensional protection from diversified types of risks and threats. The standard also implies vigorous management’s commitment and support for information security at all levels of the organization. In addition to traditional cybersecurity requirements, ISO 27001 covers such areas as business continuity and disaster recovery, human risk management and security awareness, physical protection of non-digital information and regulatory compliance. It is considered one of the most inclusive data protection standards that goes far beyond technology and IT processes. Large companies may spend several years to implement all of the requirements prior to getting the desired certification.

Interestingly, and in contrast with other well-known security standards such as NIST 800-53 or NIST 800-171, the text of the ISO 27001 standard is not publicly available and has to be purchased for a small fee at the ISO website in a PDF or paper format.

What is the ISO 27002 standard?

The ISO/IEC 27002 standard merely supplements ISO 27001 by providing detailed guidelines and actionable best practices on how to implement the ISMS security controls from the ISO 27001 Annex A. The most recent version of ISO 27002 is currently ISO 27002:2013.

Differently from the ISO 27001 standard, there is no formal certification process for the ISO 27002 compliance, however, it can be expressly incorporated in the ISO 27001 ISMS documentation as the primary guidance for security controls implementation. Integration of ISO 27002 into the ISO 27001 is considered to be a good practice that provides additional assurance for concerned parties. Additionally, ISO 27017 further expands the ISO 27002 controls for the cloud environment and is considered a best practice among cloud service providers.

Is ISO 27001 compliance, audit or certification mandatory?

Differently from state-enacted laws and regulations, such as GDPR in the EU or NYDFS in the state of New York, the ISO 27001 compliance and certification are not mandatory. The standard becomes, however, a widespread prerequisite for suppliers of large organizations and governmental entities that now require obligatory ISO 27001 certification or SOC 2 reports from their contractors and vendors to reduce third-party risks and minimize the impact of supply chain attacks.

Many organizations incorporate mandatory ISO 27001 compliance, certified by an external audit, into their third-party risk management program (TPRM) and, among other things, may contractually impose yearly submission of external audit reports, periodic onsite inspections and even monetary fines for uncured non-conformities with the standard. Repetitive violations of contract provisions may lead to contract termination and loss of business for careless suppliers.

External ISO 27001 audit and certification is also voluntary and not imposed by the black letter of the standard. Most of the organizations, however, prefer to get their external audit by an accredited auditor (e.g. by UKAS or ANAB), also known as accredited registrar or accredited certification body, to independently validate their adherence to the standard.

What is the difference between ISO 27001 and SOC 2?

Service Organization Control (SOC), designed and maintained by the American Institute of Certified Public Accountants (AICPA), is not a certification but rather a set of interrelated auditing reports validating proper implementation of internal controls by service companies.

There are different types of SOC reports. SOC 2 report attests compliance with the security controls from the so-called Trust Service Principles (TSP) that include five categories of controls: security, availability, confidentiality, processing integrity and privacy. There are two types of SOC 2 reports: SOC 2 Type 1 report provides a snapshot of organizational state of security at a specific point of time. While SOC 2 Type 2 report encompasses compliance during a certain period of time, usually spanning from 6 to 12 months, validating continuous compliance with the enacted security controls. Compared to the ISO 27001 certification, SOC 2 reports - attesting conformity with the TSP controls - are considerably less complicated and time-consuming to obtain.

Valid SOC 2 reports may be provided only by licensed Certified Public Accountant (CPA) firms or individuals. SOC 2 is more prevalent in the US, while ISO 27001 is more international and globally recognized standard. An ISO 27001-certified organization should normally have no difficulties to obtain SOC 2 Type 1 and Type 2 reports.

What are the ISO 27001 requirements?

A significant number of modern security standards and laws, such as PCI DSS or the SHIELD Act, are largely focused on technology and practical implementation of the related security controls, while ISO 27001 gives a lot of importance to people and processes in the organization, promotes security awareness and requires personal involvement of top management into corporate information security program and continuous improvement of the underlying ISMS.

The ISO 27001:2013 standard is composed of 10 Clauses with numerous subclauses:

1. Scope
2. Normative References
3. Terms and definitions
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5. Leadership
5.1 Leadership and commitment
5.2 Information Security Policy
5.3 Organizational roles, responsibilities and authorities
6. Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

While the Clauses 1 to 3 are merely introductory, proper implementation of the Clauses 4 to 10 is mandatory to achieve compliance with the standard. The ISO 27001 requirements offer a risk-based approach to implementation and continuous improvement of corporate information security strategy based on a multifaceted ISMS, capable to adequately mitigate technical, physical, human and legal risks to the acceptable level.

Remarkably, under the standard, risk assessment and consequent risk mitigation plan may be unique for each organization: ISO 27001 does not dictate how to conduct risk assessment, neither sets a minimum bar for risk acceptance or tolerance. This unique feature of ISO 27001 provides covered companies with a fairly broad flexibility, adjustable to their specific business context, needs and priorities. Of course, no ISO 27001 auditor in sound mind will agree with a risk treatment plan that contradicts common sense or is obviously at odds with the existing industry regulations or law. Organizations looking for sound risk assessment and treatment methodologies may consider ISO 27005 standard that provides detailed guidelines on risk management. Similarly to ISO 27002 mentioned above, ISO 27005 supplements the ISO 27001 standard.

What are the ISO 27001 security controls?

By the virtue of Clause 6.1.2, ISO 27001 requires organizations to perform an ongoing risk assessment followed by risk treatment process described in the Clause 6.1.3.

There are no specific security controls in the standard and the organizations are free to select their own security controls to mitigate the risks. This gap is compensated by the Annex A to the ISO 27001 standard, which contains a non-exhaustive list of recommended but non-obligatory security controls aimed to provide more specific technical guidance to the organizations. Implementation of these security controls are elaborated by ISO 27002.

The ISO 27001:2013 Annex A currently contains 114 controls grouped in 14 sections (A.5 - A.18) in:

A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

The wide spectrum of security controls, spanning from physical safeguards and security training to supply chain risk management and meeting regulatory requirements, makes ISO 27001 one of the most comprehensive data protection standards.

For instance, the control A.18.1.1 requires organizations to identify laws, regulations and contractual duties that apply to their business. The next control A.18.1.2 addresses intellectual property requirements by preventing negligent or unwitting infringement of licensing agreements or violation of copyright law. Privacy legislation is covered by the control A.18.1.3 that mandates protection of personal data (PII) as prescribed by the applicable privacy laws, such as LGPD in Brazil or PDPA in Singapore. Thus, a violation of applicable law or industry standard, such as HIPAA or PCI DSS, may potentially trigger a major non-conformity with ISO 27001 and even lead to a suspension of certification if spotted during an annual audit.

It is important to note that the foregoing controls from the Annex A may be excluded if irrelevant for the ISMS scope or non-applicable for the organizational context. For instance, the A.11.1.6 control encompasses physical security of delivery and loading areas that may simply not exist. Nonetheless, it is a good practice to consider all of the controls, avoid exclusions and properly document risk mitigation controls in case a currently non-applicable control becomes necessary one day.

One should also bear in mind that the 114 controls from the Annex A is not a ceiling but rather a bottom line. When risk assessment requires supplementary security controls in order to adequately mitigate the identified risks to the acceptable level, additional controls must be implemented even if they are not expressly mentioned in the Annex.

ImmuniWeb can help you comply with ISO 27001 / ISO 27002 cybersecurity and data protection requirements. How We Help

How to implement ISO 27001?

Cybersecurity professionals commonly follow divergent checklist approaches to tactical implementation of the ISO 27001 standard that may vary by country, industry or size of the certified business. The underlying strategy is, however, pretty similar and consistent.

First, the organization wishing to be ISO 27001 certified, shall analyze and agree on the underlying needs and the desired outcomes of the ISMS within the context of its business (Clause 4.1). When doing so, the organization shall likewise consider legitimate needs and concerns of the so-called interested parties (Clause 4.2). The interested parties may include clients, partners, employees or regulators who may be positively or negatively affected by the ISMS implementation. For instance, customers will certainly appreciate more assurance that their data is adequately protected, while suppliers may give a cold welcome to additional due diligence requirements.

Then, the organization has to define the actual scope of the ISMS within the organization (Clause 4.3). The ISO 27001 scoping is somewhat similar to the PCI DSS scoping of the Cardholder Data Environment (CDE), however, differently from clearly imposed guidelines for the CDE scope, ISO 27001 may apply to any part, office or specific site of the covered entity. It’s essential to properly determine the boundaries of the ISMS, considering organizational context and needs, as well as involvement of third parties into the business processes (e.g. external cloud storage or outsourced credit card processing). Commonly, small and medium-sized organizations select their entire infrastructure to be in the ISMS scope, while large international businesses may exclude some offices or locations where no sensitive data is processed or stored to reduce costs. Any unjustified or overbroad exclusions (e.g. regional offices or departments that have access to the data that the ISMS aims to protect) will likely be a red flag, therefore, pay a special attention to your scoping process.

The next step is to obtain a long-term commitment from the organizational leadership (Clause 5.1) to continuously support and adequately maintain the ISMS by allocation of requisite resources and promoting healthy security culture within the organization. The Clause 5.2 is probably one of the most tangible ones: it requires creation of detailed documentation, including numerous policies and procedures to describe the ISMS, underlying processes and implemented security controls. Eventually, organization shall unambiguously assign roles and responsibilities, and grant necessary authority to employees to fulfill their ISMS-related duties pursuant to the Clause 5.3 of the standard.

Crucial ISMS implementation steps come from the Clause 6.1 that includes risk assessment, analysis and treatment. In a nutshell, the subclauses 6.1.1 to 6.1.3 require the organization to cautiously identify and assess the applicable risks, define a reasonably acceptable risk level (risk appetite) and then determine and implement security controls to efficiently mitigate those risks. During this phase, the Statement of Applicability (SoA) comes into the game. This foundational ISMS document shall contain the list of necessary controls, justifications for their inclusion and implementation status, as well as justifications for exclusions (if any). From a practical viewpoint, SoA may be a Microsoft Excel file providing easily consumable information about the current ISMS status.

Akin to some privacy laws that impose specific qualifications or experience requirements for Data Protection Officers (DPO), the Clause 7.2 of ISO 27001 requires covered organizations to determine necessary experience, training or education for personnel who will implement and maintain the ISMS. There are no specific requirements under the standard, but the skills are to be sufficient to execute ISMS-related tasks in a competent and qualified manner. The subsequent 7.3 and 7.4 Clauses require corporate personnel to be aware of the ISMS existence and its requirements, as well as to implement a frictionless communication process within the organization to ensure efficient promulgation of ISMS-related information and updates internally. Finally, Clause 7.5 provides guidance on maintenance and safeguarding of the ISMS documentation, including role-based access, version control and retention. Ideally, all people within the organization should be familiar with the relevant policies and procedures and share their feedback with the ISMS management team for continuous improvement purposes.

Practical implementation of the security controls, interrelated processes and procedures is described by the Clauses 8.1 to 8.3. Success of the ISMS implementation and achievement of its goals shall be measured in an ongoing manner as stipulated by the Clauses 9.1 to 9.3. This includes continual ISMS’s effectiveness evaluation, internal audit and management review of the audit results for corrective actions.

Finally, Clauses 10.1 and 10.2 guide organizations on how to mitigate the identified non-conformities by corrective actions in a continual and incremental manner.

What documents and records are mandatory under ISO 27001?

There are no formal requirements for the number or format of the ISMS documents, however, the following information must be documented somewhere in writing:

• Scope of the ISMS
• Information security policy and objectives
• Risk assessment and risk treatment methodology
• Statement of Applicability
• Risk treatment plan
• Risk assessment and risk treatment report
• Definition of security roles and responsibilities
• Inventory of assets
• Acceptable use of assets
• Access control policy
• Operating procedures for IT management
• Secure system engineering principles
• Supplier security policy
• Incident management procedure
• Business continuity procedures
• Legal, regulatory and contractual requirements

Some organizations maintain a highly complex ecosystem of interconnected catalogues, policies, procedures and other documents mapped to the specific ISO 27001 Clauses or security controls from the Annex A. It is, however, recommended to tailor your ISMS documentation to the needs and context of your organization, keeping everything as simple as possible. The less complex your documentation is, the less it will eventually cost you to maintain, improve and audit it.

To comply with the continuous improvement requirements of the standard and to support your ongoing efforts with verifiable evidence, organizations shall also maintain the following written records:

• Records of training, skills, experience and qualifications
• Monitoring and measurement results
• Internal audit program
• Results of internal audits
• Results of the management review
• Results of corrective actions
• Logs of user activities, exceptions and security events

There is no specific file format or design requirements for the above-mentioned records, what actually counts is accessibility, readability, traceability and ease of maintenance.

How much do ISO 27001 audit and certification cost?

Organizations should bear in mind that external audit and formal certification come after implementation of the ISO 27001 requirements. The entire process may take many months and usually is the most significant component of ISMS implementation cost. External audit and ISO 27001 certification are merely a culmination of a complex, laborious and time-consuming process.

The audit process is composed of two externally performed audits for the ISO 27001 standard compliance. The first audit is more focused on the ISMS documentation review and is aimed to assess overall readiness of the organization to fulfill the ISO 27001 requirements in a sustainable manner. The second part is rather dedicated to in-depth inspection of the documentation and implemented security controls to ascertain that they are sufficient to mitigate the risks in compliance with the existing ISMS policies and procedures. Moreover, external auditors usually impose annual surveillance audit that is comparatively short and often focused on reviewing how previously identified non-conformities, newly discovered risks or security incidents have been treated by the organization. Failure to comply with the ISMS requirements or largely inadequate security controls may lead to certification suspension.

Depending on the scope of the ISMS, nature of the business, quantity and complexity of the security controls, cost of auditing and certification may greatly vary. An SME may spend from 15 to 20 thousand USD, while a multinational business from a highly regulated industry, handling large volume of sensitive data dispersed around the globe, should be well prepared to invest a seven-digit number. As mentioned above, it is vital to select a duly accredited auditor, such as SGS or BSI, with a proven track record in ISO auditing.