In our previous blog, we outlined what ISO 27001 is. Essentially, it is a risk-based approach to information security, requiring organizations to identify risks that may be detrimental to information security and then select appropriate controls to mitigate them.
Those controls are outlined in Annex A of the Standard. As of ISO 27001:2013, there are 114 Annex A controls, divided into 14 control domains. When checking for ISO 27001 compliance, certification auditors will look at the controls under each domain. Below is a summary of each domain and the best method of demonstrating compliance in the event of an audit.
The 14 Domains of ISO 27001
Information Security Policies - this domain covers how organizations should go about writing and reviewing their policies in their ISMS. To be compliant make sure your organization is reviewing and documenting your procedures regularly.
The Organization of Information Security - this domain refers to how responsibilities are assigned in your organization i.e. who does what and when. To be compliant make sure that your organizational hierarchy is documented, with a clear indication of roles and responsibilities.
Human Resource Security - covers how employees need to be informed about cybersecurity when starting a job, leaving a job, or even changing jobs within the organization. To ensure compliance, succinct procedures for information security during onboarding and offboarding need to be recorded by the organization.
Asset Management - describes the steps needed to manage data assets and how they need to be secured. In the event of a certification audit, your organization's process for tracking hardware, software, and databases will be evaluated, so you may be required to evidence your methods of securing the integrity of your data assets.
Access Control - guides how the organization should control an employee's access to data depending on position and status. To be compliant an organization should clearly outline how access privileges are set and who is overseeing them.
Cryptography - this domain covers best practices regarding encryption. In the event of an audit, how each system that deals with sensitive data is being encrypted, including the type of encryption used, will be evaluated.
Physical and Environmental Security - covers how an organization should secure buildings and internal equipment. To make sure that your organization is compliant, vulnerabilities in security at your place of business need to be eliminated.
Operations Security - this domain describes the best methods of collecting and storing data. To be compliant, make sure data flows and where data is being stored can be evidenced in the event of an audit.
Communications Security - covers the security of the information being transmitted within the organization's network. To make sure that your organization is being compliant with this domain, the security of communication systems like email and video conferencing needs to be evaluated.
System Acquisition and Maintenance - details how new and existing systems that are introduced into the organization's operations should be managed. To ensure compliance, all systems need to be held to a high information security standard.
Supplier Relationships - covers how the organization should ensure the security of sensitive information/data when working with a third-party supplier. In the event of an audit, contracts with any outside party that has access to this data will be evaluated.
Security Incident Management - this domain encapsulates how an organization should deal with security issues. In the event of an audit, incident response and management will be tested.
Business Continuity Management - covers how business disruptions and major changes should be handled. Auditors may pose a series of hypothetical disruptions to test whether the ISMS covers the next steps.
Compliance - identifies the relevant government or industry regulations that apply to your organization.
How does ISO 27001 solve organizational challenges?
Given the wide range of domains covered by the ISO 27001 standard, the process of getting certified resolves certain key challenges faced by your business:
Your organization isn’t aware of its information assets - A common problem amongst organizations is they fail to recognize what information and data they have stored currently in their systems. ISO 27001 can help to identify the information assets and secure them, which in turn could lead to maximizing their potential market value.
Your organization's information systems may be disorganized or unoptimized - The very purpose of ISO 27001 is to hold your Information Security Management System to a high standard. Organizing information effectively can increase ease of use and help employees operate efficiently; getting your ISMS ISO accredited is one step towards this.
Your organization may be unaware of the risks facing it - There are three types of organizations: those that are aware they have been breached, those that are unaware of a breach in their security, and those that know they have not been breached yet. It is dangerous if your organization falls into the second category; ISO 27001 can empower your organization to identify both known and unknown risks and address them before they cause any damage to your reputation or finances.
Your organization may be losing out on clients and additional revenue - Achieving and maintaining ISO 27001 accreditation for your ISMS can help not only attract clients but reassure your current clients of your commitment towards securing their sensitive information and data. By reassuring your clients you also make sure that your organization doesn’t lose out on additional revenue.
Your organization may be wasting time on repeated audits - Getting ISO 27001 accreditation for your ISMS helps your organization to be globally recognized as secure, which negates the need for your customers to perform their own audits on your organization.
Completing customer security questionnaires - Once you are ISO compliant and/or certified, completing security questionnaires is a lot easier, given that you already have an Information Security Management System in place.
Is your business looking to align systems and processes to achieve the ISO 27001 certification? The team at StickmanCyber can help with ISO 27001 assessment and implementation and get you aligned with the gold standard of information security management.