ISO/IEC 27001 is a well-respected and often cited standard that has influenced numerous other information security standards, including the US Federal Government’s FISMA program, the industrial control system security management standard ISA-99, the commonly used models of PKI governance based on RFC 3647, and various other examples. There are two significant revisions of ISO/IEC 27001, dating from 2005 and 2013, and each version of the standard is nearly self-contained, making normative reference to a single other document (ISO/IEC 17799:2005 and ISO/IEC 27002:2013 in the 2005 and 2013 revisions respectively), with a couple of other documents referenced for further information but not mandatory for understanding the standard.
The purpose of this post is to explain what ISO/IEC 27001 is, and how the two revisions differ, with some discussion of the purpose and scope of ISO 27001 audits.
ISO/IEC 27001 Overview
ISO/IEC 27001 (herein called “the Standard”) defines an information security management system (or ISMS), a term worth decomposing to fully understand. The Standard defines a management system as the “organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.” This broad scope affects many aspects of an organization, and applying a management system to an existing organization requires significant effort. With this understanding of management system, the ISMS is the component of an organization’s overall management system with the purpose “to establish, implement, operate, monitor, review, maintain and improve information security."
To claim conformity with the Standard, an organization must comply with all requirements specified in clauses 4 through 8, which define general requirements for establishing, managing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS, as well as requirements for internal audits, management review, and continual improvement. The Standard specifies a number of documentation requirements as well, including the overall ISMS policy, the procedures and controls that implement that policy, a risk assessment methodology and report, a Statement of Applicability (see below), and procedures for planning, operating and controlling information security processes and for measuring their effectiveness. The Standard also requires records of these processes in order to provide evidence of conformity to the requirements.
Annex A of the Standard defines a list of security controls that may be used to achieve various common information security objectives. During the establishment of the ISMS, the organization defines an ISMS policy and risk assessment, and determines a risk treatment plan based on selected control objectives and security controls selected from Annex A. The organization describes their selection of security controls and the rationale for that selection in a Statement of Applicability, which is a document that must be maintained in order to reflect the current state of the ISMS.
It is important to recall that the Standard pertains to management systems, which cover a broad range of organizational assets and activities. Conformance to the Standard is achieved from the top down – planning and policy development requirements are imposed on “top management”, who must demonstrate leadership and commitment to the correct implementation of the information security management system, and establish an information security policy. The organization is required to develop an information security risk assessment that leads to a risk treatment, and the risk treatment plan then informs the selection and design of security controls that satisfy the objectives.
Differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013
The overall objectives of the Standard remain unchanged in the more recent revision, but the overall approach has been reorganized and the list of controls modified. The 2013 revision has the following structural changes to the primary content:
In addition to the main content, Annex A is changed in a number of ways. The 2005 version based the identification of security controls on ISO/IEC 17799:2005, but the new revision references ISO/IEC 27002:2013. This is important to note because:
The ISO/IEC JTC 1/SC 27 group that maintains the standards has created a document that maps the 2005 and 2013 revisions of ISO/IEC 27001 and ISO/IEC 27002. This will be helpful for organizations during the activities of modifying their information security management systems to maintain conformance with the standard, and updating security policies and other documents to reference the 2013 version of the security controls.
The International Accreditation Forum (IAF) oversees all national ISO 27001 certification programs, and they determined at their General Assembly meeting on 2013-10-24 that the deadline for conformance with ISO/IEC 27001:2013 will be two years from publication, or 2015-10-01.
ISO 27001 Audits
It is important to understand what an ISO 27001 audit is and is not. Because most people do not have access to the standard itself, it is difficult to understand the full scope, but organizations are required to establish audit programs to verify the organization’s conformance to the requirements of the Standard as well as to the requirements developed for their ISMS. At Electrosoft we have encountered organizations performing “ISO 27001 audits” that only verify the latter portion – the scope of their audit is to test the organization’s implementation of the security controls, without regard to conformance to the Standard itself. However, the value of such an audit is minimal at best – generally the security controls that the audit is performed against are simply a description of the current implementation of the system, rather than being developed from a meaningful risk treatment plan as required by the Standard. The resulting audit may demonstrate that the ISMS is following intended practices, but it does not demonstrate that those practices will mitigate the actual risks to the organization. Such an audit does not conform to the requirements of the Standard, should not be referred to as an ISO 27001 audit, and does not demonstrate that the organization has a functioning information security management system.
It is therefore important to understand that a correctly performed ISO 27001 audit will cover conformance of the enterprise’s information security management system, which is integrated with the organization’s processes and overall management structure. This will require review of the responsibilities of management and support staff, the creation and communication of organizational policies, risk treatment and other planning activities, the suitability and control of documented information, and internal performance evaluation such as monitoring, internal audits and management reviews.
Please feel free to add comments and discuss.