How ISO 27001 Certification Works: Requirements and Controls

We left off our ISO 27001 series with the completion of a gap analysis. The scoping and gap analysis directs your compliance team to the requirements and controls that need implementation. That’s what we’ll cover in this post.

ICYMI, our first post covered the initial steps of achieving ISO 27001 certification. These include what an ISMS and statement of applicability cover, the scoping of your ISO 27001 systems, and gap analysis. When these steps are complete, you should be able to strategically implement the necessary controls to fill in gaps within your information security posture.

ISO 27001 Requirements

There are 7 clauses (or requirements) listed in ISO 27001 clauses 4 through 10 for establishing, implementing, maintaining, and continually improving the ISMS. These dictate what your ISMS should include being an effective information security policy document.

Clause 4: ISMS Organization and Context

Requirements 4.1-4.4 cover the scoping of your systems and how to design an ISMS.

To complete both tasks effectively, your business will need to communicate why ISO 27001 is needed, the expectations of interested parties (customers, prospects, investors, etc.), and describe the scope that the ISMS should cover.

Clause 5: Commitment and Leadership

Clause 5.1-5.3 is short and to the point, covering leadership’s commitment to information security through an ISMS and the ISO 27001 standard. It defines roles and responsibilities within the organization for security and asks the organization to author an information security policy.

Clause 6: Risk Planning

With only 2 parts, Clause 6 addresses planning for risk management and remediation. This requirement covers the information security risk assessment process and how the objectives of your information security posture may be impacted. This also includes clear documentation and risk treatment instructions and determining if your infosec program functions properly.

Clause 7: Communication and Resources

ISO 27001 requires a formal allocation of resources to the establishment, implementation, and demonstration of the ISMS, which is covered in clause 7. The resources must be competent, aware of their responsibilities, must communicate internally and externally about ISMS, and clearly document information to demonstrate compliance.

Clause 8: Operational Risk Assessment and Remediation

Clause 8 asks the organization to place regular assessments and evaluations of operational controls. These are a key part of demonstrating compliance and implementing risk remediation processes.

Clause 9: Monitoring and Evaluation

Clause 9 defines how a business should monitor the ISMS controls and overall compliance. It asks the organization to identify which objectives and controls should be monitored, how often, who is responsible for the monitoring, and how that information will be used. More specifically, this clause includes guidance for conducting internal audits over the ISMS.

This clause also includes a requirement for management to review the monitoring at specific intervals to ensure the ISMS continues to operate effectively based on the business’ growth.

Clause 10: Continual Improvement

Controls and requirements supporting the ISMS should be routinely tested and evaluated; in the instance of nonconformity, the organization is required to execute corrective action.

This is key to any information security regulation, but ISO 27001 lays it out in the final requirements. The standard built continual improvement directly into it, which can be performed at least annually after each internal audit.

ISO 27001 Annex A

To support the requirements of ISO 27001, the standard includes controls listed in Annex A. These controls cover technical operations of the business, and practices to secure information, people, and processes.

Because ISO 27001 is a prescriptive standard, ISO 27002 provides a framework for implementing Annex A controls. Compliance experts and auditors use this to determine if the controls have been applied correctly and are currently functioning at the time of the audit.

While the requirements define your ISMS, the controls in Annex A underpin the requirements with security and operational practices. ISO 27001 lists 114 controls, which largely deal with physical, technical, legal, and organizational security.

Below is a fairly comprehensive list of ISO 27001 controls.

A5: Information Security Policy

1 control

The first directive of ISO 27001 is to provide management with direction and support for information security in accordance with business requirements and relevant laws and regulations.

A9: Access Control

14 controls

This section addresses access control in relation to users, business needs, and systems. The ISO 27001 framework asks that businesses limit access to information and prevent unauthorized access through a series of controls.

A8: Asset Management

10 controls

Asset Management defines responsibilities, classification, and handling of organizational assets to ensure protection and prevent unauthorized disclosure or modifications. It’s largely up to your organization to define which assets are within the scope of this requirement.

A15: Supplier Relationships

5 controls

This requirement section covers the protection of assets and information accessible to suppliers during operations and delivery.

With 5 associated controls, organizations will need to address security within supplier agreements, monitor and review supplier services regularly, and manage taking changes to the provisions of services by suppliers to mitigate risk.

A14: Acquisition, Development, and Maintenance of Systems

13 controls

ISO 27001 asks businesses to build security into the infrastructure of information systems. This includes requirements for information systems across the entire lifecycle, including design, testing, implementation, and analysis.

A7: HR Security

6 controls

All Human Resource related security is defined under section A7 of ISO 27001.

It’s broken into a few different categories; before, during, and termination or change of employment. Most of these requirements are logical, including prospective employee screening, communicating the terms and conditions of employment, disciplinary processes, and information and security awareness training.

A10: Cryptography

2 controls

The cryptographic requirement asks businesses to ensure proper protection of confidential information through translating data into a protected code that is only usable by someone who has a decryption key. Your company will need to ensure that data is stored and transmitted in an encrypted format to reduce the probability of data compromise in the event that the data is lost or stolen.

A11: Environmental and Physical Security

15 controls

This requirement prevents unauthorized access, damage, and interference to information and processing facilities. It addresses secure areas and equipment belonging to the organization.

A12: Operations Security

14 controls

The Operations Security requirement of ISO 27001 deals with securing the breadth of operations that a COO would typically face. From documentation of procedures and event logging to protecting against malware and the management of technical vulnerabilities, you’ve got a lot to tackle here.

A13: Communication Security

7 controls

The Communication Security requirement outlines network security management and information transfer. These requirements ensure the protection of information in networks and maintain information security when transferring information internally or externally.

A16: Incident Management

7 controls

In the case of a snafu, the framework requires your team to prepare a plan to ensure the consistent and effective management of the problem. This includes a communication plan on security events and weaknesses.

A17: Business Continuity

3 controls

ISO 27001 requires businesses to embed information security into the organization’s business continuity management system and ensure the availability of information processing facilities. You’ll need to plan, implement, verify, and review the continuity plan.

A18: Compliance

8 controls

Finally, compliance with legal and contractual requirements of ISO 27001. This requirement asks businesses to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. Further, it requires that the business adheres to the policies and procedures laid out in the above requirements. Basically, follow your own rules.

How to Implement ISO 27001 Requirements and Controls

Whew. ISO 27001 prescribes a plethora of controls and requirements. The implementation process can be laborious, but it is far less guesswork than similar frameworks, like SOC 2.

Each requirement or control has a practical application and a clear path to implementation, e.g. establishing the HR onboarding process or ensuring employees install antivirus software on their work devices.

Tips from the Experts

Our compliance experts recommend starting with defining the ISMS scope and policies to support effective information security guidelines. Once this is established, it will be easier to digest the technical and operational controls to satisfy the ISO 27001 requirements and Annex A controls.

After you feel that your policies and controls have been defined, performing an internal audit will provide management a clear picture as to whether your organization is ready for certification.

Next up, we’ll cover how to tackle an internal ISO 27001 audit and readiness assessment. Stay tuned for our next post.