In 2005, the International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) published a family of standards designed to help organizations and companies improve their quality management practices. One of these information security standards was ISO/IEC 27001, which aims to help companies better manage their information security.
If achieving an ISO 27001 certification is essential to your organization, keep reading to learn about its benefits and requirements and how you can successfully integrate it.
ISO 27001 explained
ISO 27001:2013 is the current set of ISO 27001 standards used by companies and organizations worldwide. These standards help companies know how to manage information security. ISO 27001 gives organizations information about establishing and implementing an information security management system (ISMS). It also includes information about maintaining and improving an organization's ISMS.
The ISO published these standards with the goal of assisting companies as they attempt to improve the security of their information assets. To receive an ISO 27001 certification, organizations have to go through an accredited certification body. These certifications can only be awarded once an organization successfully completes an audit.
Why is ISO 27001 important?
ISO 27001 is crucial to many organizations, giving them a framework for protecting sensitive information. A major part of this framework is designed to help organizations improve their risk management by identifying the strengths and weaknesses of their current security efforts. ISO 27001 ensures organizations understand the need for effective cybersecurity, underscoring the importance of using an ISMS since it improves the security of a company's end-to-end processes.
When an organization uses ISO 27001 while developing and implementing a new ISMS, it relies on a living set of documents made to improve risk management. Since these documents are usually stored online in a knowledge management system, companies can use the ISO 27001 standards to ensure their documents and data are secure.
What are the benefits of ISO 27001?
ISO 27001 comes with several advantages for organizations.
By achieving ISO 27001 certification, a company shows it has reached full compliance in implementing and following cybersecurity best practices. When you fully comply with these standards, you'll set your organization up to more effectively guard against cyber threats such as malware and ransomware.
Achieving ISO 27001 certification enhances an organization's reputation. When your organization is ISO 27001 certified, you show your partners and customers you can properly protect their data. Due to the international reputational advantages associated with ISO 27001, you're more likely to increase your business opportunities.
When you implement ISO 27001 standards at your company, you can improve how well your organization is structured. With these standards successfully implemented, you'll avoid poor organization, as you'll have to document your main security processes and identify who's responsible for them. Every staff member can review documentation to find their responsibilities and information on how to conduct key processes.
Since ISO 27001 aims to prevent security incidents from occurring in the first place, you can lower costs associated with security incidents. While you'll have to invest some money to achieve ISO 27001 compliance, your cost savings from preventing security incidents will outweigh initial investment expenses.
What are the ISO 27001 requirements?
ISO 27001 features 12 sections organizations must review to meet the ISO 27001 standards. Sections 5 through 11 go over particular requirements organizations must satisfy to achieve compliance. Find out more about the main standards of ISO 27001 below:
- Context of the organization: To meet this requirement, you'll need to identify what stakeholders will be responsible for your ISMS's creation and maintenance
- Leadership: This section of the ISO 27001 standards explains how your organization's leaders should be involved with ISMS procedures and policies
- Planning: The planning requirements outline how an organization should plan out a risk-management strategy
- Support: In the support section, ISO 27001 details how to increase information security awareness and designate responsibilities at your organization
- Operation: The operation requirements cover how your organization should use documentation and manage risks to fulfill ISO 27001 audit strategy requirements
- Performance evaluation: To meet performance evaluation standards, your organization will need to follow guidelines surrounding the proper measuring and monitoring of your ISMS's performance
- Improvement: The improvement section lays out how your organization should regularly improve and update your ISMS
What are ISO 27001 controls?
ISO 27001 controls are practices that organizations must implement to lower their risks to acceptable levels. These controls can be physical, technical, human, legal, and organizational. ISO 27001 has 114 controls, with these controls falling into 35 control categories and 14 domains. The ISO designed these controls to give organizations a framework for identifying, managing, and treating information security risks.
What are the 14 domains of ISO 27001?
ISO 27001 sets out 14 domains that its controls cover. These 14 domains cover key parts of an organization, such as the organization of information security, human resource security, supplier relationships, asset management, and information security incident management. By following the policies and standards set by the controls in these 14 domains, a company can ensure it complies with ISO 27001 and achieves certification.
Learn more about the 14 domains of ISO 27001 below:
1. Information security policies
The first domain of ISO 27001 covers information security policies. This domain determines how an organization should write its ISMS policies and review them for compliance. When an auditor examines your organization for these policies, they'll check how you document and review your procedures and the frequency with which you do so.
2. Organization of information security
In the organization of information security section, ISO 27001 gives organizations the necessary framework for information security implementation and operation. This section defines the responsibilities of different parts of an organization. It also helps organizations define their information security's organizational aspects, such as teleworking, project management, and mobile device usage. Here, an auditor will look for an understandable organization chart featuring information on each role's responsibilities.
3. Human resource security
The human resource security domain focuses on how organizations should inform their employees about cybersecurity during onboarding, offboarding, and while transferring positions. It also covers how an organization can hire, train, and manage its employees in a secure manner. During an audit, the auditor will check to see you have clear information security practices during the onboarding and offboarding of employees.
4. Asset management
In the asset management section, ISO 27001 provides controls that give organizations information about identifying information security assets, such as storage devices and processing devices. This domain's controls also cover how organizations should designate the security responsibilities of their data assets. They ensure people understand proper handling of these assets based on predefined classification levels. In an audit, the auditor will examine how an organization tracks its databases, software, and hardware and the methods or tools it uses to maintain data integrity.
5. Access control
When an organization reviews the access control domain, it learns more about how it should limit employees' access to various types of data. In this case, auditors will ask for an organization to provide detailed information about how it sets access privileges and whose responsibility it is to maintain these controls.
6. Cryptography
The cryptography domain covers controls designed to establish how an organization should properly use encryption solutions. Proper use of these solutions includes an organization's ability to protect the integrity, confidentiality, and authenticity of information. When an auditor audits an organization, they'll inspect systems that handle sensitive data and the kinds of encryption the organization uses.
7. Physical and environmental security
Besides protecting a company's cybersecurity operations, ISO 27001 also covers physical and environmental security. This domain details appropriate processes for securing internal equipment and buildings, guarding them against natural and human intervention. During an audit, the auditor will search for a physical location's vulnerabilities, paying particular attention to accessibility standards for data centers and offices.
8. Operations security
The operations security domain details various controls designed to ensure organizations secure and protect their IT systems from data loss. To meet the standards set in this domain, a company has to follow ISO 27001's guidance on secure collection and storage of data. When an auditor checks to see if an organization meets operations security standards, they want to see data flow evidence and information about where the organization stores data.
9. Communications security
The controls in the communications security domain cover the security of all the transmissions occurring within an organization's network. By securing transmissions, an organization can better protect its network services and infrastructure and the data that travels within the network. In an audit, the auditor will want to see what communication systems an organization is using and how the organization is ensuring its data stays protected.
10. System acquisition, development, and maintenance
The system acquisition, development, and maintenance section includes controls made to maintain information security best practices when upgrading existing systems or purchasing new ones. During an audit, the auditor will check if an organization has maintained rigorous security standards when introducing new systems.
11. Supplier relationships
If an organization outsources various activities to partners or suppliers, it should review the supplier relationships section. This section provides information about the right information security controls any suppliers and partners should follow when an organization outsources activities to them.
The controls in this domain also cover how organizations should properly monitor third-party security performance. To verify an organization is correctly outsourcing various activities, an auditor will review an organization's contracts with third parties that potentially have access to sensitive data.
12. Information security incident management
The information security incident management domain provides organizations with best practices for effectively responding to security threats. These best practices include information about the proper handling and communication procedures related to security incidents and events.
This domain's controls also cover how to resolve incidents quickly, preserve evidence, and learn from past incidents to prevent recurring security issues. An auditor may run drills to see how an organization handles incidents to verify they can effectively handle various threats.
13. Information security aspects of business continuity management
The information security aspects of business continuity management domain features controls designed to help organizations maintain their information security management operations when they experience disruptions. These controls also provide information about how to handle major changes. An auditor may check an organization's competency by having the organization's ISMS respond to various theoretical disruptions and verifying the response is effective.
14. Compliance
ISO 27001's final domain is compliance, with this section covering what industry or government regulations an organization must meet. By following the controls in this section, a company can better prevent contractual, statutory, regulatory, and legal breaches. The organization can also use these controls to see if its information security meets ISO 27001's requirements, policies, and procedures. During an audit, the auditor will look for evidence of full compliance with any relevant regulations governing the organization.
How do you implement ISO 27001 controls?
As you attempt to implement ISO 27001 controls, you'll employ various methods based on the type of control you're putting into place. Review the primary methods for implementing these controls below:
- Organizational controls: Add organizational controls by defining the behavior you expect from equipment, systems, software, and users and by putting rules in place. Examples of these controls include access controls and policies on using personal devices for work.
- Human resource controls: Give employees and other relevant personnel the experience, knowledge, skills, and education required to securely perform their responsibilities. Some examples of these controls include ISO 27001 internal auditor training and security awareness training.
- Technical controls: Put technical controls in place by adding firmware, hardware, and software components into your information systems. Primary examples include antivirus software and cloud backups.
- Physical controls: Install devices and equipment that can physically interact with objects and people to increase your organization's physical security. Some examples of these kinds of controls include locks, CCTV cameras, and alarm systems.
- Legal controls: Add legal controls by making sure your organization's behaviors and rules follow the contracts, regulations, and laws your organization must follow. Examples of legal controls include service-level agreements and non-disclosure agreements.
How to do risk assessment with ISO 27001
When you want to comply with ISO 27001 while you conduct a risk assessment, you should follow a few steps. Some of the top steps for conducting a compliant risk assessment include:
Create a risk management framework
A risk management framework will provide you with rules for how you identify risks; how risks impact your information's availability, confidentiality, and integrity; and who receives risk ownership. A good framework will also define a calculation method for estimating a risk's likelihood and potential impact. This framework will need to include a risk scale, an asset- or scenario-based risk assessment approach, a risk appetite, and baseline security criteria.
Identify potential risks and threats
With your risk management framework in place, identify key risks that could impact your information's integrity, availability, and confidentiality. Listing out all potential threats to your information assets can help you organize them and keep track of your organization's main threats.
Once you've identified potential risks, determine your information assets' main vulnerabilities. Based on your analysis, you can assign likelihood and impact values determined by your risk criteria.
Determine current acceptable risk
Once you've analyzed your risks, you'll want to compare them against your previously determined criteria for acceptable risk. How far certain risks fall outside your acceptable criteria will often determine the risks you need to act on.
Implement risk treatment solutions
Finally, you'll need to decide what to do about the risks you've identified. For example, you might choose to eliminate processes that lead to risks, or you could apply security controls to various processes to reduce the risk. If a risk is within your acceptable risk criteria, you might decide to retain the risk.
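The four steps above (framework, identification, comparison against acceptable risk, treatment) can be exercised end to end with a small risk register. The following is an added example written for this article, not code from Box or from the ISO 27001 standard; the 1-to-5 scale, the risk appetite threshold of 8, the likelihood-times-impact formula, and the sample risks are all constructed assumptions, since ISO 27001 leaves those choices to each organization.

```python
"""Added example: a minimal risk register applying the assessment steps
described above (risk scale, likelihood x impact, risk appetite, treatment).
Scale, appetite and sample risks are constructed assumptions, not values
from ISO 27001, which leaves these choices to each organization."""
from dataclasses import dataclass

SCALE = range(1, 6)        # constructed 1..5 scale for likelihood and impact
RISK_APPETITE = 8          # constructed: scores <= 8 are accepted (retained)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str              # who receives risk ownership
    likelihood: int
    impact_c: int           # impact on confidentiality
    impact_i: int           # impact on integrity
    impact_a: int           # impact on availability

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable
        for name in ("likelihood", "impact_c", "impact_i", "impact_a"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {SCALE.start}..{SCALE.stop - 1}")

    def impact(self) -> int:
        # Worst case across the CIA triad, so one badly hit property drives the rating
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        # Constructed calculation method: likelihood multiplied by worst-case impact
        return self.likelihood * self.impact()


def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Map a scored risk to one of the treatment options named in the text."""
    if risk.score() <= appetite:
        return "retain"                      # within acceptable criteria
    if risk.likelihood == SCALE.stop - 1 and risk.impact() == SCALE.stop - 1:
        return "avoid"                       # eliminate the process that creates the risk
    return "modify"                          # apply security controls to reduce it


def assess(risks, appetite: int = RISK_APPETITE):
    """Build the register; rows sorted so the risks furthest outside appetite come first."""
    rows = [
        {"asset": r.asset, "threat": r.threat, "owner": r.owner,
         "score": r.score(), "excess": max(0, r.score() - appetite),
         "treatment": treatment(r, appetite)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample risks for demonstration only
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched database host", "IT operations", 4, 5, 5, 5),
    Risk("staff laptops", "device theft", "no full-disk encryption", "IT operations", 3, 4, 2, 2),
    Risk("marketing website", "defacement", "shared CMS password", "Marketing", 2, 1, 3, 2),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", "Platform team", 5, 5, 5, 3),
]


def register():
    """The assessed register for the constructed sample risks."""
    return assess(SAMPLE_RISKS)


if __name__ == "__main__":
    for row in register():
        print(f"{row['score']:>2} +{row['excess']:<2} {row['treatment']:<7} "
              f"{row['asset']:<20} ({row['threat']}; owner: {row['owner']})")
```

The `excess` column is what the comparison step produces: the distance by which a risk exceeds the appetite, which is the natural ordering for deciding which treatments to fund first. Any value outside the declared scale is rejected at construction time, so a rating typed as 0 or 10 cannot silently distort the register.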
What are the ISO 27000 standards?
ISO 27001 establishes the primary requirements for organizations' ISMS, but organizations should also be aware of other requirements in the ISO 27000 family of standards. Some of the primary ISO 27000 standards that complement ISO 27001 can be found below:
- ISO/IEC 27000: ISO 27000 gives organizations definitions of the key terms used across the ISO 27000 family of standards
- ISO/IEC 27002: When you want to implement controls found in ANNEX A of ISO 27001, ISO 27002 is an essential standard; this standard gives organizations information and guidelines about implementing controls
- ISO/IEC 27004: ISO 27004 provides organizations with guidelines about measuring their information security; it complements ISO 27001, as it helps organizations identify whether their ISMS is meeting key objectives
- ISO/IEC 27005: Information security risk management is critical for reducing risk, and ISO 27005 establishes guidelines for performing it; this standard fits with ISO 27001 since it describes how organizations can conduct effective risk assessment and risk treatment activities
- ISO/IEC 27017: When you review ISO 27017, you'll find guidelines about cloud environments' information security
- ISO/IEC 27018: ISO 27018 gives organizations guidelines about how they can protect privacy while using cloud environments
- ISO/IEC 27031: ISO 27031 provides organizations with guidelines for the main elements they'll want to take into account when creating business continuity for information and communication technologies
What is the difference between SOC 2 and ISO 27001?
While ISO 27001 is a set of standards for an organization's ISMS, Service Organization Control (SOC) 2 is a set of audit reports an organization uses to show evidence of its conformity to a set of defined criteria. In a SOC 2 audit, organizations check their information security controls' design and operation against a set of defined criteria.
Though SOC 2 and ISO 27001 are different, they can be complementary. After implementing ISO 27001 standards, organizations often find they can more easily create a SOC 2 report.
ISO 27001 checklist
As you attempt to reach ISO 27001 compliance, a checklist can help you focus your efforts. Review the following eight steps of an effective ISO 27001 checklist:
- Receive management support and organize an implementation team
- Create an implementation plan
- Develop an ISMS policy and define its scope
- Find your organization's security baseline
- Craft a risk management process
- Execute your risk treatment plan
- Monitor, measure, and review your ISMS's performance and compliance
- Prepare for an audit and certify your ISMS
How Box helps maintain trust and compliance
The Content Cloud makes it simple for you to comply with ISO 27001. Our Box Trust Center showcases how we help our clients achieve compliance with governmental and private standards across the world. For example, we encrypt our clients' data in motion and at rest to help our clients adhere to ISO 27001 requirements. Our collaboration platform has even received an ISO 27001:2013 certification, attesting to our excellence at achieving compliance.
Alongside the Box Trust Center, we also offer security and compliance solutions designed to help you meet various privacy and compliance requirements. Since these solutions seamlessly integrate with the top security and information governance partners, you can ensure your entire tech stack has the security and compliance you need.
With Box Governance, you can improve your governance strategy with cloud content management. This solution streamlines your content's lifecycle, reduces risk without harming productivity, and gives you tools to manage your document retention and disposition policies.
Learn more about what Box has to offer
Besides helping our customers comply with ISO 27001, we can help your company achieve compliance with other top security standards. The Content Cloud can also help you better protect your content and empower your teams to collaborate with others securely.
With all your content on a cloud-based platform, it can even reduce your overall expenses, as you won't have to use redundant apps, and it makes managing your content lifecycle much easier, freeing up your teams to focus on more profitable tasks.
Protect your content and comply with security standards with Box
While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.