ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks.
The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
Structure of the Standard
ISO/IEC 27001:2013 has the following sections:
- 1 Introduction - the standard describes a process for systematically managing information risks.
- 2 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
- 3 Normative References - only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.
- 4 Context of the Organization - understanding the organizational context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” the ISMS.
- 5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
- 6 Planning - outlines the process to identify, analyze and plan to treat information risks, and clarify the objectives of information security.
- 7 Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- 8 Operation - a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- 9 Performance Evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
- 10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
ISMS scope, and Statement of Applicability (SoA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information risks in an appropriate and systematically-managed manner, organizations can scope their ISMS as broadly or as narrowly as they wish - indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification.
Although the “Statement of Applicability” (SoA) is not explicitly defined, it is a mandatory requirement of section 6.1.3. SoA refers to the output from the information risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other, showing how the risks are to be treated in the body, and perhaps who is accountable for them. It usually references the relevant controls from ISO/IEC 27002 but the organization may use a completely different framework such as NIST SP800-53, the ISF standard, BMIS and/or COBIT or a custom approach. The information security control objectives and controls from ISO/IEC 27002 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’: they are not required.
The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only includes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.
In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organization’s ISMS and information security controls. Section 9, “Performance evaluation”, requires the organization to determine and implement suitable security metrics ... but gives only high-level requirements.
ISO/IEC 27004 offers advice on what and how to measure in order to satisfy the requirement - an approach not dissimilar to that described in PRAGMATIC Security Metrics.
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are (quite rightly!) concerned about the security of their information, and about information security throughout the supply chain or network.
Certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9000-series certificate says more than just “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires senior management approval (which is an advantage in security awareness terms, at least!).
The certificate has marketing potential and demonstrates that the organization takes information security management seriously. However, as noted above, the assurance value of the certificate is highly dependent on the ISMS scope and SoA - in other words, don’t put too much faith in an organization’s ISO/IEC 27001 compliance certificate if you are highly dependent on its information security. In just the same way that certified PCI-DSS compliance does not mean “We guarantee to secure credit card data and other personal information”, certified ISO/IEC 27001 compliance is a positive sign but not a cast-iron guarantee about an organization’s information security. It says “We have a compliant ISMS in place”, not “We are secure”. That’s an important distinction.