Looking at each clause and how to deliver against it.
Note: I don't recommend necessarily reading this entire document from start to finish. That'd put anyone to sleep. Consider it a reference guide when you need help interpreting the standard and what it means.
Contents
ISO 27001:2022 Clauses 1 to 3 - Introduction & Scope
Overview
Clauses 1-3 of ISO 27001:2022 form the foundation of the standard by setting the stage for more detailed requirements in subsequent clauses.
The clauses encompass the standard's introduction, scope, normative references, and definitions, which are essential for comprehending the framework.
The clauses provide an overview of ISO 27001 itself in 3 brief sections;
Scope (of the standard)
Normative References (background reading and referenced documents)
Terms & Definitions (points you at the ISO website for a glossary)
These initial clauses set the foundation for understanding and implementing the rest of the standard, ensuring an understanding of its purpose, reference documentation, and consistency in terminology.
It's effectively the 'forward' of a book – the introduction and endorsement bit you skip quickly through to get to the good stuff.
These clauses are not generally referred to when people talk about compliance with ISO 27001; that is all handled by clause four onwards.
Clause 4 - Context of the Organisation
So, Clause 4 is all about taking a step back and looking at the nature of your organisation and the scope of the Information Security Management System (ISMS); what parts will you apply ISO 27001 to?
There are four sub-clauses;
4.1 - Understanding the Organisation and its Context
4.2 - Understanding the Needs and Expectations of Interested Parties
4.3 - Determining the Scope of the Information Security Management System
4.4 - Information Security Management System
4.1 Understanding the Organization and its Context
Understanding the organisation's context means understanding its influences. So, what 'internal' and 'external' issues impact your organisation and its security stance?
Requirement Summary
What does clause 4 want? Well, it wants to see evidence of;
Identify external and internal issues relevant to the purpose of the organisation.
Any issues that should be considered when determining the scope of the Information Security Management System (ISMS).
Internal Influences Examples
Organisational culture and attitudes towards information security.
Existing IT infrastructure and security measures.
Roles and responsibilities related to information security.
External Influences Examples
Regulatory requirements (e.g., GDPR, HIPAA).
Emerging cyber threats and technological developments.
Competitor actions and industry trends.
What an Auditor is Looking For
Documentation of external and internal issues.
Evidence that these issues have been considered in the ISMS scope.
Review of the organisation's strategic direction and its alignment with ISMS.
4.2 Understanding the Needs and Expectations of Interested Parties
Next, it is essential to determine who is interested in our information security position and list the stakeholders' interests.
Again, stakeholders could be internal or external to the organisation.
For example, they could be;
Internal Examples
Employees who have their data processed by the organisation.
Shareholders who want to maintain an excellent organisational reputation.
Senior Leadership need assurances that risks and compliance are proactively managed.
External Examples
Customers who entrust their data to the organisation and want to understand how it is managed.
Regulatory bodies that monitor compliance with standards such as GDPR.
Suppliers who have access to the organisation's data.
Requirement Summary
Identify interested parties relevant to the ISMS.
Understand the requirements of these interested parties.
What an Auditor is Looking For
Documentation of relevant interested parties and their needs and expectations.
4.3 Determining the Scope of the Information Security Management System
The scope is different with every organisation. It's within your power to decide what to include in the scope of your ISO 27001 implementation and what to exclude. This includes the business processes, offices, teams, services, or functions to which you will apply the ISMS.
In the early days, this can be very important and stop you from 'boiling the ocean' by trying to do too much.
So, I advise keeping it simple and the scope as tight as possible for your first time out. It's entirely possible to extend the scope in subsequent years, but it isn't so easy to reduce the scope retrospectively.
Requirement Summary
Establish the boundaries and applicability of the ISMS.
Consider external and internal issues and the requirements of interested parties.
What an Auditor is Looking For
A clear statement of the ISMS scope.
Justification for the scope boundaries.
Evidence that scope considers all relevant issues and requirements.
4.4 Information Security Management System
So, clause 4.4 states that you need to create and maintain an Information Security Management System (ISMS), as we call it in the biz. It sounds like a record store or a security application, and it could be part of it. It really refers to the processes, policies, tools, and controls that you create as part of your ISO 27001 management system.
In the previous clause, ISO asked you to determine the scope of the ISMS; in future clauses, it’s asking you to determine the workings of the system.
Every output and requirement in the standard is the ISMS.
How you choose to implement it is up to you.
Some organisations opt for a whiz-bang snazzy system to help manage their ISMS documentation and processes (I've not seen one that isn't overly complicated and tiresome to use), and others set up a file store on SharePoint and put all their documentation into that.
Requirement Summary
Establish, implement, maintain, and continually improve the ISMS to the standard's requirements.
What an Auditor is Looking For
An established ISMS with defined processes and procedures.
Evidence of continual improvement activities.
Compliance with all clauses of the ISO 27001 standard.
Key Implementation Steps
Step | Description |
|---|---|
1 | Develop an ISMS policy and objectives. |
2 | Establish ISMS processes and procedures. |
3 | Implement the ISMS across the organisation. |
4 | Monitor and measure the effectiveness of the ISMS. |
5 | Conduct regular internal audits and management reviews. |
6 | Implement corrective actions and improvements based on audit findings and reviews. |
Clause 5: Leadership
Clause 5 is about setting clear messaging and expectations from the senior management.
Information Security requires oversight and sponsorship from the very top. It can't be a bottom-up-driven initiative (trust me, I've tried it). A key senior sponsor is a must, and you'll need to demonstrate responsibilities across the ISMS.
Clause 5 also outlines the need for an overarching Information Security Policy.
There are three main sub-clauses;
5.1 Leadership & Commitment
5.2 Policy
5.3 Organisational Roles, Responsibilities & Authorities
5.1 Leadership and Commitment
Finding a senior sponsor is crucial to success, and you'll need to demonstrate that they are involved and supporting your security efforts.
The sponsor will provide the strategic direction, funding and resources needed for the ISMS to be successful. Without it, I'm afraid you are fighting a lost cause, so even if you must write business cases and other documents and push them under their noses to get sign-off, then that's what is needed.
Requirement Summary
Top management must demonstrate Leadership and commitment to the ISMS.
Ensure the ISMS achieves its intended outcomes.
Ensure resources are available.
Communicate the importance of effective information security management and conformance to the ISMS requirements.
Ensure the ISMS is integrated into the organisation's processes.
Promote continual improvement.
What an Auditor is Looking For
Evidence of top management's active involvement in the ISMS.
Records of communication from top management emphasising the importance of information security.
Documentation showing that information security objectives align with the organisation's strategic direction.
Evidence that resources have been allocated for the ISMS.
Key Implementation Steps
Step | Description |
1 | Conduct regular meetings with top management to discuss ISMS-related matters. |
2 | Document and disseminate top management's commitment to information security. |
3 | Allocate necessary resources (financial, human, technological) for ISMS implementation and maintenance. |
4 | Align ISMS objectives with the strategic goals of the organisation. |
5 | Promote a culture of information security throughout the organisation. |
5.2 Policy
As part of the implementation, it is important to set the stage and let everyone know what's expected of them. This is predominantly done through two mechanisms: policy and training.
You must have an overarching Information Security Policy. This 'parent' policy may signpost readers to more specific sub-policies, such as a Secure Development Policy, Bring-Your-Own-Device Policy, or the famous Acceptable Use Policy.
Requirement Summary
Establish an information security policy.
Ensure the policy is appropriate to the purpose of the organisation.
Include information security objectives or provide a framework for setting objectives.
Include a commitment to satisfy applicable requirements and continual improvement.
Ensure the policy is documented, communicated, and available to interested parties.
What an Auditor is Looking For
A documented information security policy.
Evidence that the policy has been communicated within the organisation.
Records show that the policy is regularly reviewed and updated.
Evidence that the policy is aligned with the organisation's objectives.
Key Implementation Steps
Step | Description |
1 | Draft an information security policy that aligns with organisational objectives. |
2 | Obtain approval from top management for the policy. |
3 | Communicate the policy to all employees and relevant stakeholders. |
4 | Make the policy available on the organisation's intranet and other communication channels. |
5 | Schedule regular reviews of the policy to ensure it remains relevant and practical. |
5.3 Organisational Roles, Responsibilities, and Authorities
Clause 5.3 asks you to define your Roles and Responsibilities (R&Rs) for Information Security. Specifically, the primary ISMS maintenance responsibilities.
To meet this clause, there are two main responsibilities the standard refers to;
Making sure the ISMS conforms to the ISO 27001 standard
Reporting on the performance of the ISMS to the senior management
This isn't the entirety of the roles & responsibilities across 27001 and the clauses and controls therein, so you can't get away with just jotting those two down in a matrix and patting yourself on the back, as there are others relating to various clauses and controls (such as ownership of risks, etc.). Still, these are the key ones related to Leadership. There are many roles and responsibilities within the first point alone.
Requirement Summary
Assign and communicate roles, responsibilities, and authorities for information security.
Ensure these roles are well-defined and understood within the organisation.
Assign responsibility and authority to ensure the ISMS conforms to the standard and reports on its performance.
What an Auditor is Looking For
Documentation of assigned roles and responsibilities.
Evidence that responsibilities have been communicated to relevant personnel.
Records of performance reports submitted to top management.
Clear job descriptions that include information security responsibilities.
Key Implementation Steps
Step | Description |
1 | Define roles and responsibilities related to information security. |
2 | Create job descriptions and organisational charts reflecting these roles. |
3 | Communicate roles and responsibilities to all relevant personnel. |
4 | Ensure all employees understand their information security duties. |
5 | Establish regular reporting mechanisms to keep top management informed about ISMS performance. |
Clause 6: Planning
So, clause 6 is about setting out where and how you will put effort into Information Security.
You can't do everything in year one, so where will you focus your attention?
What risks are the most pressing?
What are your objectives for the year ahead?
How will you manage change?
Clause 6 has three main sub-sections, of which there are sub-sub-sections, if that's a word.
They are;
6.1 Actions to Address Risks & Opportunities
6.1.1 General
6.1.2 Information Security Risk Assessment
6.1.3 Information Security Risk Treatment
6.2 Information Security Objectives & Planning to Achieve Them
6.3 Planning of Changes
6.1 Actions to Address Risks and Opportunities
It can be a bit confusing, and you need to look at the standard itself, but 6.1 is effectively just a parent clause holding 6.1.1 to 6.1.2, so we'll jump into those.
6.1.1 General
This outlines the overall requirement to manage risks and have an articulated framework for identifying, evaluating and addressing those risks.
This is usually handled by creating a Risk Methodology and procedure and then maintaining a log of your risks, their assessments, and treatment plans.
Requirement Summary
Consider internal and external issues (Clause 4.1) and interested party requirements (Clause 4.2) when planning the ISMS.
Determine risks and opportunities that need addressing to:
Ensure the ISMS achieves intended outcomes.
Prevent or reduce undesired effects.
Achieve continual improvement.
Plan actions to address these risks and opportunities.
Integrate and implement these actions into ISMS processes.
Evaluate the effectiveness of these actions.
What an Auditor is Looking For
Evidence of a risk management process includes identifying, assessing, and treating risks.
Documentation showing the consideration of risks and opportunities in the planning process.
Records of actions taken to address risks and opportunities and their effectiveness.
Key Implementation Steps
The implementation steps are picked up by 6.1.2 and 6.1.3, but these are the high-level activities;
Step | Description |
1 | Identify and document risks and opportunities related to the ISMS. |
2 | Develop and document risk treatment plans. |
3 | Integrate risk treatment actions into ISMS processes. |
4 | Implement risk treatment plans and actions. |
5 | Monitor and review the effectiveness of the risk treatment plans. |
6.1.2 Information Security Risk Assessment
Any risk management framework needs to clarify how it will assess risks, rank them against each other, and then determine which ones are the most serious, as it may well be that you can't deal with all of them.
6.1.2 requires you to outline your risk scoring and evaluation approach and maintain such activities' records.
Requirement Summary
Define and apply a risk assessment process that:
Establishes risk acceptance criteria.
Ensures consistent, valid, and comparable risk assessment results.
Identifies risks related to loss of confidentiality, integrity, and availability of information.
Analysis evaluates risks and prioritises them for treatment.
What an Auditor is Looking For
Documented risk assessment methodology.
Records of identified risks and their analysis.
Documentation of risk evaluation and prioritisation.
Key Implementation Steps
Step | Description |
1 | Define risk assessment criteria and acceptance levels. |
2 | Conduct risk assessments to identify potential risks. |
3 | Analyse risks to determine their potential impact and likelihood. |
4 | Evaluate and prioritise tasks based on assessment results. |
5 | Document the risk assessment process and outcomes. |
6.1.3 Information Security Risk Treatment
Once you've assessed your risks, you must ensure each risk has a treatment plan.
The treatment could involve implementing a new control, transferring the risk, avoiding the risk, or simply recording the appropriate management's acceptance of the risk and potential fallout.
ALERT! ISO 27001 is divided into two major parts: the clauses and the controls. The controls are outlined in Annex A and detailed in ISO/IEC 27002.
There are 93 controls, all of which need to be addressed or clarified as to why they are not applicable.
|
Here, the standard requires that we need to maintain a Statement of Applicability (SoA) document.
The SoA serves to:
List all controls from Annex A.
Justify their inclusion or exclusion.
State whether each control is implemented.
Justify any exclusions.
Your risk treatment methodology might state that your organisation will address risks with a 'moderate' level of impact and likelihood score. Each identified risk will need a detailed mitigation, transfer, avoidance, or acceptance plan. Lower-scoring risks might also be addressed or accepted based on the organisation's risk appetite.
At the core of ISO 27001 is that the organisation is aware of its risks and makes informed decisions on how to address them. Here, you are ensuring a record of how each risk will be treated (or not).
Requirement Summary
Define and apply a risk treatment process to:
Select appropriate risk treatment options.
Implement controls to manage risks.
Retain documented information on risk treatment decisions.
Compare the determined controls with those in Annex A.
Develop a Statement of Applicability to document:
The necessary controls.
Justifications for inclusion or exclusion.
Implementation status.
What an Auditor is Looking For
Documented risk treatment plans and decisions.
Evidence of implemented controls to mitigate risks.
Records of residual risk acceptance by management.
Comprehensive and justified Statement of Applicability.
Key Implementation Steps
Step | Description |
1 | Identify and select appropriate risk treatment options (avoid, transfer, mitigate, or accept). |
2 | Compare selected controls with those in Annex A to ensure no necessary controls are omitted. |
3 | Develop risk treatment plans with specific controls. |
4 | Document the risk treatment decisions and accept residual risks. |
5 | Create and maintain the Statement of Applicability, listing all controls and their status. |
6 | Implement the selected controls. |
7 | Monitor the effectiveness of implemented controls and update plans as necessary. |
6.2 Information Security Objectives and Planning to Achieve Them
Your ISMS needs to demonstrate that you have a plan with clear objectives.
The plan/objectives needn't be complicated, but it should summarise what you will achieve in the forthcoming period and what resources will be needed to deliver against it.
I consider it an annual project plan for information security and everything you want to achieve that year.
Requirement Summary
Establish information security objectives at relevant functions and levels.
Ensure objectives are consistent with the information security policy.
bjectives should be measurable, monitored, communicated, and updated as necessary.
Plan how to achieve these objectives, including what will be done, the required resources, responsible persons, deadlines, and evaluation methods.
What an Auditor is Looking For
Documented information security objectives.
Evidence that objectives are aligned with the information security policy.
Records of planning and actions taken to achieve the objectives.
Monitoring and review of progress towards objectives.
Key Implementation Steps
Step | Description |
1 | Define information security objectives aligned with organisations. |
2 | Ensure objectives are measurable and achievable. |
3 | Communicate objectives to all relevant stakeholders. |
4 | Develop plans detailing actions, resources, responsibilities, and timelines to achieve objectives. |
5 | Monitor progress and update objectives and plans as needed. |
6.3 Planning of Changes
Clause 6.3 of the standard is a single but significant line, and open to interpretation. It's not possible to summarise without clearly stating it;
"When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner."
Wow, that's both all-encompassing and vague. Here's how I choose to interpret it;
Requirement Summary
Determine the need for any changes to the ISMS.
Plan changes in a systematic manner.
Ensure changes are carried out in a controlled manner.
Consider the purpose of the changes and their potential consequences.
Maintain the integrity of the ISMS during and after changes.
What an Auditor is Looking For
Documentation of the planned changes and their purposes.
Evidence that the potential consequences of changes have been considered.
Records show that changes are implemented in a controlled manner.
Assurance that the ISMS integrity is maintained during and after changes.
Key Implementation Steps
Step | Description |
1 | Identify and document the need for changes to the ISMS. |
2 | Assess the potential impacts and consequences of the proposed changes. |
3 | Develop a change management plan detailing the steps and controls required. |
4 | Obtain approval from relevant stakeholders before implementing changes. |
5 | Implement changes in a controlled manner, ensuring ISMS integrity is maintained. |
6 | Monitor and review the effectiveness of changes post-implementation. |
Clause 7 - Support
Clause 7 requires us to implement a robust supportive framework to communicate and educate staff and stakeholders on the Information Security Management System (ISMS).
How will you communicate policies, procedures and critical information?
What resources do you need to do that?
How will it be documented and controlled?
There are several key clauses here, including;
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
7.5.1 General
7.5.2 Creating & Updated
7.5.3 Control of Documented Information
7.1 Resources
This is another pretty broad one-liner, but it still warrants attention.
The standard states,
"The organisation shall determine and provide the resources needed for the establishment, implmentation, maintenence and continual improvement of the Information Security Management System".
That means we need to ensure we have the right resources to run our ISMS. Earlier in the standard, it asked us to consider leadership and management resources; this is much wider.
Requirement Summary
Determine and provide the necessary resources for establishing, implementing, maintaining, and continually improving the ISMS.
What an Auditor is Looking For
Evidence of resource allocation for ISMS activities.
Records showing sufficient resources have been provided for effective ISMS operation.
Key Implementation Steps
Step | Description |
1 | Identify the resources needed (human, financial, technological) for ISMS activities. |
2 | Ensure budget allocation and procurement of necessary resources. |
3 | Document resource allocation and utilisation. |
4 | Monitor resource adequacy and adjust as necessary. |
5 | Review resource needs periodically. |
7.2 Competence
We must ensure that staff members are sufficiently trained for their roles within the ISMS.
Requirement Summary
Determine the necessary competence of personnel affecting ISMS performance.
Ensure that personnel are competent based on appropriate education, training, or experience.
Take actions to acquire the necessary competence and evaluate the effectiveness of those actions.
What an Auditor is Looking For
Competence criteria for ISMS roles.
Records of education, training, and experience for personnel.
Evidence of actions taken to acquire and evaluate competence.
Key Implementation Steps
Step | Description | |
1 | Define competence requirements for ISMS roles. | |
2 | Identify gaps in current competence levels. | |
3 | Provide training and development programs to fill gaps. | |
4 | Maintain records of training, education, and experience. | |
5 | Evaluate the effectiveness of training and competence improvement actions. |
|
7.3 Awareness
Under 7.3, the standard wants us to explain how we communicate the Information Security Policy from clause 5.2 and any other aspects of the ISMS that need awareness, such as responsibilities and controls that might be put in place.
It can be a little confusing regarding the difference between 7.3 (Awareness) and 7.4 (Communication). 7.3 focuses on ensuring all personnel understand their roles, the importance of information security, and the consequences of noncompliance, whereas 7.4 (Communication) involves establishing internal and external communication processes about the ISMS, including what, when, how, and with whom to communicate.
First, let's look at 7.3, which focuses on awareness.
Requirement Summary
Ensure that all personnel are aware of the ISMS policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming to ISMS requirements.
What an Auditor is Looking For
Evidence that ISMS policy has been communicated to all personnel.
Records showing awareness programs and their effectiveness.
Examples of awareness activities conducted.
Key Implementation Steps
Step | Description |
1 | Develop an awareness program covering ISMS policy and individual roles. |
2 | Conduct regular awareness sessions and training. |
3 | Use multiple communication channels to reinforce awareness. |
4 | Collect feedback from personnel to improve awareness programs. |
5 | Document awareness activities and evaluate their effectiveness. |
7.4 Communication
Clause 7.4 (Communication) establishes a structured plan for internal and external communications regarding the ISMS. This includes what needs to be communicated, when it should be communicated, with whom it should be communicated, and how the communication should take place, covering policies, procedures, and general information security matters.
The bottom line is that you need a comms plan.
Requirement Summary
Determine the need for internal and external communications relevant to the ISMS.
Identify what, when, with whom, and how to communicate.
What an Auditor is Looking For
Communication plan covering ISMS-related communications.
Evidence of communication activities (e.g., meeting minutes, announcements).
Records showing evaluation of communication effectiveness.
Key Implementation Steps
Step | Description |
1 | Develop a communication plan outlining what, when, with whom, and how to communicate ISMS information. |
2 | Implement the communication plan using appropriate channels. |
3 | Ensure regular updates and feedback mechanisms are in place. |
4 | Maintain records of all communications. |
5 | Review and adjust the communication plan as necessary. |
7.5 Documented Information
Nothing to see here; it's just a holder for 7.5.1 and others.
7.5.1 General
This clause summarises the general requirements for documented information within the ISMS before moving into some specifics in 7.5.2 and 7.5.3.
It's not rocket science; it's just saying the same thing all auditors say;
"Say what you are going to do" (document processes)
"Do it" (follow your processes)
"Prove that you've done it" (record the activity)
Requirement Summary
The ISMS must include documented information required by ISO 27001.
Include documented information deemed necessary by the organisation for the effectiveness of the ISMS.
What an Auditor is Looking For
Documentation of ISMS processes and procedures.
Evidence that all required documents are maintained and accessible.
Records show that documented information is controlled.
Key Implementation Steps
Step | Description |
1 | Identify all required documented information as per ISO 27001. |
2 | Develop and document necessary procedures and policies. |
3 | Ensure documents are approved and communicated to relevant personnel. |
4 | Implement a document control process to manage document creation, updating, and access. |
5 | Regularly review and update documented information. |
7.5.2 Creating and Updating
Again, this is a pretty straightforward version control requirement that most systems will handle automatically for you.
Clause 7.5.2 lays out a few light requirements to ensure consistency around document versions and standards and that there is a review process in place for any documents in the ISMS.
Requirement Summary
Ensure that documented information created and updated is appropriate and adequately controlled.
Include appropriate identification, format, and review/approval processes.
What an Auditor is Looking For
Documentation showing that the creation and updating of documents follow defined procedures.
Evidence of proper identification, formatting, review, and approval of documents.
Records show that only authorised individuals create and update documented information.
Key Implementation Steps
Step | Description |
1 | Define criteria for document creation and updating, including identification and format. |
2 | Develop a procedure for the review and approval of documents. |
3 | Train personnel on document creation, review, and approval processes. |
4 | Implement access controls to ensure only authorised personnel can create or update documents. |
5 | Maintain records of document reviews and approvals. |
7.5.3 Control of Documented Information
Clause 7.5.3 wants us to explain how we will ensure the documentation is secure, access-controlled and version-controlled.
If you are putting it into a document management system, like Sharepoint or Google Docs, a lot of this can be handled for you.
Requirement Summary
Control documented information to ensure it is available and suitable for use where and when needed.
Ensure that documented information is adequately protected, including from unauthorised access, alteration, and destruction.
Control distribution, access, retrieval, and use of documented information.
Control storage, preservation, and disposal of documented information.
Control external documented information deemed necessary for ISMS.
What an Auditor is Looking For
Procedures and controls for managing documented information.
Evidence that documented information is protected against unauthorised access and alterations.
Records of distribution, access, retrieval, and disposal of documented information.
Documentation showing control over external documented information.
Key Implementation Steps
Step | Description |
1 | Establish procedures for controlling documented information, covering distribution, access, retrieval, storage, preservation, and disposal. |
2 | Implement security measures to protect documented information from unauthorised access and alterations. |
3 | Ensure that all personnel are aware of and follow document control procedures. |
4 | Regularly audit and review the control mechanisms for documented information. |
5 | Maintain records of all activities related to the control of documented information, including handling of external documents. |
So, there you have it, all of Clause 7 (Support) explained. Nothing too scary, eh?
Clause 8: Operation
Clause 8 is straightforward to read. It concerns implementing the actions and risk methodology from Clause 6 (Planning).
However, there is a lot of meat on this bone. It's asking you to outline the processes you need as an organisation. Not only that, but you'll need to provide evidence of each process being adhered to.
Clause 8 mandates organisations to plan, implement, and control the necessary processes to meet ISMS requirements and address risks and opportunities identified in earlier clauses. This involves detailed operational planning and control, including setting criteria for process control, ensuring consistency and effectiveness in risk assessment, and implementing risk treatment plans to mitigate identified risks.
The clause emphasises maintaining documented information to provide evidence of process execution and control, ensuring that the ISMS operates as intended and achieves its security objectives.
So, while the standard's text is easy enough to read, implementation requires some heavy lifting.
8.1 Operational Planning and Control
Going back to Clause 6 (Planning), Clause 8.2 mandates that we put plans in place for each requirement (risks, activities, processes, etc.). I believe our American friends say, 'This is where the rubber hits the road.'
We need to action a plan to put in place the processes that we've said we need.
Requirement Summary
Plan, implement, and control the processes needed to meet ISMS requirements.
Implement actions identified in Clause 6.
Establish criteria for the processes and control their execution.
Maintain documented information to ensure confidence that processes have been carried out as planned.
What an Auditor is Looking For
Evidence of planned processes to meet ISMS requirements.
Documentation showing criteria for process control.
Records of process implementation and control activities.
Assurance that documented information supports process execution.
Key Implementation Steps
Step | Description |
1 | Identify and document processes necessary for ISMS operations. |
2 | Define criteria and control measures for each process. |
3 | Implement processes and control measures as planned. |
4 | Maintain and manage documented information to provide evidence of process control. |
5 | Review and update processes and controls as necessary to ensure effectiveness. |
8.2 Information Security Risk Assessment
Remember, in Clause 6.1.2, the standard asked us to outline the risk assessment methodology. This part of the standard is about implementing that methodology and having evidence of risks and their assessments.
A risk log and risk assessments should tick this box.
Requirement Summary
Conduct regular information security risk assessments.
Identify, analyse, and evaluate information security risks.
Ensure risk assessments are consistent and repeatable.
What an Auditor is Looking For
Documentation of regular risk assessment activities.
Records showing identified, analysed, and evaluated risks.
Evidence that risk assessments follow a consistent methodology.
Key Implementation Steps
Step | Description |
1 | Develop a risk assessment methodology. |
2 | Schedule regular risk assessments. |
3 | Conduct risk assessments to identify, analyse, and evaluate risks. |
4 | Document the findings and results of each risk assessment. |
5 | Ensure risk assessment activities are repeatable and consistent. |
8.3 Information Security Risk Treatment
The counterpart to 8.2 (Risk Assessments) is 8.3 (Risk Treatments).
You need a treatment plan for each risk in your log. This could be as simple as someone signing off to accept the risk or something more complicated like a project/action plan.
You can have one overarching risk treatment plan, or lots of individual ones.
So, implement the methodology you wrote down in 6.1.3 (Risk Treatment Methodology) and keep records of the activities.
Requirement Summary
Implement risk treatment plans to address identified risks.
Select appropriate risk treatment options (avoid, transfer, mitigate, or accept).
Maintain documented information on risk treatment actions.
What an Auditor is Looking For
Risk treatment plans and decisions.
Evidence of implemented risk treatment measures.
Records of risk treatment activities and outcomes.
Key Implementation Steps
Step | Description |
1 | Develop risk treatment plans based on risk assessment results. |
2 | Select and document appropriate risk treatment options for each identified risk. |
3 | Implement the selected risk treatment measures. |
4 | Maintain records of risk treatment activities and their effectiveness. |
5 | Review and update risk treatment plans as necessary. |
Clause 9: Performance Evaluation
Clause 9 and Performance Evaluation is about measuring your ISMS actions' effectiveness.
In the classic quality cycle, it's the "Check" part of the Plan-Do-Check-Act cycle of improvement.
We always want to improve the ISMS and its processes (Clause 10), but we need to know what's effective and what's not to make those improvements.
There are three main clauses, with several subsections that need exploring;
9.1 Monitoring, Measurement, Analysis, and Evaluation
9.2 Internal Audit
9.2.1 General
9.2.2 Internal Audit Programme
9.3 Management Review
9.3.1 General
9.3.2 Management Review Inputs
9.3.3 Management Review Results
9.1 Monitoring, Measurement, Analysis, and Evaluation
Measuring the performance of the Information Security Management System (ISMS) can be overwhelming if we let it.
Remember the mantra: start small and scale up going forward.
In this clause, we need to look across the ISMS and carefully determine which things to measure.
What indicators and metrics would tell us something helpful and could be acted upon, and what others would be 'noise'?
Requirement Summary
Determine what needs monitoring and measuring, including the processes and controls.
Establish monitoring, measurement, analysis, and evaluation methods to ensure valid results.
Specify when monitoring and measuring shall be performed.
Identify who shall monitor and measure.
Determine when results shall be analysed and evaluated.
Ensure documented information is available as evidence of the results.
What an Auditor is Looking For
Defined and documented criteria for monitoring and measurement.
Evidence of regular monitoring, measurement, and analysis activities.
Documentation of analysis and evaluation results.
Records of corrective actions taken based on evaluation results.
Key Implementation Steps
Step | Description |
1 | Define criteria and methods for monitoring and measuring ISMS performance. |
2 | Develop a monitoring and measurement plan, including timelines and responsibilities. |
3 | Conduct regular monitoring and measurement activities. |
4 | Analyse and evaluate the collected data against the defined criteria. |
5 | Document the results and use them to improve the ISMS. |
9.2 Internal Audit
ISO 27001 requires internal audits to ensure compliance with the standard. Clause 9.2 is divided into 3 sub-clauses that detail the auditing requirements.
9.2.1 General
First is a general requirements clause summarising the need to conduct internal audits against the ISO 27001 criteria and the organisation's requirements (anything you'd defined as uniquely 'you').
Requirement Summary
Conduct internal audits at planned intervals to provide information on whether the ISMS:
Conforms to the organisation's own requirements for its ISMS.
Conforms to the requirements of ISO 27001.
It is effectively implemented and maintained.
What an Auditor is Looking For
· An internal audit program with scheduled audits.
· Audit plans, criteria, scope, and methods.
· Records of audit results and findings.
· Evidence of corrective actions taken in response to audit findings.
Key Implementation Steps
Step | Description |
1 | Develop an internal audit program covering all ISMS aspects. |
2 | Define the scope, criteria, and methods for each audit. |
3 | Schedule and conduct audits as per the audit plan. |
4 | Document audit findings and communicate them to relevant parties. |
5 | Implement corrective actions and track their effectiveness. |
9.2.2 Internal Audit Program
Clause 9.2.2 follows the General statement of 9.2.1 and fleshes out the expectations. It states that you must have a clear audit program (who, what, when) and document your audit results.
Requirement Summary
Plan, establish, implement, and maintain an audit program that includes frequency, methods, responsibilities, planning requirements, and reporting.
Consider the importance of the processes and previous audits' results.
Define the audit criteria and scope for each audit.
Select auditors and conduct audits to ensure objectivity and impartiality.
Ensure that the results of the audits are reported to relevant management.
Retain documented information as evidence of the implementation of the audit program and audit results.
What an Auditor is Looking For
Documented audit program and plan.
Evidence of auditor qualifications and selection criteria.
Records of audit criteria, scope, and methodology.
Audit reports and records of follow-up actions.
Key Implementation Steps
Step | Description |
1 | Develop and document the internal audit program and plan. |
2 | Determine audit frequency, methods, and responsibilities based on process importance and previous audit results. |
3 | Define the criteria and scope for each audit. |
4 | Select qualified auditors, ensuring their objectivity and impartiality. |
5 | Conduct audits and report findings to relevant management. |
6 | Maintain records of audits and any follow-up actions. |
9.3 Management Review
This clause stipulates the need to have regular management reviews of various data, risks, audit results, etc.
9.3.1 General
The first part is the general requirement outline, which is that top management needs to be involved. So, call them together at least once a year and review the outputs of the ISMS. More frequently is desired but not mandated.
Requirement Summary
Top management must review the organisation's ISMS at planned intervals.
Ensure the ISMS's continuing suitability, adequacy, and effectiveness.
Reviews must be comprehensive and cover various aspects of the ISMS.
What an Auditor is Looking For
Evidence of scheduled management reviews.
Documentation showing that reviews are conducted at planned intervals.
Records of topics discussed and decisions made during the reviews.
Key Implementation Steps
Step | Description |
1 | Schedule management reviews at regular intervals (e.g., quarterly, annually). |
2 | Prepare review agendas covering all necessary ISMS aspects. |
3 | Ensure participation from top management and relevant stakeholders. |
4 | Document the outcomes and action items from each review. |
5 | Follow up on the implementation of action items to ensure continual improvement. |
9.3.2 Management Review Inputs
The standard outlines the inputs to the reviews. So, what information does the management team need to consider during the review?
Requirement Summary
The management review must consider the following:
The status of actions from previous management reviews.
Changes in external and internal issues relevant to the ISMS.
Feedback on the ISMS performance includes trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilling information security objectives.
Opportunities for continual improvement.
What an Auditor is Looking For
Comprehensive documentation of review inputs.
Evidence that all required inputs were considered during the review.
Records showing the analysis of ISMS performance and the identification of improvement opportunities.
Key Implementation Steps
Step | Description |
1 | Gather data on the status of actions from previous reviews. |
2 | Collect information on changes in external and internal issues affecting the ISMS. |
3 | Compile performance data, including nonconformities, corrective actions, and audit results. |
4 | Prepare a report summarising the review inputs for discussion. |
5 | Ensure all relevant inputs are analysed and discussed during the review. |
9.3.3 Management Review Outputs
Then, once the management review is conducted, what are the outputs from the review?
Requirement Summary
The results of the management review must include decisions and actions related to:
Opportunities for continual improvement.
Any need for changes to the ISMS.
Resource needs.
What an Auditor is Looking For
Documentation of decisions made during the review.
Records of action items related to continual improvement and ISMS changes.
Evidence of resource allocation to address identified needs.
Key Implementation Steps
Step | Description |
1 | Document decisions and action items resulting from the management review. |
2 | Assign responsibilities and deadlines for each action item. |
3 | Allocate necessary resources to implement the decisions. |
4 | Track the progress of action items and ensure their completion. |
5 | Review the effectiveness of implemented changes and improvements in subsequent reviews. |
Clause 10: Improvement
Clause 10 is the 'Act' part of the improvement cycle; PLAN-DO-CHECK-ACT.
The standard requires organisations to constantly improve their Information Security Management System (ISMS) and not allow it to go stale and stagnate, which, frankly, is relatively easy to do.
The good news is that if you've done everything else, such as setting up your monitoring, reporting, cycles of actions, and audits, then this should be done.
10.1 Continual Improvement
Clause 10.1 is another of the single-line statements that you need to improve continually, but if you aren't sure exactly what that might mean or look like, then here are some suggestions;
Requirement Summary
Continually improve the suitability, adequacy, and effectiveness of the ISMS.
Enhance information security performance.
What an Auditor is Looking For
Evidence of a structured approach to continual improvement.
Records showing actions taken to improve the ISMS.
Documentation of improvements and their impacts on ISMS performance.
Key Implementation Steps
Step | Description |
1 | Establish a process for continual improvement within the ISMS framework. |
2 | Regularly review and assess ISMS performance data. |
3 | Identify areas for improvement based on performance assessments. |
4 | Implement improvement actions and document the process. |
5 | Monitor and evaluate the effectiveness of implemented improvements. |
10.2 Nonconformity and Corrective Action
Nonconformities are a standard ISO term meaning records of where your system didn't work as expected.
So, for example,
Noncompliance with policies or procedures
Failure for something to happen as the ISMS laid out
A lack of evidence of training & awareness.
Such nonconformities can come from all sorts of sources, including audits and management reviews, and it's essential to make sure they are recorded somewhere and actioned upon so that you plug the gap and make sure it doesn't happen again.
Requirement Summary
When a nonconformity occurs, react to the nonconformity and, as applicable:
Take action to control and correct it.
Deal with the consequences.
Evaluate the need for actions to eliminate the causes of nonconformities to prevent recurrence.
Implement any action needed.
Review the effectiveness of corrective actions taken.
Make changes to the ISMS if necessary.
Retain documented information as evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action.
What an Auditor is Looking For
Records of identified nonconformities and corrective actions taken.
Evidence that corrective actions are effective.
Documentation of changes made to the ISMS to prevent recurrence.
Key Implementation Steps
Step | Description |
1 | Establish a process for identifying and documenting nonconformities. |
2 | Analyse nonconformities to determine their causes and impacts. |
3 | Develop and implement corrective actions to address the root causes. |
4 | Document the corrective actions taken and their outcomes. |
5 | Review and assess the effectiveness of the corrective actions. |
6 | Update the ISMS documentation and processes as necessary. |
10.3 Continual Improvement of the ISMS
To fully comply with ISO 27001, you must provide evidence of continually improving the ISMS.
Below is some additional guidance.
Requirement Summary
Continually improve the suitability, adequacy, and effectiveness of the ISMS through the information security policy, information security objectives, audit results, analysis of monitored events, corrective actions, and management reviews.
What an Auditor is Looking For
Evidence of ongoing improvement activities.
Documentation shows how feedback from audits, reviews, and monitoring drives improvements.
Records of implemented improvements and their effects on the ISMS.
Key Implementation Steps
Step | Description |
1 | Use outputs from audits, reviews, and monitoring to identify improvement opportunities. |
2 | Set clear objectives for improvement based on identified opportunities. |
3 | Develop and implement improvement plans. |
4 | Document and communicate improvements within the organisation. |
5 | Monitor the effectiveness of improvements and make further adjustments as needed. |
That's it for the ISO 27001:2022 standard and my whistle-stop tour; however, here is a warning…
ISO 27001 is really a standard in two parts: the main clauses, as per clauses 1 to 10 explored here, and the Annex A controls, which are captured in the Statement of Applicability. For example, the controls ask, ‘How do you handle malware?’ You explain your approach, or if the control is irrelevant to you, you explain why you omitted it. So, don't think you've met all the requirements by meeting the Clauses in 27001. Go back and review Clause 6.1.3. Then, look at Annex A of the standard.
|
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.
Comments