ISO 27001:2022 Guide



By Scott Dawson, Co-Founder and President, Core Business Solutions

Welcome! This guide is designed to give you a high-level overview of the ISO 27001 standard and to briefly explain how Core Business Solutions can help you achieve ISO 27001 certification. Only about 37% of ISO 27001 concerns the IT or technical side of the standard; the remaining 63% covers the people and business side. In other words, people and the establishment of security policies and procedures are an integral part of running a secure Information Security Management System (ISMS), not an afterthought to the technology.

AN INTRODUCTION TO ISO 27001

What is ISO 27001?

ISO 27001 is a robust information security management system (ISMS) standard applicable to any business in any sector. It addresses the people, processes, and technologies that handle protected information.

Annex A of ISO 27001 provides a reference set of security controls, grouped into control areas, that an organization selects from when treating its risks. Together they mitigate threats to the Confidentiality, Integrity, and Availability of information that matter to business security and continuity.

Who Issues the Certificate?

ISO 27001 certificates are issued by a third-party registrar (certification body) after an extensive audit of a company's ISMS. During the audit, the registrar evaluates conformity with the standard's requirements. Certification runs on a three-year cycle: surveillance audits are conducted annually to maintain certification, followed by a full recertification audit in the third year.

Who Wrote it & Why? The ISO/IEC 27001:2022 standard was developed by the ISO/IEC joint technical committee JTC 1, through its subcommittee SC 27. JTC 1 is the standards development group where experts come together to develop worldwide Information and Communication Technology (ICT) standards for business and consumer applications. The current edition, ISO/IEC 27001:2022, was published in October 2022. Cybersecurity management is a crucial part of any organization; without it, your organization risks lost revenue and customer trust. ISO 27001 has been developed to integrate easily with your existing management systems and is suitable for an organization of any size.

What Requirements are Included? ISO 27001 requirements follow the same harmonized structure (Annex SL) used by ISO 9001 and other ISO management system standards, and are organized into clauses 4 to 10:

• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement

Together, these requirements make up the Information Security Management System (ISMS) described in company documentation, which includes the ISMS manual, procedures, policies, records, and other information used for day-to-day operational security. Risk assessment and risk treatment are the central tenet of the ISO 27001 standard: the controls you implement are the ones your risk treatment plan and Statement of Applicability call for, and their purpose is to ensure the Confidentiality, Integrity and Availability of information.

WHAT ARE THE BENEFITS?

• Reduced Risk
• Improved Customer Trust
• Improved Availability of Information
• Improved Security of Information
• Improved Confidentiality of Information
• Creation of a Systematic Approach to Security
• Involvement of All Employees in Ensuring the Effectiveness of Your Information Security Management System
• Greater Management Visibility and Risk Management

WHAT HAS CHANGED IN ISO 27001?

The previous version of ISO 27001 was released in 2013. But the world has changed since then. Information security threats have grown more complex, and our methods for preventing them need to match. In February 2022, ISO 27002 (the source of ISO 27001's security controls) received its 2022 revision, and ISO 27001 was updated to match in October 2022. In addition to the security control changes, there are a few additional requirements and management review topics.

ISO 27001:2013 contained 114 security controls. The new version contains 93. Some of the previous controls have been removed, others have been merged, and others are completely new, designed to help organizations like yours face the changing world of security threats. The 11 newly added security controls are:

• Threat intelligence
• Information security for the use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

ISO 27001:2022 organizes its controls into four control groups. A note of clarification before we dive deeper: these control groups take their numbering from the ISO 27002 standard, where they are clauses 5 to 8. So don't worry, you're not missing groups 1 to 4; it's just a quirk of the numbering system.

THE CONTROL GROUPS ARE ORGANIZED AS FOLLOWS:

5. Organizational Controls

This group, the largest of the four, contains 37 controls. These controls deal with your organization and its processes. Among them, you will find controls such as the return of assets.

• Information security policies
• Information security for use of cloud services
• Acceptable use of information and other associated assets

6. People Controls

This group contains 8 controls dealing with the people in your organization and the way they interact with your information. It includes controls such as information security awareness training.

• Remote working
• Confidentiality or non-disclosure agreements
• Screening

7. Physical Controls

This group contains 14 controls addressing the physical aspects of information security, such as facility access and printed information. It features controls such as the clear desk and clear screen policy.

• Physical security monitoring
• Equipment maintenance
• Storage media
• Physical security of facilities

8. Technological Controls

This group contains 34 controls, and it requires more technical expertise than the other groups. It deals with the cybersecurity aspect of information security, and it contains controls such as protection against malware.

• Secure authentication
• Data leakage prevention
• Use of cryptography

Remember: not every organization needs to implement every control. You choose the controls that apply to you based on your risk treatment. Your Statement of Applicability must list every Annex A control, state whether it is applied, and give the justification for each inclusion and exclusion; if you believe a control does not apply to you, that is where you explain your reasoning, and the auditor will expect the justification to match your risk assessment.

Keep in mind: because of all this renumbering and reorganization, you will likely need to update the labeling of your documents (policies, procedures, and the Statement of Applicability) even if the actual security controls you employ have not changed. In addition to these changes, there are a few minor changes to some clauses to align the standard with Annex SL (the harmonized structure for ISO management system standards).

ISO 27001:2022 TRANSITION TIMELINE

As of October 25, 2022, companies can begin certifying to the updated standard. But if you are still following ISO 27001:2013, or you are in the process of certifying to ISO 27001:2013, don't panic; you have a bit more time. Under the original transition rules you could still certify to ISO 27001:2013 for one more year, until October 31, 2023 (Happy Halloween!), a window the IAF later extended to April 30, 2024 for initial and recertification audits. But pay attention, because some registrars might stop certifying organizations to the 2013 version before the cutoff. If that is the case, you may need to switch registrars or transition sooner. The true hard deadline comes three years after publication, on October 31, 2025. At that point all ISO 27001:2013 certificates expire or are withdrawn, so everyone certified to ISO 27001:2013 must have transitioned to ISO 27001:2022 by then, and no new ISO 27001:2013 certifications will be offered.

WHAT ISO 27001:2022 MEANS FOR YOU

Everyone certified to ISO 27001 will face some extra work over the next few years–even if that just means re-labeling your documents and controls. But depending on the scope of your ISMS, you might have up to 11 new controls to implement. Don’t assume this will be a quick and easy project. It’s best to begin now. That way, you won’t be caught off guard by the upcoming changes, and you’ll have plenty of time to figure out the new technical controls. Plus, these new controls will help your business. Cybersecurity threats are real, and they can bring down an organization overnight. The updated ISO 27001 standard can help protect your information from today’s threats.

CLAUSES OF THE ISO 27001 STANDARD

Clauses 1 to 3 (Scope, Normative references, and Terms and definitions) are not auditable requirements; they provide supporting information such as the overall purpose of the standard, the other documents or standards it references, and the terms and definitions that apply. We will dive right into the clauses of the standard that are auditable, that is, those the auditor will expect to see addressed.

Clause 4 Context of the Organization Every company is influenced by both internal and external factors, and by the needs and expectations of interested parties such as customers, regulators and suppliers. How the ISO 27001 standard applies to each business is based on the context of that specific organization, which is also where you define the scope of the ISMS. That context determines exactly how the ISMS should be developed and implemented so that it reduces risk to the Confidentiality, Integrity and Availability of the organization's data.

Clause 5 Leadership This section of the standard is all about management responsibility as it relates to the information security management system (ISMS). Management commitment to the ISMS is a key foundation of the standard, and a variety of mechanisms are used to demonstrate it. The organization is required to publish an information security policy that establishes management's vision and its commitment to information security. This section also addresses organizational roles, responsibilities, and authorities. Management reviews must be conducted at planned intervals; in practice this means at least annually.

Clause 6 Planning This clause addresses the actions needed to address the risks and opportunities facing the organization. A set of information security objectives is developed, along with a plan to achieve them. Risk assessment and risk treatment, including the Statement of Applicability and the risk treatment plan, are addressed in this clause, and the 2022 edition adds a requirement that changes to the ISMS be carried out in a planned manner.

Things to Remember: • All actions should be proportionate to the risk they address and the impact that risk may have on the confidentiality, integrity and availability of information. • All planning should be results-driven. • Planning is handled by managers and process owners on an ongoing basis. • Details of all actions, including tasks to be completed, needed resources, risks, responsibilities, dates for completion, and evaluation of effectiveness must be documented.

Clause 7 Support In this section the organization determines and provides the resources needed for the establishment, implementation, maintenance, and continual improvement of the information security management system. This section addresses resources, competence, employee awareness, communication, and documented information. Appropriate training of all employees on the ISMS is crucial to success, and the control of documented information (creation, approval, updating, and retention) is an auditable element as well.

Clause 8 Operation Clause 8 requires the organization to plan, implement, and control the processes needed to meet its information security requirements and to carry out the actions determined in Clause 6 (planning, risk assessment, and risk treatment). The organization needs to establish criteria for these processes and control them in accordance with those criteria, and to implement its plans for achieving the information security objectives. Documented information needs to be available to demonstrate that the processes have been carried out as planned. The organization also needs to control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary. Externally provided processes, products and services relevant to the ISMS must be identified and controlled. Risk assessments are performed at planned intervals and whenever significant changes occur, and the risk treatment plan is implemented and its results retained as documented information.

Clause 9 Performance Evaluation The organization needs to evaluate its information security performance and the effectiveness of the information security management system, which includes deciding what needs to be monitored and measured, by what methods, by whom, and when. The organization needs to evaluate and analyze security performance on a regular basis. Conducting internal audits at planned intervals and holding management reviews are both part of this process of performance evaluation.

Clause 10 Improvement In this section, the organization needs to address any nonconformities, take corrective action, and review the effectiveness of that action. The nonconformities, the actions taken, and their results must be documented. The organization is expected to continually improve the suitability, adequacy, and effectiveness of the information security management system.

INFORMATION SECURITY ASSURES INFORMATION ASSETS MAINTAIN THEIR:

CONFIDENTIALITY - Disclosed only to authorized parties

INTEGRITY - Accurate & Complete

AVAILABILITY - Reliable, Timely access for authorized users

An ISMS is necessary for the legitimate use of information and helps prevent the hijacking or illegitimate use of information. Implementing ISO 27001 alongside ISO 9001 is a natural fit, since both follow the same harmonized clause structure.

If you are interested in pursuing ISO 27001 certification, contact Core Business Solutions to talk to a consultant today!

© Core Business Solutions, Inc. Lewisburg, PA 866-354-0300 | [email protected] www.thecoresolution.com
