Information security with a system
How does ISO 27001 Work?
Most organizations have some information security controls in place. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.
Security controls in operation typically address certain aspects of information technology (IT) or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.
Moreover, business continuity management and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that the management to:
- systematically evaluate the organization’s information security risks, taking into account the threats, vulnerabilities, and impacts;
- establish and implement a comprehensive suite of information security controls and risk treatment (such as risk avoidance, reduction, or transfer) to address those risks that are deemed unacceptable; and
- adopt a management process to ensure that the information security controls and residual risks meet the organization’s information security needs on a continuous basis.
Demonstrable data and information security
Security as part of the corporate culture
Effective implementation of a risk management process
Continuous improvement of your security level
What is ISO 27001?
Information surrounds us everywhere and is part of every process. Sometimes it may be inconsequential, but all too often it is critical and confidential. In order to make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an Information Security Management System (ISMS) according to ISO/IEC 27001 are based on this classification.
An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. In this context, ISO 27001 certification sends a strong signal to the market: namely, independent external evaluation and confirmation of the effectiveness of your ISMS.
With EN ISO/IEC 27001:2017-06, a version coordinated by the European Committee for Standardization (CEN) has been published. It combines the two corrections (corrigenda) Cor 1:2014 and Cor 2:2015. The changes associated with the correction only include an improved description of the associated requirements, but no new, additional requirements. Certificates according to the ISO/IEC 27001:2013 version thus retain their validity.
How to use ISO 27001:2013?
This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.
Certification to ISO 27001:2013 ISMS
Certification to ISO/IEC 27001 is adopted by more and more organizations in order to benefit from the best practice it contains to reassure customers and clients that its recommendations have been followed.
The official title of the ISO 27001 standard is “Information technology — Security techniques — Information security management systems — Requirements”
ISO/IEC 27001:2013 has ten clauses and an annex, including:
- Scope of the standard
- How the document is referenced
- Reuse of the terms and definitions in ISO/IEC 27000
- Organizational context and stakeholders
- Information security leadership and high-level support for policy
- Planning an information security management system; risk assessment; risk treatment
- Supporting an information security management system
- Making an information security management system operational
- Reviewing the system’s performance
- Corrective action
- Annex A: List of controls and their objectives
Who is a certification to ISO 27001 suitable for?
In Germany, for example, companies that belong to a Critical Infrastructure Sector (KRITIS) and exceed a threshold must provide evidence of how they ensure their information security. KRITIS sectors include energy, water, health, finance and insurance, food, transport and traffic, information technology and telecommunications. Corresponding proof of implementation can be provided by security audits, tests or certifications. For this purpose, either recognized standards such as ISO 27001 or, alternatively, industry-specific security standards recognized by the German Federal Office for Information Security (BSI) can be used as the basis for auditing.
What makes the ISO 27001 standard useful for my company?
Particularly valuable for practice is the implementation of the measures in Annex A of the standard. In addition to the management system-oriented requirements section (chapters 4 to 10), the ISO standard contains an extensive list of 35 measure targets (controls) with 114 concrete measures for a wide variety of safety aspects across 14 chapters in Annex A. The measures must be implemented within the framework of the management system. These measures must be implemented as part of the management system, insofar as they are relevant to your company.
The consistent alignment of company processes with ISO 27001 has been proven to lead to a number of benefits:
- Continuous improvement of the security level
- Reduction of existing risks
- Adherence to compliance requirements
- Greater awareness among employees
- Increased customer satisfaction
Internal audits and management reviews with the participation of top management are the internal levers for achieving this.
Other positive aspects are that interested parties such as supervisory authorities, insurance companies, banks, partner companies build up a higher level of trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and subscribes to continuous improvement (CIP), making it more resistant to unwanted influences.
The international standard ISO/IEC 27001 can also be implemented, operated and certified independently of other management systems such as ISO 9001 (quality management) or ISO 14001 (environmental management).
Who is allowed to carry out certification according to ISO 27001?
In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with in order to certify an ISMS according to ISO 27001.
- Evidence of specified audit effort
- Requirements for the qualification of auditors.
DQS is accredited by the national German accreditation body DakkS (Deutsche Akkreditierungsstelle GmbH) and therefore authorized to perform audits and certifications according to ISO 27001.
Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They have many years of experience in the assessment of information security management systems in various industries.
Relation with ISO 27701:2019 for Privacy Information Management
ISO 27701:2019 is an extension to ISO 27001 and ISO 27002 for privacy information management.
If personal data management is important to your business, you may consider to go for ISO 27701 PIMS certification together with ISO 27001:2013 ISMS certification, to address the significant risks and challenges from a large number of privacy information related regulations, like GDPR of EU, CPRA of USA, PDPO of HK, and PIPL of Mainland China.
ISO 27001 vs ISO 27002
ISO 27002 was updated on Feb 15, 2022. The number of information security controls decrease from 114 controls to 93 controls, covered in 4 sections instead of 14 sections in former version.
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
No controls in the previous version were excluded in ISO 27002:2022, but some of them are were merged.
- Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security
were merged into 5.1 Policies for information security.
- Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas
were merged into 7.2 Physical entry.
The ISO 27002:2022 introduced 11 new controls:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Two Annex are introduced to ISO 27002:2022:
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
Impact to ISO 27001 from ISO 27002:2022
An amendment to ISO 27001:2013 (referred to as ISO 27001:2013+A1:2022) is in progress, which is expected to release in 2022.
- The changes to ISO 27002:2022 will be reflected in Annex A of ISO 27001.
- The main part of ISO 27001 (i.e. Clauses 4 to 10) will remain no change.
- Number of controls decrease from 114 to 93.
- Controls are categorized into 4 sections instead of previous 14.
- There are 11 new controls, while none of the controls was deleted, and some controls were merged.
Relations Between GDPR and ISO 27001 ISMS
Introduction to GDPR
The General Data Protection Regulation (GDPR), EU’s new regulation for data protection will become effective from 25 May 2018. The GDPR applies to the handling of personal identification information of EU citizens. It not only applies to the organizations in EU, but also to the organizations, out of EU, processing and keeping above mentioned personal data.
The local organizations shall have a full and serious review on its practice in the handling of personal data in its business operation. Significant changes may be necessary to the operation related to personal data, from collection, storage, identification, analysis, usage, transferring, etc.
Depending on the impact and its due diligence, the offending organization to GDPR may be subject to a fine up to the higher amount of EUR 20,000,000 and 4% of its annual global revenue.
Key Terms in GDPR:
- Personal data: “Any information that relates to an identified or identifiable living individual.”
- Data controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
- Data processor: “An entity which processes personal data on behalf of the controller.”
Key Requirements of GDPR
As compared to Directive 95/46/EC, the requirements are enhanced. The key points include, but are not limited to:
- Territorial scope: Not limited to organizations within EU.
- Purpose limitation: Collected for specified, explicit and legitimate purpose.
- Data minimization: Adequate, relevant and limited to what is necessary in relation to the purpose.
- Accuracy: Accurate and, where necessary, kept up to date.
- Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary.
- Integrity and confidentiality: Processes in a manner to ensure security.
- Conditions for consent: Organizations must request permission using easy-to-understand terms. Assuming consent or requiring users to opt out is not allowed.
- Right to access: Increased transparency by requiring controllers to provide data subjects with confirmation of data processing.
- Right to be forgotten: Data subjects can request controllers to erase their personal data and stop distributing the data.
- Automated processing: Data subject have right not to be subject to a decision solely on automated processing.
- Data portability: Data subjects have right to receive their data upon request and to transfer that data to another controller.
- Data protection officers: Some organizations, such as those with a primary purpose for processing personal data or sensitive information, shall appoint Data Protection Officer(s) — an employee or a third party.
- Data breach notification: Within 72 hours after a data breach, the controller shall notify supervisory authorities and data subjects affected, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Data processors shall also inform the controllers for a known data breach.
- Parental consent: Processing the personal data of children under age of 16 for online services shall obtain parental consent. Member states can designate a lower required age (down to 13) for consent.
- Special categories of data: Some types of data have more stringent requirements for consent, such as the data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
- Third countries: Specific rules for transferring data to third countries or international organizations.
- Due diligence: Establish technical and organizational measures to demonstrate compliance to GDPR.
- Subcontractor Control: Data Controllers shall ensure Data Processors have ability to fulfil the requirements of GDPR.
- Certification: Voluntary data protection certification to show compliance to this regulation.
How does ISO 27001 certification work?
Once all requirements of ISO 27001 have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS. If a certified management system is already established in the company, the process can be shortened.
In the first step, you discuss your company and the goals of ISO 27001 certification with us. On this basis, you will receive a detailed offer tailored to the individual needs of your company.
A project planning meeting can be useful for larger projects, for example, in order to better coordinate schedules and the performance of audits with multiple locations or divisions. The pre-audit offers you an opportunity to identify the strengths and potential for improvement of your management system in advance. Both services are optional.
The certification audit starts with the system analysis and evaluation of your ISMS (audit stage 1). Here, your auditor determines whether your management system is sufficiently developed and ready for certification. In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes on site, applying the ISO 27001 standard. The audit result is presented at a final meeting. If necessary, action plans are agreed upon.
After the certification audit, the results are evaluated by the independent certification board of DQS. If all standard requirements are met, you will receive the ISO 27001 certificate.
After successful certification, key components of your ISMS are re-audited on site at least once a year to ensure continuous improvement.
The ISO 27001 certificate is valid for a maximum of three years. Recertification is performed in good time before expiry to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.
What does ISO 27001 certification cost?
The costs for certification according to ISO 27001 are established according to the following four criteria, among others:
1. The complexity of your information security management system.
The critical values (for example patents, personal data, facilities, processes) of your company are taken into account. The cost of certification is based primarily on the information security requirements and the extent to which confidentiality, integrity and availability (VIV) of information are affected.
2. The core business of your company within the scope of the ISMS
At this point, the risks associated with your business processes in particular play an important role in determining the necessary audit effort. Legal requirements are taken into account as well as complex, individual customer requirements.
3. The main technologies and components used in your ISMS
During the audit, the technology as well as the individual components of your ISMS are examined. These include IT platforms, servers, databases, applications as well as network segments. The basic rule here is: The higher the proportion of standard systems and the lower the complexity of your IT, the lower the effort. The costs of an ISO 27001 certification also depend on this.
4 The proportion of in-house developments in your ISMS
If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of self-developed software and if this software is used for central business areas, the effort for certification will be higher.
In order for us to be able to give you an overview of the costs for an ISMS certification, we need precise information about your business model and the area of application in advance. This way we can provide you with a tailor-made offer.