ISO 27001 - Information Security Management System
ISO 27001 is an international standard, developed by the International Organization for Standardization (ISO), that describes how to establish, maintain and continually improve an ISMS. ISO 27001 is one of the most popular and commonly used information security standards, and countless organizations have certified against it for the purpose of demonstrating adequate security to customers, business partners and regulators. The latest revision of the ISO 27001 standard was published in 2013 (ISO/IEC 27001:2013).
Organizations that meet the requirements of ISO 27001 can be certified by an accredited certification body after successfully completing an audit against the standard. According to the ISO, in 2016 more than 33,000 organizations globally held certification.
What is an ISMS?
An information security management system (ISMS) is an organization’s systematic approach to managing and protecting the confidentiality, integrity and availability (CIA) of information. More specifically, an ISMS includes the policies, procedures, guidelines, resources, activities and controls employed in pursuit of that aim.
So, if the goal of a privacy team is to implement Privacy by Design—the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices—then the goal of an ISMS team would be to accomplish that very same thing, but with security—i.e., to implement “Security by Design.”
Naturally then, an effective ISMS necessitates skilled decision-making, documented policies and procedures, awareness training, clear lines of responsibility and asset ownership, risk assessments and risk treatment plans, incident response, vendor management, internal auditing, and more.
- OneTrust: Implementing appropriate security under the GDPR
- IAPP-OneTrust Joint Research: Bridging ISO 27001 to GDPR
- OneTrust (webinar): IAPP-OneTrust Research: Bridging ISO 27001 to GDPR
Security and Prevention
ISO 27001 provides a roadmap for a building a comprehensive information security management system (ISMS) and implementing only those security controls that make sense for the organization based on a risk assessment. This roadmap includes determining both the internal and external issues that might affect security (including taking the interests of third parties into account) to determine scope and context, and then creating policies and procedures to match.
Specifically, Clause 4 of ISO 27001 requires that you document the internal and external factors affecting your ISMS, as well as the needs and expectations (including requirements) of any interested parties that are relevant to the ISMS, and that you take these things into account when determining the scope (i.e., the boundaries and applicability) of your ISMS. Finally, Clause 4 requires that the ISMS be formally documented and undergo continuous improvement.
Clause 5 is concerned with leadership and responsibilities—ensuring an organization-wide commitment to information security, communicating a documented information security policy throughout the organization, and having defined roles and responsibilities with respect to information security.
Clause 6 is about planning—including creating a documented procedure for identifying, assessing and treating information security risks and opportunities for improvement, as well as a process identifying information security objectives and creating detailed plans on how to achieve them. Risk treatment plans and ISMS objectives should be “S.M.A.R.T.”—Specific, Measurable, Achievable, Relevant, and Time bound.
Clause 7 is about support for the ISMS. It requires that you allocate the resources necessary for achieving your objectives and to ensure continuous improvement of your ISMS, as well as ensuring that in-scope personnel have the necessary levels of information security education, training and experience. It also requires that you ensure organization-wide awareness of information security policies and procedures, and individual roles and responsibilities with respect to security (e.g., that information security is the responsibility of all personnel). Lastly, clause 7 requires a documented policy and procedure for handling both internal and external communications about the ISMS, as well as a documented policy and procedure for ensuring the proper review and approval of new or updated ISMS documentation, as well as for proper control and handling of documentation.
Clause 8 is primarily about implementation of the plans set out in Clause 6. It requires that you undergo risk assessments at planned intervals or when significant changes are planned or occur, and that you document the results. It subsequently requires you to create and carry out risk treatment plans following the risk assessment, and to document the results of treatment. Finally, clause 8 requires you to create a “statement of applicability” that documents the ISO/IEC 27001:2013 Annex A controls that have deemed applicable to the ISMS.
Clause 9 requires that you conduct internal audits of the ISMS against the ISO/IEC 27001:2013 standard (including clauses 4-10 and applicable Annex A controls), and that you conduct management reviews of the ISMS at planned intervals.
Lastly, Clause 10 calls for a documented corrective action procedure for addressing ‘nonconformities’ with the ISO/IEC 27001:2013 standard. Nonconformities are typically identified during audits. Nonconformities identified during an external certification or surveillance audit are typically accompanied by deadlines for completing corrective actions, and in some cases a failure to correct a nonconformity can result in loss of certification.
Accountability and Recordkeeping
The stated goal of ISO 27001 Clause 8 is to develop and maintain appropriate safeguards for organizational assets. Specifically, Clause 8.1 requires that organizations identify and clearly label important data assets. This inventory protocol includes requirements for clear definitions of ownership and acceptable uses for the data. Clause 8.2 continues by requiring data sensitivity classifications, labeling, and access controls based upon these sensitivity levels. Clause 9 also contains relevant guidance on the creation and maintenance of an access control policy.
ISO 27001 includes vendor oversight and control as critical components of appropriate data security protocols. Clause 8 requires organizations to identify what processing actions are outsourced and ensure that these processes are a controlled part of the security program.
Clause 9 builds off of Clause 8, requiring organizations to review, document, and maintain oversight of security programs which may include scheduled risk assessments and audits to confirm that customer data is secure.
Additional, more specific guidance is found in controls A.15, governing “supplier relationships,” and A.18.1, governing compliance with contractual requirements. Control A.15 addresses security concerns where the organization is vulnerable to vendor (“supplier”) access to personal data. It requires risk mitigation by limiting data access and by entering agreements to impose security responsibility and assign liability.
Control A.18 contemplates compliance with agreements where the shoe is on the other foot and the organization is acting as the supplier, requiring compliance with the customer’s security requirements.
Incident and Breach
ISO 27001 requires mechanisms both to quickly identify security incidents and to report them through the necessary established channels. This control (A.16) is designed to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
The fundamental elements underpinning an ISO 27001 compliant response plan are a clear chain of command, established identification and reporting procedures, and the reporting of any unusual activity or incidents by employees and contractors. As with all ISO 27001 requirements, documentation and continued updating are key.
Standards and Frameworks
ISO 27001 - Information Security Management System
An international standard, developed by the International Organization for Standardization (ISO), that describes how to establish, maintain and continually improve an information security management system (ISMS).
Last Updated: July 24, 2019
OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.