Yes! There is a lot of buzz in information security. Questions like 'Is our company secure in terms of information security?', 'How can we check?', 'Is there a checklist?' and 'What are the information security criteria?' come up constantly. The answer to all of them starts with the basics of ISO 27001 certification.

What is ISO 27001 Certification?

ISO 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS). An ISMS is the framework of policies, practices and procedures through which an organization manages its information security risk, including the physical, technical and administrative controls it needs to meet regulatory requirements. Controls can be classified into three types, each with a department that is usually responsible for them:

Control type              Department responsible            Examples
Physical controls         Admin or facility manager         Locks, alarm systems, video surveillance
Technical (digital)       IT support or IT manager          Firewalls, access control lists, encryption, logging and monitoring
Administrative controls   Human resources or management     Policies, NDAs, background verification, security awareness training

What are the simple steps to implement IT security? Is there an ISO 27001 ISMS checklist?

Yes, there are a number of ISMS checklists which you can download for reference. Also, you can reach out to our CertPro professionals for such ISMS checklists.

Based on our research into what top companies generally practise, we have simplified the standard's requirements into the 7 steps given below:

Step 1: Identify the key areas of the organization.

Step 2: Classify information simply as confidential, internal, and public.

Step 3: Define who may access each class of information and identify the risks involved.

Step 4: Invest your resources on securing the most valuable assets and confidential information by selecting the right controls.

Step 5: Monitor the controls implemented.

Step 6: Define your backups and recovery procedures as part of a Business Continuity Plan.

Step 7: Conduct repeated internal audits to refine the process.
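Steps 2, 3 and 5 above are easy to describe and easy to get wrong in practice. The following is an added example, not code from the CertPro article: it enforces the three classification levels from Step 2, the access rule from Step 3 (a person may access an asset only if their clearance is at or above the asset's level) and writes every decision to an audit trail that Step 5 monitoring can query. The role and asset names, the audit-log format and the "fail closed" rule that treats unlabelled data as confidential are assumptions made for this example.

```python
# Added example, not from the CertPro article: a minimal enforcement of
# Step 2 (three classification levels) and Step 3 (access defined per
# level), with an audit trail that Step 5 monitoring can query.
# The level names follow the article; the role and asset names, the
# "fail closed" rule for unlabelled data and the audit-log format are
# assumptions made for this example.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Ordered classification levels; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


def classify(label: str) -> Level:
    """Map a free-text label to a Level.

    Unknown or missing labels fail closed to CONFIDENTIAL (assumption):
    data that nobody bothered to label must not silently become public.
    """
    normalised = (label or "").strip().upper()
    try:
        return Level[normalised]
    except KeyError:
        return Level.CONFIDENTIAL


@dataclass
class Asset:
    name: str
    level: Level


@dataclass
class Principal:
    name: str
    clearance: Level  # highest level this principal may access


@dataclass
class AuditLog:
    """Constructed in-memory log; a real ISMS would ship this to a SIEM."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, who: str, asset: str, action: str, decision: str) -> None:
        self.entries.append(
            {"who": who, "asset": asset, "action": action, "decision": decision}
        )


def check_access(p: Principal, a: Asset, action: str, log: AuditLog) -> bool:
    """Allow only if the principal's clearance dominates the asset's level.

    Every decision, allowed or denied, is logged so that Step 5 can
    monitor the control rather than trust that it exists.
    """
    allowed = p.clearance >= a.level
    log.record(p.name, a.name, action, "allow" if allowed else "deny")
    return allowed


def denials_by_principal(log: AuditLog) -> Dict[str, int]:
    """Monitoring query: count denied attempts per principal."""
    counts: Dict[str, int] = {}
    for e in log.entries:
        if e["decision"] == "deny":
            counts[e["who"]] = counts.get(e["who"], 0) + 1
    return counts


def demo() -> Dict[str, int]:
    """Run a constructed scenario and return the denial summary."""
    log = AuditLog()
    payroll = Asset("payroll.xlsx", classify("confidential"))
    handbook = Asset("handbook.pdf", classify("internal"))
    unlabelled = Asset("export.csv", classify(""))  # fails closed to CONFIDENTIAL
    contractor = Principal("contractor", Level.PUBLIC)
    staff = Principal("staff", Level.INTERNAL)
    hr_lead = Principal("hr_lead", Level.CONFIDENTIAL)
    check_access(hr_lead, payroll, "read", log)      # allow
    check_access(staff, payroll, "read", log)        # deny
    check_access(staff, handbook, "read", log)       # allow
    check_access(contractor, handbook, "read", log)  # deny
    check_access(staff, unlabelled, "read", log)     # deny: unlabelled data is confidential
    return denials_by_principal(log)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the fail-closed default in classify(): an ISMS that classifies data "confidential, internal and public" will always have some data that carries no label, and the access rule has to decide what that means. Treating it as confidential means a missing label can only cause a denial that shows up in the monitoring summary, never a leak.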

What are the areas of control for ISO 27001 ISMS & what do ISMS clauses mean?

There are 10 clauses in the ISO 27001:2013 version. Clauses 1 to 3 are introductory and non-auditable; clauses 4 to 10 contain the auditable requirements, and all areas of control are covered there.

Clause 1- Scope

Clause 2- Normative reference

Clause 3- Terms & definition

Clause 4- Context of the organization- The organization's internal and external context, the needs and expectations of interested parties, the scope of the ISMS and the requirement to establish, implement, maintain and continually improve it.

Clause 5- Leadership- defining roles & responsibility, defining ISMS policy, Commitments for implementing ISMS, a person (CISO- Chief Information Security Officer) or a team (Core Team) to look after all ISMS activities.

Clause 6- Planning – Defining the information security risk assessment and risk treatment process, setting ISMS objectives (short term and long term goals) and planning how to achieve them.

Clause 7- Support – Identify the resources, train your team on ISMS, evaluate the skills and increase knowledge of the current system and its requirement. Besides these, you also need to define the internal and external communications and the documentation management system.

Clause 8- Operation – Operational planning and control of the processes needed to meet the ISMS requirements, performing the information security risk assessment at planned intervals and carrying out the chosen risk treatment plan.

Clause 9- Performance evaluation- Monitoring, measurement, analysis and evaluation of the ISMS, internal audits and management review meetings.

Clause 10- Improvement- Identifying the areas to be improved, prioritizing & finding the corrective actions and setting new objectives and goals for continual improvement.

Annex A is a reference list of control objectives and controls.

So what is Annex A? Are Annex A and the Statement of Applicability (SoA) the same? What does it say?

They are not the same. Annex A of ISO 27001:2013 is the catalogue of 114 controls grouped into the 14 domains A5 to A18 listed below. The Statement of Applicability (SoA) is the document the organization produces from it: for each Annex A control it records whether the control is applicable, the justification for including or excluding it, and whether it has been implemented. Auditors work from the SoA, so every exclusion needs a defensible reason.

A5– Information security policies (Administrative controls – ISMS policy and its review)

A6– Organization of information security (Administrative controls – internal roles and duties, segregation of duties, mobile device and teleworking policies, etc.)

A7– Human resource security – before hiring, during employment and after exit (Administrative controls – non-disclosure agreements, background verification, awareness training, etc.)

A8– Asset management (Administrative, physical and technical controls – responsibility for assets, information classification, labelling, handling and disposal)

A9– Access control (Administrative, physical and technical controls – access control policy, user access management, user responsibilities, system and application-level access controls)

A10– Cryptography (Technical controls – policy on the use of cryptographic controls and key management)

A11– Physical and environmental security (Physical controls – locks, barriers, surveillance cameras, equipment security, etc.)

A12– Operations security (Administrative, physical and technical controls – documented operating procedures, change management, malware protection, backups, logging and monitoring, technical vulnerability management including vulnerability assessment and penetration testing (VAPT))

A13– Communications security (Administrative, physical and technical controls – network security management, network segregation, security of information in transit and in information transfer agreements, etc.)

A14– System acquisition, development and maintenance (Administrative, physical and technical controls – secure engineering principles, security requirements for applications, secure development environment, test criteria, change control, rollback procedures, etc.)

A15– Supplier relationships (Administrative, physical and technical controls – supplier agreements, service level agreements, operational level agreements, information security in the supply chain, response and resolution times, monitoring of supplier service delivery, etc.)

A16– Information security incident management (Administrative, physical and technical controls – procedures, responsibilities, reporting of events and weaknesses, response, learning from incidents and collection of evidence)

A17– Information security aspects of business continuity management (Administrative, physical and technical controls – planning, implementing and reviewing continuity, and redundancy for availability)

A18– Compliance (Administrative, physical and technical controls – legal and contractual requirements, NDAs, customer agreements, privacy, independent reviews and review of technical compliance)

With the above items as a reference you know what to implement and which areas to address for information security. You can always reach out to CertPro: our team has implemented ISO 27001 technically and is happy to assist you with implementation and guide you with the necessary knowledge and templates.

Who can have ISO 27001? What is the current version? Is there any revision, if so when will it be released?

Any organization, of any size or sector, can implement an ISMS and be certified. It is most sought after by organizations that process large amounts of data and for which the security of that data is a primary concern. Some of the major sectors are banking, for securing customer financial data and company transactions; hospitals, for securing patients' health data and treatment records; software product and service companies; and government offices, since most citizens' data is processed and stored there.

At the time of writing the current version was ISO/IEC 27001:2013, which was reviewed in 2019 and confirmed unchanged.

Reference: https://www.iso.org/standard/54534.html

A new edition has since been published: ISO/IEC 27001:2022 was released in October 2022. Clauses 4 to 10 keep the same structure, but Annex A was reorganized from the 14 domains above into four themes (organizational, people, physical and technological) with 93 controls, and organizations certified against the 2013 version have a transition period ending 31 October 2025 to move to the 2022 version. The domain list above therefore describes the 2013 Annex A; check which edition your certification body is auditing against.
