ISO 27001 Standards; ISO 27001 clauses and controls

An information security management system (ISMS) is a holistic approach to maintain corporate information assets’ availability, integrity, and confidentiality. The International Organization for Standardization (ISO) 27001 consists of controls, procedures, and policies that help preserve information assets by securing technology, processes, and people. Using the principle of risk assessment, ISMS is a technology-neutral, risk-based and efficient approach to keeping an organisation’s information assets safe.

An organisation can build its ISMS using the ISO 27001 standard or an ISO 2700 toolkit, which includes templates, procedures and pre-written policies. The ISO Council can provide all the information you need about the ISO 27001 standard.


ISO 27001 clauses and controls

The clauses of ISO 27001 support the implementation and maintenance of an ISMS. The ISO 27001 standard has ten management system clauses. The first three clauses cover the scope, normative references, and terms and definitions. They introduce the purpose of ISO 27001 certification in Australia and help organisations understand what an ISMS is.

ISO 27001 Clause 4: Context of the organisation

Clause 4 covers the context of the organisation. It addresses the prerequisites for implementing an ISMS successfully by understanding the relevant internal and external issues. Clause 5 sets out the ISO 27001 requirements for adequate leadership. It emphasises the resources needed for a successful ISMS implementation, as well as the people whose support is needed to keep the ISMS effective.

ISO 27001 Clause 6: ISMS environment

Clause 6 helps organisations plan the ISMS. The plan should take risks and opportunities into account by performing an information security risk assessment. Information security objectives are then set based on the findings of the risk assessment.

ISO 27001 Clause 7: Support

Clause 7 focuses on the support needed to achieve the security objectives identified in the previous clause. The key issues supporting the achievement of security objectives include communications, awareness, competence of employees and availability of resources.

ISO 27001 Clause 8: Planning and Control

Clause 8 is where operational planning and control begin. Clause 8.1 guides organisations to begin implementing the security requirements using the controls identified in the ISMS plan. To remain compliant, organisations must document any changes to their information security policies and processes, and the impact of those changes must also be monitored. One of the best ways to demonstrate that the organisation is meeting the requirements of the ISMS is through records.

For example, when the organisation puts a control in place, the monthly review should show evidence such as logs, sign-off sheets or a findings report. The steps of clause 8.1 also give organisations tips on documentation. For more information, we suggest you read about the benefits of ISO 27001.

ISO 27001 Clause 8.2: Information security risk assessment

In clause 8.2, organisations are required to conduct information security risk assessments. Earlier, in clause 6.1.2, the standard asked them to define the steps of the information security risk assessment process. In clause 8.2, the organisation performs the assessment using those pre-defined steps.

The information security risk assessment begins by identifying and cataloguing the organisation's information assets and then identifying the threats and vulnerabilities that affect them.

The internal controls already in place to address these threats and vulnerabilities are then analysed. Taking those controls into account, the likelihood of each incident is determined. The impact of each incident is then assessed so that the information security risks can be ranked by severity. Finally, customised controls are chosen for the newly identified and prioritised risks.

The benefit of this assessment is that it gives the organisation's decision-makers an informed view of its current security posture. As a result, areas of weakness can be identified and strategies for improvement can be implemented.

ISO 27001 Clause 8.3: Treatment plan

In clause 8.3, a risk treatment plan is created and implemented. This clause requires organisations to implement the information security risk treatment plan defined in clause 6.1.3. In the previous steps, the organisation identified its assets, determined the information each asset holds or produces, and prioritised the security threats against them.

Now, in order of priority, each risk is given its own treatment in the form of a customised control. The controls in Annex A of the ISO 27001 standard provide useful guidance here, and organisations can select the controls best suited to their needs.
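The following is an added worked example of the clause 8.2 and 8.3 cycle described above; it is illustrative code, not part of this article or of the ISO 27001 standard. It assumes a simple 1-to-5 likelihood and impact rating multiplied into a score, severity bands of Low (1-5), Medium (6-12) and High (13-25), and a hypothetical risk appetite that maps each band to a treatment option; the risk register it scores is constructed sample data.

```python
"""Score a small risk register, rank risks by severity (clause 8.2) and
derive a treatment option for each (clause 8.3).

Assumptions (not prescribed by ISO 27001): likelihood and impact are rated
1..5 and multiplied; bands are Low 1-5, Medium 6-12, High 13-25; the
risk appetite below (mitigate / transfer / accept) is a hypothetical policy.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), after existing controls
    impact: int                          # 1 (negligible) .. 5 (severe)
    existing_controls: list = field(default_factory=list)


def score(risk: Risk) -> int:
    """Risk score = likelihood x impact; rejects ratings outside 1..5."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5 for asset '{risk.asset}', got {value}")
    return risk.likelihood * risk.impact


def severity(s: int) -> str:
    return "High" if s >= 13 else "Medium" if s >= 6 else "Low"


def treatment(sev: str) -> str:
    # Hypothetical risk appetite: High must be mitigated, Medium mitigated or
    # transferred (e.g. insured), Low may be accepted with a documented decision.
    return {"High": "mitigate", "Medium": "mitigate or transfer", "Low": "accept"}[sev]


def assess(register: list) -> list:
    """Return the register as rows sorted by descending score (the treatment order)."""
    rows = []
    for r in register:
        s = score(r)
        rows.append({"asset": r.asset, "threat": r.threat, "score": s,
                     "severity": severity(s), "treatment": treatment(severity(s))})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (illustrative values only)
SAMPLE_REGISTER = [
    Risk("Customer database", "Ransomware", "Unpatched server", 4, 5, ["backups"]),
    Risk("Laptop fleet", "Theft", "No full-disk encryption", 3, 3, ["asset tags"]),
    Risk("Public website", "Defacement", "Weak admin password", 2, 2, ["WAF"]),
    Risk("HR records", "Insider disclosure", "Excessive access", 2, 4, ["NDA"]),
]
```

Each row of `assess(SAMPLE_REGISTER)` is one entry of the treatment plan, already in the priority order clause 8.3 asks for, and the chosen Annex A control would be recorded against it.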

ISO 27001 Evaluations

ISO 27001 Clause 9.1: Evaluations

ISO 27001 clause 9.1 focuses on monitoring, measuring, analysing and evaluating the controls implemented under clause 8.3. It requires organisations to evaluate how the ISMS is performing by assessing its effectiveness. Organisations must identify which processes and controls need to be monitored, the exact methods of evaluation and when the evaluation takes place. They must also identify the individuals responsible for conducting these assessments and analysing the results.

ISO 27001 Clause 9.2: Internal audit

Clause 9.2 outlines the key considerations for an ISMS internal audit. It has two main requirements: audits must occur at planned intervals, and the auditors selected must be objective and impartial. Generally, the ISMS audit is performed by individuals who were not involved in its implementation or operation.

The ISMS internal audit should be conducted to determine the current status of the system. Organisations must plan audits considering the most crucial aspects of the business.

ISO 27001 Clause 9.3: Management review

Clause 9.3 addresses the organisation's need for a management review. The standard explicitly defines the minimum inputs required for a management review. These include the status of actions from previous management reviews and feedback on information security performance.

Feedback on information security performance can comprise audit results, nonconformities, monitoring and measurement results, corrective actions and documented progress against information security objectives.

The management review should also cover feedback from interested parties, the results of risk assessments and the current status of risk treatment plans. Lastly, there must be a provision to identify opportunities for continual improvement, which is the focus of clause 10.

The objective of the management review is to assess the performance of the ISMS. This is done by considering a number of inputs so that any necessary changes or improvements to the system can be determined. It allows the business to assess the status of its implementation while identifying opportunities for growth.

ISO 27001 Annex A: 114 information security controls

Additionally, Annex A provides a list of 114 information security controls. The 114 controls are grouped into 14 categories:

  • information security policies
  • organisation of information security
  • human resource security
  • asset management
  • access control
  • cryptography
  • physical and environmental security
  • operations security
  • communications security
  • system acquisition, development and maintenance
  • supplier relationships
  • information security incident management
  • information security aspects of business continuity management
  • compliance

If you need more information about ISO 27001 standards, contact ISO Council’s professional consultants.

Copyright © 2022 The ISO Council | Privacy Policy