The International Organization for Standardization (ISO) publishes a set of information security standards, among which the ISO 27001 is well known. A 2021 survey revealed that more than 58,000 organizations around the world have achieved ISO 27001 compliance.
A new edition of the standard was published in 2022, and companies must migrate to it by 2025. In this article, we explain what ISO 27001 compliance involves, what the new 2022 standard is all about, and how to comply using business automation.
What Is the ISO 27001 Standard?
The ISO and the International Electrotechnical Commission (IEC) publish international standards for various industries and processes.
One of them is the information security standard called the ISO 27001 or, more formally, the ISO/IEC 27001:2022 Information security, cybersecurity, and privacy protection — Information security management systems — Requirements.
This standard describes the requirements that an organization’s information security management system (ISMS) must meet. It covers how to implement, maintain, and improve an organization's information security policies systematically through an ISMS.
The three key goals of an ISMS are to protect the confidentiality, integrity, and availability of all your information systems at all times.
The ISO 27001 is part of a family of ISO standards related to information security that includes:
- ISO/IEC 27000: Information security management systems — Overview and vocabulary
- ISO 27002: Information security, cybersecurity, and privacy protection — Information security controls
- ISO 27003: Information security management systems — Guidance
- ISO 27004: Information security management — Monitoring, measurement, analysis, and evaluation
- ISO 27005: Information security, cybersecurity, and privacy protection — Guidance on managing information security risks
The newest (third) edition of the ISO 27001 was published in 2022 and is called ISO/IEC 27001:2022. It replaces the previous two editions, 27001:2013 and 27001:2005. In the next section, find out how your business can benefit from complying with this standard and getting your compliance certified.
The Benefits of ISO 27001 Certification
ISO 27001 certification offers competitive advantages to your business. Many government organizations and private companies mandate that your information security practices must satisfy ISO 27001.
An ISO 27001 certificate also helps your organization and employees implement other security frameworks like the Service Organization Control Type 2 (SOC 2).
What does the certification involve? Find out in the next sections.
Overview of ISO 27001 Compliance
ISO 27001 compliance involves two key concepts:
- Satisfy the requirements: These requirements cover different principles and aspects that your organization must adhere to.
- Use the controls: The ISO 27001 controls are the recommendations or steps you can implement to satisfy those requirements. Each one achieves some control objectives.
In the sections below, we delve into the various categories of requirements and controls that the standard specifies.
Organizational Requirements and Controls
The core philosophy underlying ISO 27001 compliance is that the effectiveness of your information security management system heavily depends on your organizational culture, your business processes, and your management practices.
To address these aspects, the ISO 27001:2022 organizes the related requirements under four categories:
- Context of the organization
- Leadership and management
We'll go over these categories next, reviewing their key requirements and controls.
1. Context of the Organization
The scope of your ISMS depends on your organization's context. You must consider these aspects that make up the context:
- All the external and internal factors that affect your information security
- All the interested parties — like your employees, vendors, business partners, and clients — and their particular legal, regulatory, or contractual requirements
- Dependencies between the activities of your organization, as well as those of the interested parties
ISO 27001 compliance requires you to establish an information security policy that's suited to the purpose and scale of your organization. The policy must commit to satisfying your security requirements and achieving continual improvement. You must document and communicate your policy to all stakeholders.
You are also required to lay out a set of information security objectives that are consistent with your policy. These objectives must be measurable, monitored, and communicated with all stakeholders. You must document their implementation details like tasks, resources, responsibilities, schedules, and evaluation procedures.
Planning also requires comprehensive risk assessments and risk treatment strategies. We'll explore these risk management aspects in detail later.
Organizational controls encompass asset management plans for your information assets, including maintaining their inventory and implementing rules for their handling.
3. Leadership and Management
Your organization's leadership and senior management are key drivers of your ISMS. They must:
- Drive the planning requirements above
- Integrate information security objectives into your business strategies and processes
- Wrangle all the resources your ISMS needs
- Communicate the ISMS’s importance throughout the organization
- Give authority, roles, responsibilities, directions, and support to your employees to implement your information security objectives
- Plan for continual improvements in the system
Your organization as a whole must support your information security management system by satisfying these requirements:
- Resources: Provide the resources needed to establish, implement, and improve your ISMS.
- Competence: Ensure that the implementing personnel have the necessary training, education, and experience.
- Awareness: Make personnel aware of the information security policy, their responsibilities under it, and the implications of not complying with it.
- Communications: Determine the necessary internal and external communications needed for an effective ISMS as well as what, when, to whom, and how to communicate.
- Documentation: Document all the information required by the standard and its effective implementation. Documents and their metadata must be maintained, managed, and protected throughout their lifecycle, including storage, distribution, access, modification, preservation, and retention. This includes documents in physical and digital formats.
Risk Management Requirements
We mentioned earlier that a comprehensive risk management process is a crucial element of ISO 27001 compliance. In this section, we explore relevant requirements and controls in depth.
1. Risk Assessments
You are required to understand all your information security risks in depth. Relevant requirements on your risk assessment process include:
- Risk identification: Identify all the risks that may result in the loss of confidentiality, integrity, or availability of any of your information assets.
- Risk analysis: Assess the possible consequences and likelihood of each identified risk.
- Risk acceptance criteria: Define the quantitative and qualitative thresholds for accepting, tolerating, or rejecting each risk.
- Responsibilities: Identify the employees who must act as risk owners to monitor and mitigate each risk.
- Repeatability: Your organization must assess risks periodically and whenever there are major business or context changes. Use criteria and thresholds that are consistent and comparable over time.
- Priorities: Prioritize your risks for the next risk treatment stage.
- Documentation: Document your entire risk assessment process and its data.
After risk assessments, you must look into mitigating them.
2. Risk Treatment Plans
Mitigating risks involves establishing risk treatment plans based on your risk assessments. These require you to:
- Select risk treatment approaches for each risk.
- Determine the security controls you need to implement those approaches. You must include all the information security controls listed in Annex A of the ISO 27001 standard. However, you are free to add custom controls specific to your organization, industry, or business environment.
- Produce a statement of applicability that lists your controls, justifies each inclusion or exclusion, and reports whether a control is implemented or not.
- Create a risk treatment plan detailing the implementation of your controls.
- Obtain necessary approvals for the treatment plans and acceptance of any residual risks.
Operational Requirements and Controls
Operational requirements and controls are where the rubber meets the road. Your ISMS must be integrated into every department's processes, workflows, and practices. You must define the exact process and criteria you'll apply to your organizational processes and practices to achieve the security objectives.
The detailed list of controls is laid out in Annex A of the standard. Some of the essential data security and technological controls used in operations include:
- Access control: Apply access control policies that determine who can access some sensitive data and what actions are allowed on that data.
- Encryption: You must implement data protection for stored and transmitted data through cryptography techniques.
- Identifying vulnerabilities: Vulnerabilities that can reduce the confidentiality, integrity, or availability of information must be identified through automated analyses, stress tests, penetration tests, etc.
- Incident management: You must have an information security incident management plan to deal with incidents like data breaches and to contain their damage.
- Data privacy: You must have policies to protect personally identifiable data according to your regulatory and contractual obligations.
- Business continuity: Your risk assessments and treatment plans must consider the information security aspects of business continuity management.
In the next two sections, we explore some of the more specialized requirements and controls relevant to compliance.
Supplier Relationship Requirements
The ISO 27001 standard recognizes that your information security is affected by your third-party suppliers and vendors. Some of the relevant controls are listed below.
- Identifying supplier risks: You must establish processes to identify and mitigate the information security risks emanating from every supplier's products or services, including cloud services.
- Adding contractual obligations: Include information security requirements in your supplier contracts through data processing agreements and indemnification agreements.
- Monitoring suppliers: You must continuously monitor, evaluate, review, and respond to any changes in a supplier's information security or service delivery practices.
ISO 27001 requires your organization to be cognizant of all statutory, regulatory, and contractual requirements related to information security.
These can be laws like the General Data Protection Regulations (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA).
You must document their requirements relevant to your organization and your compliance steps.
Evaluation and Improvement Requirements
Lastly, ISO 27001 expects you to meet its evaluation and continual improvement requirements. You must conduct regular management reviews, internal audits, and performance evaluations of your risk assessments and risk treatment plans. You must identify all nonconformities and take corrective actions.
All these steps must also be documented for the certification process.
27001:2022 vs. 27001:2013
For companies transitioning from the older ISO/IEC 27001:2013 standard to the new 2022 standard, we lay out some of the key changes.
The large number of control categories in the 2013 standard has been reduced. The controls are organized under just four categories in the 2022 standard:
- Organizational controls: They address all the organizational and management requirements.
- People controls: They cover controls specific to personnel, such as training and remote working. They were listed under “human resource security” in the older 2013 standard.
- Physical controls: They include controls related to the physical security of perimeters, buildings, rooms, equipment, and similar. They were called “physical and environmental security” in the 2013 standard.
- Technological controls: They cover all the software and software technology controls that we reviewed above. They were grouped under “operations security” and “communications security” in the 2013 standard.
The American National Standard Institute's National Accreditation Board has published a more detailed analysis of the changes.
The ISO 27001 Certification Process
To be certified as ISO 27001 compliant, your organization must undergo a certification audit of all your information systems by an accredited certification body.
Such a body will carry out an external audit of your processes and practices, perform a gap analysis to identify their shortcomings, and advise you on process improvements to get yourself certified.
The certification is valid for three years. After that, you must undergo it again.
Some of the important dates related to ISO 27001 certification include:
- October 22, 2022: Companies can apply for certification against the new ISO 27001:2022.
- October 31, 2023: This is the last date to apply for a one-year certification under the older ISO 27001:2013.
- October 31, 2025: Companies certified under 27001:2013 must transition to 27001:2022 by this date.