As the cyber security journey continues, I’ve been inevitably caught in the net of ISO 27001. As one of the most globally accepted frameworks for information security, it’s inevitable that those working in cyber security will end up working with it, in it or on it.
I’ve put this together as a simple guide aimed at assisting those going for the first (and lowest) ISO 27001 certification: ISO 27001 Foundation.
What is the ISO?
Before I get into the 27001 framework, I thought it best to discuss the organisation behind it. The ISO is a truly international organisation which helps to define globally accepted standards for everything from children’s toys to cyber security.
Each country is represented in the ISO by a single member organisation; for example, in the UK it is the British Standards Institution (BSI), while in the USA it is the American National Standards Institute (ANSI).
What is ISO 27001?
ISO 27001 is a framework designed to assist in the management of information security within an organisation and to create an Information Security Management System (ISMS). It is not prescriptive in terms of what an organisation should do; for example, it will not state ‘backups should be performed daily’, as there is no ‘one-size-fits-all’ methodology for security and resilience. Instead, ISO 27001 provides guidance for organisations to define their own suitable requirements and then requires that these are adhered to in order to maintain ISO 27001 compliant status.
That’s great but what is it?
ISO 27001 is a documented standard, broken down into eleven sections, the first four of which are introductory, with the remaining seven being mandatory requirements for an organisation to be compliant. The sections are:
- Section 0: Introduction
- Section 1: Scope
- Section 2: Normative references
- Section 3: Terms and definitions
- Section 4: Context of the organisation
- Section 5: Leadership
- Section 6: Planning
- Section 7: Support
- Section 8: Operation
- Section 9: Performance evaluation
- Section 10: Improvement
Finally, there is Annex A, which is a catalogue of controls that can be used.