ISO 27001 Recipe and Ingredients - Pivot Point Security

Posted on 02-May-2022


Page 1: ISO 27001 Recipe and Ingredients - Pivot Point Security

Overview

The ISO 27001 standard is very comprehensive. We like to think of it as a recipe for achieving and maintaining a desired information security posture.

What ingredients does the ISO 27001 recipe consume? These are the 114 information security controls, or mechanisms to reduce information security risk, described in the ISO 27002 standard and in Annex A of ISO 27001.

The clauses (steps) in the ISO 27001 certification process provide the instructions for combining those ingredients. They support you in defining and documenting the goals and results of your ISMS, its scope, your Risk Assessment results, the controls you elect to implement, how robust those controls need to be, and so on. One of the greatest strengths of the ISO 27001 standard is how it helps you rationalize the best way to manage risk. We’ll get into that more below.

ISO 27001 focuses on managing information security risk in alignment with your organization’s goals and risk appetite. ISO 27001 is flexible and largely non-prescriptive. It recognizes, for example, that a venture-funded startup in a disruptive market like artificial intelligence will likely have a higher appetite for information security risk than an established law firm serving Fortune 1000 clients. Even the same organization will often view and approach risk differently at different stages of its maturity and growth.

ISO 27001: The “Recipe and Ingredients” for Certification

114 information security controls

If you’re reading this, your organization is either considering or actively moving toward ISO 27001 certification. That’s good news, as implementing an ISO 27001 certified Information Security Management System (ISMS) is one of the best initiatives any business can do to protect its sensitive data, and to demonstrate that capability to clients and other stakeholders.

Businesses that achieve ISO 27001 certification are significantly less likely to experience security incidents, and any incident impacts are significantly reduced. They also enjoy a competitive advantage and a reduced burden of questionnaires and onsite vendor audits because they can readily prove they’re secure.

This eBrief will give you a quick and easily digestible introduction to the ISO 27001 standard and the process of becoming ISO 27001 certified.


Advantages

Why choose ISO 27001 from among the many information security standards and frameworks out there? It is time-tested, proven effective, recognized internationally, and widely used across many industries.

ISO 27001 is part of the ISO 27000 family of related standards, which provide additional guidance to help an organization plan and operate its ISMS in a range of circumstances. These standards include ISO 27017 for cloud security, ISO 27018 for privacy, ISO 27799 for healthcare environments, and many more.

The key advantage of ISO 27001 is that it provides a trusted, independent, third-party attestation regarding your ISMS and overall security posture. This is something you can hand to stakeholders that proves you are proactively managing information security. Third-party attestation is the best kind of proof you can offer. It’s more trustworthy than first-party attestation (e.g., I fill out your questionnaire) and much less resource intensive for stakeholders than second-party attestation (e.g., you audit me yourself).

To certify organizations against the ISO 27001 standard, ISO has accredited a handful of certification bodies. These entities, in turn, accredit the registrars that conduct certification audits, as well as the certified lead auditors who actually perform the audits. Each of these levels of accreditation serves to prove that an ISO 27001 certified organization has gone through an objective, standardized and approved audit program performed by a qualified and accountable auditor.

Over 20,000 organizations worldwide have achieved ISO 27001 certification.

Key Elements of Certification

The heart of the ISO 27001 standard is its Clauses 4 through 10. These are the key “steps” in the ISO 27001 certification process:

Clause 4 is Context - What are we protecting and why?

Clause 5 is Leadership - Who is responsible to make this happen?

Clause 6 is Planning - What’s our plan, and how and why did we arrive at it?

Clause 7 is Support - What resources do we need to commit to this effort?

Clause 8 is Operation - How, when and where do we operationalize our plan?

Clause 9 is Performance Evaluation - How is our plan working?

Clause 10 is Improvement - How do we continuously improve year over year?


Context and Leadership

Context and Leadership (clauses 4 and 5) both relate to establishing a vision for your ISMS.

The Context clause guides you in defining the scope of your ISMS. The formal ISMS Scope statement you create as a prerequisite for certification is the cornerstone of your ISMS.

Getting your scope right is critical to a smooth, successful certification process. Your ISMS committee will use the Scope Statement to document certification efforts and determine what specific data to protect. Your management will use it to verify their direction and expectations have been understood. At audit time, your registrar will use it to plan for the audit and assess whether your ISMS is successful.

“Context” is anything that influences your understanding of information-related risk, and/or impacts the decisions you will make about managing that risk. Context includes:

What information are you trying to protect and in what specific circumstances?

What products, services, systems, networks, databases, facilities, roles, etc. are and are not within the ISMS Scope?

Where are the relevant interfaces or boundaries where sensitive information is exchanged?

What external & internal issues influence risk and your decisions about risk?

Who are the key stakeholders (e.g., clients, management, stockholders, regulatory bodies, your cyber liability insurance provider) in your ISMS and what are their expectations for how you will manage information security risk?

Leadership

The ISO 27001 standard gives senior leadership explicit responsibility to define and declare their expectations and vision for the ISMS, confer the authority to act on that vision, and state how the process will be governed and by whom (who does what and when).

Your formal Information Security Management Charter document will establish these roles, responsibilities and objectives. The standard also requires that you create an Information Security Policy document, which establishes explicit expectations for the ISMS (the more explicit the better). This document also establishes accountability for the ISMS in areas like compliance, internal audit and so on.

Like many ISO 27001 documents, the above are not “one and done” documents but need to be examined and updated every year to reflect changes in your organization and its operating environment. This includes the evolution of your risk landscape and risk appetite.

Pro Tip – Management “buy-in,” which includes good direction and communication, is the number one indicator of a successful ISO 27001 implementation. If IT and/or Operations tries to push this alone, it’s a long road ahead.

Planning, Support and Operations

Planning, Support and Operations (clauses 6, 7 and 8) go together because they all work together to translate management’s vision for your ISMS into a sustainable, consistent, repeatable implementation.

These clauses are about making the vision real and keeping it moving. They guide you to address questions like: What is our plan? What resources do we need to make it happen? How will we document and communicate the plan and the operational processes?

As you plan your ISMS, you translate management’s expectations into an operational blueprint. The steps you’ll take during this critical process include:

Planning

Defining your overall risk management process/methodology and its objectives

Conducting a Risk Assessment and reporting on the results, including Risk Treatment decisions and Risk Treatment plans

Selecting the ISO 27001 controls you will implement in your ISMS


The risk management process defines how you will assess risk in a consistent, repeatable way. This includes developing threat and vulnerability libraries, impact criteria, probability criteria, and options for managing risks that are unacceptably high. You need to adjust your information security controls to reduce risk to an acceptable level.

Your Risk Assessment and Risk Treatment plan are generated from your risk management process. These documents explain what risks you identified, and your decisions and rationale for accepting, transferring, insuring or mitigating each risk. For risks you choose to mitigate, you’ll also document related controls, how strong they are, who is responsible and the implementation timeframe.

Another core ISMS planning artifact that is linked to Risk Assessment/Treatment is the Statement of Applicability. This states which controls from ISO 27001 Annex A (or any other framework, NIST, HIPAA, SOC, etc.) you plan to implement, and why.
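The flow described in the last three paragraphs (probability and impact criteria, a scored risk register, accept/mitigate/transfer decisions with residual risk, and a Statement of Applicability derived from those decisions) as a worked example. This is added code written for this page; it is not Pivot Point Security’s methodology and not anything defined by ISO 27001 itself. The 1–5 scales, the risk appetite of 8, the control catalogue, the risk register and the control owners are all constructed, and a control’s “strength” is modelled as the number of likelihood or impact levels it removes, which is one simplifying assumption among many possible methodologies.

```python
from dataclasses import dataclass

# Constructed probability and impact criteria (1..5). A real methodology defines
# its own descriptors; these are illustrative only.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_APPETITE = 8  # constructed: highest likelihood x impact score management will accept


@dataclass
class Control:
    ref: str                   # Annex A domain the control sits under
    owner: str                 # who is responsible for implementing it
    likelihood_reduction: int  # control "strength": levels removed (modelling assumption)
    impact_reduction: int


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str                # entry from the threat library
    vulnerability: str         # entry from the vulnerability library
    likelihood: int
    impact: int
    candidate_controls: list   # catalogue control names that could treat this risk


@dataclass
class Treatment:
    rid: str
    inherent: int
    decision: str              # accept | mitigate | transfer
    controls: list
    owners: list
    residual: int


def score(likelihood, impact):
    """Risk score = probability criterion x impact criterion."""
    return likelihood * impact


def plan_treatment(risk, catalogue, appetite=RISK_APPETITE):
    """Decide accept / mitigate / transfer for one risk and compute its residual score.

    Candidate controls are applied in the listed order until the residual score is
    within appetite. If no combination gets there, the risk is transferred (e.g.
    insured) with the selected controls still applied, so the rationale is recorded.
    """
    inherent = score(risk.likelihood, risk.impact)
    if inherent <= appetite:
        return Treatment(risk.rid, inherent, "accept", [], [], inherent)
    likelihood, impact, applied = risk.likelihood, risk.impact, []
    for name in risk.candidate_controls:
        ctrl = catalogue[name]
        likelihood = max(1, likelihood - ctrl.likelihood_reduction)
        impact = max(1, impact - ctrl.impact_reduction)
        applied.append(name)
        if score(likelihood, impact) <= appetite:
            break
    residual = score(likelihood, impact)
    decision = "mitigate" if residual <= appetite else "transfer"
    owners = sorted({catalogue[n].owner for n in applied})
    return Treatment(risk.rid, inherent, decision, applied, owners, residual)


def build_treatment_plan(risks, catalogue, appetite=RISK_APPETITE):
    """Risk Treatment plan: one decision per risk in the register."""
    return {r.rid: plan_treatment(r, catalogue, appetite) for r in risks}


def statement_of_applicability(catalogue, plan):
    """Mark every catalogue control applicable or not, with the risks that justify it."""
    soa = {}
    for name, ctrl in catalogue.items():
        used_by = sorted(t.rid for t in plan.values() if name in t.controls)
        soa[name] = {
            "ref": ctrl.ref,
            "applicable": bool(used_by),
            "justification": ("treats " + ", ".join(used_by)) if used_by
                             else "no in-scope risk requires this control",
        }
    return soa


# Constructed control catalogue keyed by name, referencing Annex A domains.
CATALOGUE = {
    "MFA for remote access": Control("A.9 Access control", "IT", 2, 0),
    "Incident response plan": Control("A.16 Information security incident management", "Security", 0, 1),
    "Nightly offline backups": Control("A.12 Operations security", "Ops", 0, 2),
    "Supplier security review": Control("A.15 Supplier relationships", "Procurement", 1, 0),
    "Clean desk policy": Control("A.11 Physical and environmental security", "Facilities", 1, 0),
}

# Constructed risk register: asset, threat, vulnerability, likelihood, impact, candidates.
RISKS = [
    Risk("R1", "customer database", "credential stuffing", "password-only VPN", 4, 5,
         ["MFA for remote access", "Incident response plan"]),
    Risk("R2", "file server", "ransomware", "backups never tested", 3, 4, ["Nightly offline backups"]),
    Risk("R3", "marketing website", "defacement", "outdated CMS plugin", 2, 2, []),
    Risk("R4", "payroll data at provider", "supplier breach", "no supplier assurance", 3, 5,
         ["Supplier security review"]),
]

if __name__ == "__main__":
    plan = build_treatment_plan(RISKS, CATALOGUE)
    for t in plan.values():
        print(f"{t.rid}: inherent={t.inherent} decision={t.decision} "
              f"controls={t.controls} owners={t.owners} residual={t.residual}")
    for name, row in statement_of_applicability(CATALOGUE, plan).items():
        print(f"{row['ref']:<48} {name:<26} {'yes' if row['applicable'] else 'no':<4} {row['justification']}")
```

Running the block prints the treatment plan (R1 and R2 mitigated within appetite, R3 accepted as-is, R4 transferred because the one available control leaves it above appetite) followed by the Statement of Applicability, in which the clean desk policy is recorded as not applicable with a justification. Changing RISK_APPETITE or a control’s reduction values shows how the same register yields different treatment decisions, which is why those criteria are documented as part of the methodology.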

Support

The Support clause guides an organization in determining what resources, competencies, awareness, communication and document management processes are required to effectively operate its ISMS. This encompasses not just money and in-house staff, but also external resources and expertise, training requirements, revised job descriptions, HR/recruiting changes, credential verification requirements, performance reviews, and so on.

Part of supporting the ISMS is communicating about it: who, internally and externally, has to know what, when, and in what way for the plan to be effectively operationalized?

Documentation goes along with communication. How will you create and control applicable policies, procedures and standards in order to effectively operate the ISMS?

Important documentation includes:

ISMS Policy

Clause Requirements

Control Documentation

Incident Response (IR) Plans

Vendor Risk Management (VRM) Procedures

Security Metrics

ISMS Internal Audit Plans

Related Corrective Action Plans

Operation

The Operation clause ensures documentation necessary to effectively operate the ISMS is developed. The goal is to make it easier to follow the plan by documenting critical information security activities in a way that makes them more repeatable and consistent.

Your documentation is likely to cover matters such as: your ISMS committee will meet bi-annually; you will handle employee termination via a deprovisioning process; you will present a written report on ISMS status covering X, Y and Z metrics to leadership quarterly; and you will control your ISMS documentation and versioning using such-and-such software.

Performance Evaluation and Improvement

Performance Evaluation and Improvement (clauses 9 and 10) help you determine whether the ISMS you implemented is working as intended, and is in line with management’s vision and plan. Performance Evaluation covers measurement, analysis, evaluation, internal audit and management review of the ISMS once it is implemented. Improvement covers corrective actions for nonconformities, along with ongoing improvements in the information security program. ISO 27001 requires certified organizations to make their ISMS better year over year (continuous improvement).

Performance Evaluation and Improvement focus on whether the ISMS is effective, based on testing and metrics. It’s important that your security metrics reflect your security objectives as outlined by management, as well as priorities outlined in your Risk Treatment plan.


You can think of security metrics as security KPIs. Examples include average time to remediate critical vulnerabilities, the percentage of high-risk vendors reviewed in the last year, the percentage of your data that is available for recovery on your disaster recovery (DR) site, or the percentage of corporate sites that have a working Business Continuity (BC) plan.

A core aspect of ISO 27001 performance evaluation is your internal audit program. The standard requires internal audits at planned intervals (most often annually) to assess the effectiveness of the ISMS in managing risk as intended. Leadership is required to review the internal audit report.

Internal audits are in addition to the certification or surveillance audits that are conducted annually by your certification registrar. Besides mandated audits, your ISMS will be subject to other performance evaluations, such as vendor reviews, regulatory audits, network penetration tests, management reviews, etc.

All these evaluations will enable you to identify major and minor nonconformities. Nonconformities identified require you to create corrective action plans to document what happened and ensure that lessons are learned and root causes identified. How do we fix this? Could similar problems exist? Was the fix effective? How did we change the ISMS? This documentation not only serves as a change record, but also helps support continuous improvement.

Annex A

Annex A lists 114 information security controls and their objectives. Annex A is a bit like “CliffsNotes” for ISO 27002, because it briefly summarizes the controls that ISO 27002 covers in more detail.

As mentioned above, we also think of Annex A as listing the “ingredients” that are consumed when you implement an ISMS using the ISO 27001 “recipe.”

Briefly, Annex A organizes the 114 controls under fourteen domains:

A.5 Information security policies

A.6 Organization of information security

A.7 Human resource security (controls that apply before, during and following employment)

A.8 Asset management

A.9 Access control (passwords, etc.)

A.10 Cryptography (encryption)

A.11 Physical and environmental security

A.12 Operations security (backups, monitoring)

A.13 Communications security

A.14 System acquisition, development and maintenance security

A.15 Supplier relationships (VRM, third party risk management/TPRM)

A.16 Information security incident management (incident response, etc.)

A.17 Information security aspects of business continuity management (how BC impacts the ISMS)

A.18 Compliance (both internal and external requirements)

Next Steps – Choose your path

There are generally two options when it comes to building an ISO 27001 certified ISMS: Do it yourself (DIY) or hire help. Here is a quick breakdown to help you choose what is right for you:

The DIY Option

If you have internal staff with the expertise and bandwidth, as well as 8-24 months to receive your certification, the DIY route may be your best option. In the end, ISO 27001 is not rocket science… it’s work.

Technically this is the route we chose to get our ISO 27001 certification (although as an ISO 27001 consulting organization we certainly had the expertise). For us, the biggest challenge of DIY was a strain on bandwidth. Your people in charge of IT, Operations, Security, and Legal/Compliance (and many others) will have a fair amount of additional work to do. Our team put in 300+ combined hours over a 10 month period to get ISO 27001 certified.

The Hired Help Option

If time, expertise or bandwidth are a concern, hiring some outside help may be your best option. Most firms (like us) will have different levels of support from simple consulting to basically taking the project over completely. Of course, this comes with a hard cost that may be prohibitive for some organizations.

For reference, you can expect to pay $30,000 to $90,000 depending on engagement model, ISMS scope, current maturity, and timeline.

With Pivot Point Security as your trusted partner, achieving and maintaining ISO 27001 certification is a certainty. We offer a unique “As-A-Service” model that enables you to stay on track, save time and money, reach certification at your own pace, ensure your ISMS is effective, and ensure you pass your certification audit.

To start a conversation with one of our ISO 27001 experts, give us a call at 888-748-6876 or email us at [email protected]