Heimdal

ISO 27001, sometimes referred to as ISO/IEC 27001, is an international standard that addresses organizational information security.

Issued in 2005 and revised in 2013, the ISO 27001 standard describes the requirements for an Information Security Management System (ISMS): a global set of controls and safeguards meant to preserve data privacy, protect sensitive information, improve the organization’s cybersecurity posture, and reduce business risk across all vital areas.

The document consists of two parts. The main part, which contains clauses one through eleven, sets out the organizational requirements for adopting ISO 27001, defines roles and responsibilities, and outlines the overall framework.

The second part of the standard, also called Annex A or the ISO 27001 controls, describes the guidelines for implementing the 114 controls and objectives of the ISO/IEC 27001 standard. In this article, we are going to tackle sections A5 through A18 of Annex A and discuss scopes, objectives, adoption challenges, and more. Enjoy!

Navigating Annex A of ISO 27001

Annex A of the standard contains 114 controls, which are divided into 14 areas or domains. Each domain contains an objective (i.e., scope), several controls (i.e., safeguards), and the guidelines for implementing the safeguards.

For instance, clause A.5 (i.e., Security policy) of Annex A has the objective to issue directions and support any type of information security endeavor within the confines of relevant laws/regulations and in accordance with the organization’s requirements.

Clause A5 contains 3 controls (i.e., Information security policy, Information security policy document, and Review of the information security policy) and instructions on how these safeguards should be implemented.

For example, in order to enforce sub-clause 1.1 of the A.5 domain, the owner (i.e., a member of staff charged with information security tasks) must produce an information security document and circulate it to management. If management approves it, the document is made available to all employees and relevant external parties, in written or digital form.

For ease of navigation, we have outlined Annex A’s domains and controls.


Domains


Clause  Description
A5      Security policy.
A6      Organization of information security.
A7      Human resource security.
A8      Asset management.
A9      Access control.
A10     Cryptography.
A11     Physical and environmental security.
A12     Operations security.
A13     Communications security.
A14     System acquisition, development, and maintenance.
A15     Supplier relationships.
A16     Information security incident management.
A17     Information security aspects of business continuity management.
A18     Compliance.

Controls


Main clause and sub-clause  Control description
6.1      Internal organization
6.1.1    Information security roles and responsibilities
6.1.2    Segregation of duties
6.1.3    Contact with authorities
6.1.4    Contact with special interest groups
6.1.5    Information security in project management
6.2      Mobile devices and teleworking
6.2.1    Mobile device policy
6.2.2    Teleworking
7        Human resource security
7.1      Prior to employment
7.1.1    Screening
7.1.2    Terms and conditions of employment
7.2      During employment
7.2.1    Management responsibilities
7.2.2    Information security awareness, education and training
7.2.3    Disciplinary process
7.3      Termination and change of employment
7.3.1    Termination or change of employment responsibilities
8        Asset management
8.1      Responsibility for assets
8.1.1    Inventory of assets
8.1.2    Ownership of assets
8.1.3    Acceptable use of assets
8.1.4    Return of assets
8.2      Information classification
8.2.1    Classification of information
8.2.2    Labelling of information
8.2.3    Handling of assets
8.3      Media handling
8.3.1    Management of removable media
8.3.2    Disposal of media
8.3.3    Physical media transfer
9        Access control
9.1      Business requirements of access control
9.1.1    Access control policy
9.1.2    Access to networks and network services
9.2      User access management
9.2.1    User registration and de-registration
9.2.2    User access provisioning
9.2.3    Management of privileged access rights
9.2.4    Management of secret authentication information of users
9.2.5    Review of user access rights
9.2.6    Removal or adjustment of access rights
9.3      User responsibilities
9.3.1    Use of secret authentication information
9.4      System and application access control
9.4.1    Information access restriction
9.4.2    Secure log-on procedures
9.4.3    Password management system
9.4.4    Use of privileged utility programs
9.4.5    Access control to program source code
10       Cryptography
10.1     Cryptographic controls
10.1.1   Policy on the use of cryptographic controls
10.1.2   Key management
11       Physical and environmental security
11.1     Secure areas
11.1.1   Physical security perimeter
11.1.2   Physical entry controls
11.1.3   Securing offices, rooms and facilities
11.1.4   Protecting against external and environmental threats
11.1.5   Working in secure areas
11.1.6   Delivery and loading areas
11.2     Equipment
11.2.1   Equipment siting and protection
11.2.2   Supporting utilities
11.2.3   Cabling security
11.2.4   Equipment maintenance
11.2.5   Removal of assets
11.2.6   Security of equipment and assets off-premises
11.2.7   Secure disposal or reuse of equipment
11.2.8   Unattended user equipment
11.2.9   Clear desk and clear screen policy
12       Operations security
12.1     Operational procedures and responsibilities
12.1.1   Documented operating procedures
12.1.2   Change management
12.1.3   Capacity management
12.1.4   Separation of development, testing and operational environments
12.2     Protection from malware
12.2.1   Controls against malware
12.3     Backup
12.3.1   Information backup
12.4     Logging and monitoring
12.4.1   Event logging
12.4.2   Protection of log information
12.4.3   Administrator and operator logs
12.4.4   Clock synchronization
12.5     Control of operational software
12.5.1   Installation of software on operational systems
12.6     Technical vulnerability management
12.6.1   Management of technical vulnerabilities
12.6.2   Restrictions on software installation
12.7     Information systems audit considerations
12.7.1   Information systems audit controls
13       Communications security
13.1     Network security management facilities
13.1.1   Network controls
13.1.2   Security of network services
13.1.3   Segregation in networks
13.2     Information transfer
13.2.1   Information transfer policies and procedures
13.2.2   Agreements on information transfer
13.2.3   Electronic messaging
13.2.4   Confidentiality or nondisclosure agreements
14       System acquisition, development and maintenance
14.1     Security requirements of information systems
14.1.1   Information security requirements analysis and specification
14.1.2   Securing application services on public networks
14.1.3   Protecting application services transactions
14.2     Security in development and support processes
14.2.1   Secure development policy
14.2.2   System change control procedures
14.2.3   Technical review of applications after operating platform changes
14.2.4   Restrictions on changes to software packages
14.2.5   Secure system engineering principles
14.2.6   Secure development environment
14.2.7   Outsourced development
14.2.8   System security testing
14.2.9   System acceptance testing
14.3     Test data
14.3.1   Protection of test data
15       Supplier relationships
15.1     Information security in supplier relationships
15.1.1   Information security policy for supplier relationships
15.1.2   Addressing security within supplier agreements
15.1.3   Information and communication technology supply chain
15.2     Supplier service delivery management
15.2.1   Monitoring and review of supplier services
15.2.2   Managing changes to supplier services
16       Information security incident management
16.1     Management of information security incidents and improvements
16.1.1   Responsibilities and procedures
16.1.2   Reporting information security events
16.1.3   Reporting information security weaknesses
16.1.4   Assessment of and decision on information security events
16.1.5   Response to information security incidents
16.1.6   Learning from information security incidents
16.1.7   Collection of evidence
17       Information security aspects of business continuity management
17.1     Information security continuity
17.1.1   Planning information security continuity
17.1.2   Implementing information security continuity
17.1.3   Verify, review and evaluate information security continuity
17.2     Redundancies
17.2.1   Availability of information processing facilities
18       Compliance
18.1     Compliance with legal and contractual requirements
18.1.1   Identification of applicable legislation and contractual requirements
18.1.2   Intellectual property rights
18.1.3   Protection of records
18.1.4   Privacy and protection of personally identifiable information
18.1.5   Regulation of cryptographic controls
18.2     Information security reviews
18.2.1   Independent review of information security
18.2.2   Compliance with security policies and standards
18.2.3   Technical compliance review

Benefits of Adopting ISO 27001 Controls

Adopting ISO 27001 controls offers a multitude of advantages for organizations. Firstly, it enhances data security by providing a systematic framework for identifying, managing, and mitigating information risks.

This not only safeguards sensitive data but also builds trust with customers and stakeholders. ISO 27001 promotes operational efficiency through clearly defined processes, reducing the likelihood of security breaches and downtime.

Additionally, it aids in compliance with legal and regulatory requirements, preventing costly fines and legal issues. The certification also bolsters an organization’s competitive edge, as it demonstrates a commitment to data security and can be a differentiator in the marketplace.

Furthermore, ISO 27001’s continuous improvement approach ensures that security measures remain up-to-date and effective, thus contributing to a more resilient, secure, and trustworthy business environment.

ISO 27001 Controls Explained

Below, you can find all controls encompassed in the ISO 27001 standard. Note that the numbering in this section follows the 2005 edition of Annex A (domains A.5 through A.15), whereas the tables above follow the 2013 edition (A.5 through A.18), so clause numbers and control names differ between the two.

A.5 Security Policy

A.5.1 Information Security Policy

Objective: This section aims to establish management guidance and endorsement for information security, aligning it with business needs and applicable laws and regulations.

A.5.1.1 Documenting the Information Security Policy

Control

The information security policy document must receive approval from management, be made accessible to all employees and relevant external parties, and be effectively communicated to them.

A.5.1.2 Periodic Review of the Information Security Policy

Control

The information security policy should undergo regular assessments at planned intervals or when significant changes arise to ensure its continued appropriateness, sufficiency, and effectiveness.

A.6 Organization of Information Security

A.6.1 Internal Organization

Objective: Ensure effective management of information security within the organization.

A.6.1.1 Commitment of Management to Information Security

Control

Management must actively endorse and support security within the organization by providing clear guidance, demonstrating their commitment, explicitly assigning roles, and acknowledging information security responsibilities.

A.6.1.2 Coordination of Information Security

Control

Information security activities should be coordinated by representatives from various parts of the organization who hold relevant roles and job functions.

A.6.1.3 Allocation of Information Security Responsibilities

Control

All information security responsibilities must have well-defined and clear descriptions.

A.6.1.4 Authorization Process for Information Processing Facilities

Control

An established management authorization process for new information processing facilities must be defined and put into practice.

A.6.1.5 Confidentiality Agreements

Control

Requirements for confidentiality or non-disclosure agreements that align with the organization’s information protection needs should be identified and regularly reviewed.

A.6.1.6 Communication with Authorities

Control

Appropriate communication channels with relevant authorities must be maintained.

A.6.1.7 Engagement with Special Interest Groups

Control

Appropriate connections with special interest groups and other specialized security forums and professional associations should be upheld.

A.6.1.8 Independent Review of Information Security

Control

The organization’s approach to managing information security, including control objectives, controls, policies, processes, and procedures, must be independently reviewed at planned intervals or when significant changes to the security implementation occur.

A.6.2 External Parties

Objective: Safeguard the organization’s information and information processing facilities accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of Risks Related to External Parties

Control

Identify risks to the organization’s information and information processing facilities arising from business processes involving external parties, and implement appropriate controls before granting access.

A.6.2.2 Addressing Security when Dealing with Customers

Control

Address all identified security requirements before providing customers access to the organization’s information or assets.

A.6.2.3 Addressing Security in Third-Party Agreements

Control

Ensure that agreements with third parties involving access, processing, communication, or management of the organization’s information or information processing facilities, or the addition of products or services to information processing facilities, cover all relevant security requirements.

A.7 Asset Management

A.7.1 Responsibility for Assets

Objective: To establish and maintain the appropriate protection for organizational assets.

A.7.1.1 Asset Inventory

Control

All assets must be clearly identified, and a comprehensive inventory of significant assets should be created and kept up-to-date.

A.7.1.2 Ownership of Assets

Control

Information and assets associated with information processing facilities should be under the ownership of a designated department within the organization.

A.7.1.3 Acceptable Use of Assets

Control

Regulations governing the acceptable use of information and assets linked to information processing facilities need to be identified, documented, and put into practice.

A.7.2 Information Classification

Objective: Ensure that information receives the appropriate level of protection.

A.7.2.1 Classification Guidelines

Control

Information should be classified based on its value, legal requirements, sensitivity, and criticality to the organization.

A.7.2.2 Information Labeling and Handling

Control

A suitable set of procedures for labeling and handling information should be developed and implemented in alignment with the organization’s chosen classification scheme.

A.8 Human Resources Security

A.8.1 Prior to Employment

Objective: Ensure that employees, contractors, and third-party users comprehend their responsibilities, are suited for their roles, and minimize the risk of theft, fraud, or facility misuse.

A.8.1.1 Roles and Responsibilities

Control

Clearly define and document the security roles and responsibilities of employees, contractors, and third-party users in accordance with the organization’s information security policy.

A.8.1.2 Screening

Control

Conduct background checks on all job candidates, contractors, and third-party users in compliance with relevant laws, regulations, ethics, and commensurate with business requirements, the information access classification, and perceived risks.

A.8.1.3 Terms and Conditions of Employment

Control

As part of their employment contract, employees, contractors, and third-party users should agree to and sign the terms and conditions, outlining their and the organization’s responsibilities for information security.

A.8.2 During Employment

Objective: Ensure that all employees, contractors, and third-party users are aware of information security threats, their responsibilities, and liabilities, and are equipped to uphold the organization’s security policy in their regular work, reducing the risk of human error.

A.8.2.1 Management Responsibilities

Control

Management should require employees, contractors, and third-party users to adhere to security practices as per the organization’s established policies and procedures.

A.8.2.2 Information Security Awareness, Education, and Training

Control

All organization employees, and where applicable, contractors and third-party users, should receive relevant awareness training and regular updates on organizational policies and procedures tailored to their job function.

A.8.2.3 Disciplinary Process

Control

A formal disciplinary process should be in place for employees who breach security regulations.

A.8.3 Termination or Change of Employment

Objective: Ensure that employees, contractors, and third-party users depart from the organization or change their employment status in an orderly manner.

A.8.3.1 Termination Responsibilities

Control

Responsibilities for handling employment termination or employment changes should be clearly defined and assigned.

A.8.3.2 Return of Assets

Control

Upon the termination of their employment, contract, or agreement, all employees, contractors, and third-party users should return all of the organization’s assets in their possession.

A.8.3.3 Removal of Access Rights

Control

Access rights to information and information processing facilities should be revoked upon the termination of employment, contract, or agreement or adjusted in the event of a change.

A.9 Physical and Environmental Security

A.9.1 Secure Areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.

A.9.1.1 Physical Security Perimeter

Control

Security perimeters, including walls, card-controlled entry gates, or manned reception desks, should be deployed to protect areas housing information and information processing facilities.

A.9.1.2 Physical Entry Controls

Control

Secure areas must have effective entry controls in place to ensure only authorized personnel gain access.

A.9.1.3 Securing Offices, Rooms, and Facilities

Control

Physical security measures for offices, rooms, and facilities need to be designed and implemented.

A.9.1.4 Protection Against External and Environmental Threats

Control

Physical safeguards against threats like fire, flood, earthquakes, explosions, civil unrest, and other natural or man-made disasters should be planned and implemented.

A.9.1.5 Working in Secure Areas

Control

Guidelines and physical protections for working in secure areas should be established and put into practice.

A.9.1.6 Public Access, Delivery, and Loading Areas

Control

Access points like delivery and loading areas, where unauthorized individuals could potentially enter the premises, should be controlled and, if feasible, separated from information processing facilities to prevent unauthorized access.

A.9.2 Equipment Security

Objective: To prevent loss, damage, theft, or compromise of assets and minimize disruptions to organizational activities.

A.9.2.1 Equipment Siting and Protection

Control

Equipment should be appropriately placed or protected to mitigate environmental risks and unauthorized access.

A.9.2.2 Supporting Utilities

Control

Equipment must be safeguarded against power failures and disruptions caused by utility failures.

A.9.2.3 Cabling Security

Control

Protect power and telecommunications cabling used for data or information services to prevent interception or damage.

A.9.2.4 Equipment Maintenance

Control

Ensure equipment is regularly maintained to guarantee its continued availability and integrity.

A.9.2.5 Security of Off-Site Equipment

Control

Apply security measures to off-site equipment while considering the unique risks of working outside the organization’s premises.

A.9.2.6 Secure Disposal or Reuse of Equipment

Control

All equipment with storage media should be checked to ensure sensitive data and licensed software are removed or securely overwritten before disposal.

A.9.2.7 Removal of Property

Control

Equipment, information, or software should not be taken off-site without prior authorization.

A.10 Communications and Operations Management

A.10.1 Operational Procedures and Responsibilities

Objective: To ensure correct and secure operation of information processing facilities.

A.10.1.1 Documented Operating Procedures

Control

Document, maintain, and provide operating procedures to all users who require them.

A.10.1.2 Change Management

Control

Manage changes to information processing facilities and systems effectively.

A.10.1.3 Segregation of Duties

Control

Separate duties and areas of responsibility to minimize opportunities for unauthorized or unintentional modification or misuse of organizational assets.

A.10.1.4 Separation of Development, Test, and Operational Facilities

Control

Keep development, test, and operational facilities separate to reduce the risk of unauthorized access or changes to the operational system.

A.10.2 Third-Party Service Delivery Management

Objective: Implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements.

A.10.2.1 Service Delivery

Control

Ensure that the security controls, service definitions, and delivery levels outlined in third-party service delivery agreements are effectively implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and Review of Third-Party Services

Control

Regularly monitor and review the services, reports, and records provided by third parties, and conduct regular audits.

A.10.2.3 Managing Changes to Third-Party Services

Control

Manage changes to service provision, including the maintenance and enhancement of existing information security policies, procedures, and controls. Consider the criticality of business systems and processes and reassess risks.

A.10.3 System Planning and Acceptance

Objective: Minimize the risk of system failures.

A.10.3.1 Capacity Management

Control

Monitor resource utilization, tune systems, and project future capacity requirements to ensure required system performance.

A.10.3.2 System Acceptance

Control

Establish acceptance criteria for new information systems, upgrades, and new versions, and conduct suitable tests during development and prior to acceptance.

A.10.4 Protection Against Malicious and Mobile Code

Objective: Protect the integrity of software and information.

A.10.4.1 Controls Against Malicious Code

Control

Implement detection, prevention, and recovery controls to safeguard against malicious code, along with appropriate user awareness procedures.

A.10.4.2 Controls Against Mobile Code

Control

Configure authorized mobile code to operate according to a clearly defined security policy and prevent unauthorized mobile code from executing.

A.10.5 Backup

Objective: Maintain the integrity and availability of information and information processing facilities.

A.10.5.1 Information Backup

Control

Regularly create backup copies of information and software following the agreed backup policy and test them for reliability.

A.10.6 Network Security Management

Objective: Ensure information in networks and the supporting infrastructure is protected.

A.10.6.1 Network Controls

Control

Properly manage and control networks to protect against threats and maintain security for systems and applications using the network, including information in transit.

A.10.6.2 Security of Network Services

Control

Identify the security features, service levels, and management requirements for all network services, whether in-house or outsourced, and include them in network services agreements.

A.10.7 Media Handling

Objective: Prevent unauthorized disclosure, modification, removal, or destruction of assets and business interruptions.

A.10.7.1 Management of Removable Media

Control

Establish procedures for managing removable media.

A.10.7.2 Disposal of Media

Control

Dispose of media securely and safely when no longer needed, following formal procedures.

A.10.7.3 Information Handling Procedures

Control

Establish procedures for handling and storing information to protect it from unauthorized disclosure or misuse.

A.10.7.4 Security of System Documentation

Control

Protect system documentation against unauthorized access.

A.10.8 Exchange of Information

Objective: Maintain the security of information and software exchanged within the organization and with external entities.

A.10.8.1 Information Exchange Policies and Procedures

Control

Implement formal policies, procedures, and controls to protect the exchange of information using various communication facilities.

A.10.8.2 Exchange Agreements

Control

Establish agreements for the exchange of information and software between the organization and external parties.

A.10.8.3 Physical Media in Transit

Control

Protect media containing information from unauthorized access, misuse, or corruption during transportation beyond the organization’s physical boundaries.

A.10.8.4 Electronic Messaging

Control

Ensure the security of information involved in electronic messaging.

A.10.8.5 Business Information Systems

Control

Develop and implement policies and procedures to protect information related to interconnected business information systems.

A.10.9 Electronic Commerce Services

Objective: Ensure the security of electronic commerce services and their secure use.

A.10.9.1 Electronic Commerce

Control

Protect information involved in electronic commerce when transmitted over public networks from fraudulent activity, contract disputes, unauthorized disclosure, and modification.

A.10.9.2 On-line Transactions

Control

Secure information involved in online transactions to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.

A.10.9.3 Publicly Available Information

Control

Protect the integrity of information made available on publicly accessible systems to prevent unauthorized modification.

A.10.10 Monitoring

Objective: Detect unauthorized information processing activities.

A.10.10.1 Audit Logging

Control

Generate and maintain audit logs recording user activities, exceptions, and information security events for an agreed period to aid future investigations and access control monitoring.

A.10.10.2 Monitoring System Use

Control

Establish procedures for monitoring the use of information processing facilities and regularly review the results.

A.10.10.3 Protection of Log Information

Control

Safeguard logging facilities and log information from tampering and unauthorized access.

A.10.10.4 Administrator and Operator Logs

Control

Log the activities of system administrators and operators.

A.10.10.5 Fault Logging

Control

Log faults, analyze them, and take appropriate action.

A.10.10.6 Clock Synchronization

Control

Synchronize the clocks of all relevant information processing systems within an organization or security domain with a reliable time source.

A.11 Access Control

Objective: To manage access to information.

A.11.1 Business Requirement for Access Control

Control

Establish, document, and periodically review an access control policy based on business and security requirements.

A.11.2 User Access Management

Objective: To ensure authorized user access and prevent unauthorized access to information systems.

A.11.2.1 User Registration

Control

Implement a formal procedure for user registration and de-registration to grant and revoke access to information systems and services.

A.11.2.2 Privilege Management

Control

Restrict and control the allocation and use of privileges.

A.11.2.3 User Password Management

Control

Control password allocation through a formal management process.

A.11.2.4 Review of User Access Rights

Control

Conduct regular management reviews of users’ access rights using a formal process.

A.11.3 User Responsibilities

Objective: To prevent unauthorized user access and protect information and facilities.

A.11.3.1 Password Use

Control

Ensure users adhere to good security practices when selecting and using passwords.

A.11.3.2 Unattended User Equipment

Control

Ensure unattended equipment has adequate protection.

A.11.3.3 Clear Desk and Clear Screen Policy

Control

Adopt clear desk and clear screen policies for papers, removable storage media, and information processing facilities.

A.11.4 Network Access Control

Objective: To prevent unauthorized access to networked services.

A.11.4.1 Policy on Use of Network Services

Control

Provide users access only to services they are specifically authorized to use.

A.11.4.2 User Authentication for External Connections

Control

Use appropriate authentication methods to control remote user access.

A.11.4.3 Equipment Identification in Networks

Control

Consider automatic equipment identification to authenticate connections from specific locations and equipment.

A.11.4.4 Remote Diagnostic and Configuration Port Protection

Control

Control physical and logical access to diagnostic and configuration ports.

A.11.4.5 Segregation in Networks

Control

Segregate groups of information services, users, and information systems on networks.

A.11.4.6 Network Connection Control

Control

Restrict users’ ability to connect to the network on shared networks, especially those extending across organizational boundaries, in alignment with the access control policy and business application requirements.

A.11.4.7 Network Routing Control

Control

Implement routing controls on networks to ensure that computer connections and information flows comply with the business application’s access control policy.

A.11.5 Operating System Access Control

Objective: To prevent unauthorized access to operating systems.

A.11.5.1 Secure Log-On Procedures

Control

Control access to operating systems through secure log-on procedures.

A.11.5.2 User Identification and Authentication

Control

Assign all users unique identifiers (user IDs) for personal use, and choose suitable authentication methods to confirm a user’s claimed identity.

A.11.5.3 Password Management System

Control

Implement interactive password management systems that ensure high-quality passwords.

A.11.5.4 Use of System Utilities

Control

Restrict and tightly control the use of utility programs that could potentially override system and application controls.

A.11.5.5 Session Time-Out

Control

Automatically shut down inactive sessions after a defined period of inactivity.

A.11.5.6 Limitation of Connection Time

Control

Use connection time restrictions to enhance security for high-risk applications.

A.11.6 Application and Information Access Control

Objective: To prevent unauthorized access to information in application systems.

A.11.6.1 Information Access Restriction

Control

Restrict access to information and application system functions in accordance with the defined access control policy.

A.11.6.2 Sensitive System Isolation

Control

Dedicate isolated computing environments to sensitive systems.

A.11.7 Mobile Computing and Teleworking

Objective: Ensure information security when using mobile computing and teleworking facilities.

A.11.7.1 Mobile Computing and Communications

Control

Establish a formal policy and adopt security measures to protect against the risks of using mobile computing and communication facilities.

A.11.7.2 Teleworking

Control

Develop and implement policies, operational plans, and procedures for teleworking activities.

A.12 Information Systems Acquisition, Development, and Maintenance

A.12.1 Security Requirements of Information Systems

Objective: Ensure security is an integral part of information systems.

A.12.1.1 Security Requirements Analysis and Specification

Control

Specify security control requirements in business requirements for new information systems or enhancements to existing information systems.

A.12.2 Correct Processing in Applications

Objective: Prevent errors, loss, unauthorized modification, or misuse of information in applications.

A.12.2.1 Input Data Validation

Control

Validate data input to applications to ensure correctness and appropriateness.

A.12.2.2 Control of Internal Processing

Control

Incorporate validation checks into applications to detect information corruption due to processing errors or deliberate actions.

A.12.2.3 Message Integrity

Control

Identify requirements for ensuring message authenticity and integrity in applications, and implement appropriate controls.

A.12.2.4 Output Data Validation

Control

Validate data output from applications to ensure processing of stored information is correct and appropriate to the circumstances.

A.12.3 Cryptographic Controls

Objective: Protect the confidentiality, authenticity, or integrity of information through cryptographic means.

A.12.3.1 Policy on Use of Cryptographic Controls

Control

Develop and implement a policy for the use of cryptographic controls to protect information.

A.12.3.2 Key Management

Control

Establish key management practices to support the organization’s use of cryptographic techniques.

A.12.4 Security of System Files

Objective: Ensure the security of system files.

A.12.4.1 Control of Operational Software

Control

Implement procedures to control the installation of software on operational systems.

A.12.4.2 Protection of System Test Data

Control

Carefully select, protect, and control test data.

A.12.4.3 Access Control to Program Source Code

Control

Restrict access to program source code.

A.12.5 Security in Development and Support Processes

Objective: Maintain the security of application system software and information.

A.12.5.1 Change Control Procedures

Control

Control the implementation of changes using formal change control procedures.

A.12.5.2 Technical Review of Applications After Operating System Changes

Control

Review and test critical business applications when operating systems change to ensure no adverse impact on operations or security.

A.12.5.3 Restrictions on Changes to Software Packages

Control

Discourage and strictly control modifications to software packages, limiting changes to what is necessary.

A.12.5.4 Information Leakage

Control

Prevent opportunities for information leakage.

A.12.5.5 Outsourced Software Development

Control

Supervise and monitor outsourced software development.

A.12.6 Technical Vulnerability Management

Objective: Reduce risks from exploitation of known technical vulnerabilities.

A.12.6.1 Control of Technical Vulnerabilities

Control

Obtain timely information about technical vulnerabilities in used information systems, assess the organization’s exposure to such vulnerabilities, and take appropriate measures to address associated risks.

A.13 Information Security Incident Management

A.13.1 Reporting Information Security Events and Weaknesses

Objective: Ensure timely communication of information security events and weaknesses.

A.13.1.1 Reporting Information Security Events

Control

Promptly report information security events through appropriate management channels.

A.13.1.2 Reporting Security Weaknesses

Control

Require employees, contractors, and third-party users to report observed or suspected security weaknesses in systems or services.

A.13.2 Management of Information Security Incidents and Improvements

Objective: Apply a consistent and effective approach to manage information security incidents.

A.13.2.1 Responsibilities and Procedures

Control

Establish management responsibilities and procedures for quick, effective responses to information security incidents.

A.13.2.2 Learning from Information Security Incidents

Control

Implement mechanisms to quantify and monitor the types, volumes, and costs of information security incidents.

A.13.2.3 Collection of Evidence

Control

When pursuing legal actions against individuals or organizations after an information security incident, collect, retain, and present evidence in compliance with relevant jurisdictional rules for evidence.

A.14 Business Continuity Management

A.14.1 Information Security Aspects of Business Continuity Management

Objective: Counteract interruptions to business activities and protect critical processes from major information system failures or disasters.

A.14.1.1 Including Information Security in the Business Continuity Management Process

Control

Develop and maintain a managed process for business continuity throughout the organization, addressing information security requirements for business continuity.

A.14.1.2 Business Continuity and Risk Assessment

Control

Identify events that can interrupt business processes, assess the probability and impact of such interruptions, and consider their consequences for information security.

A.14.1.3 Developing and Implementing Continuity Plans, Including Information Security

Control

Develop and implement plans to maintain or restore operations and ensure information availability at required levels and within specified timeframes after interruptions or critical business process failures.

A.14.1.4 Business Continuity Planning Framework

Control

Maintain a unified framework for business continuity plans to ensure consistency, address information security requirements, and identify priorities for testing and maintenance.

A.14.1.5 Testing, Maintaining, and Reassessing Business Continuity Plans

Control

Regularly test and update business continuity plans to keep them current and effective.

A.15 Compliance

A.15.1 Compliance with Legal Requirements

Objective: Avoid breaches of legal, regulatory, and contractual obligations, as well as security requirements.

A.15.1.1 Identification of Applicable Legislation

Control

Explicitly define, document, and update all relevant statutory, regulatory, and contractual requirements, as well as the organization’s approach to meeting these requirements for each information system and the organization.

A.15.1.2 Intellectual Property Rights (IPR)

Control

Implement appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements regarding the use of materials subject to intellectual property rights and proprietary software products.

A.15.1.3 Protection of Organizational Records

Control

Protect important records from loss, destruction, and falsification in compliance with statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data Protection and Privacy of Personal Information

Control

Ensure data protection and privacy in accordance with relevant legislation, regulations, and contractual clauses, if applicable.

A.15.1.5 Prevention of Misuse of Information Processing Facilities

Control

Dissuade users from using information processing facilities for unauthorized purposes.

A.15.1.6 Regulation of Cryptographic Controls

Control

Apply cryptographic controls in compliance with all relevant agreements, laws, and regulations.

A.15.2 Compliance with Security Policies and Standards, and Technical Compliance

Objective: Ensure systems comply with organizational security policies and standards.

A.15.2.1 Compliance with Security Policies and Standards

Control

Ensure that managers correctly implement all security procedures within their areas of responsibility to achieve compliance with security policies and standards.

A.15.2.2 Technical Compliance Checking

Control

Regularly check information systems for compliance with security implementation standards.

A.15.3 Information Systems Audit Considerations

Objective: Maximize the effectiveness of information systems audits and minimize interference.

A.15.3.1 Information Systems Audit Controls

Control

Plan audit requirements and activities related to checks on operational systems carefully and in collaboration to minimize the risk of disruptions to business processes.

A.15.3.2 Protection of Information Systems Audit Tools

Control

Protect access to information systems audit tools to prevent misuse or compromise.

ISO 27001 Controls FAQ (Frequently Asked Questions)

Q: What are the key components of an ISO 27001 Information Security Management System (ISMS)?

A: The key components of an ISO 27001 ISMS include a structured framework, a risk assessment process, security policies and procedures, an organization’s security objectives, and a continual improvement process.

Q: How does ISO 27001 define the scope of an ISMS, and what documentation is required?

A: ISO 27001 defines the scope of an ISMS through the Statement of Applicability (SoA). Required documentation includes the Information Security Policy, Risk Assessment Report, and various procedures and work instructions.

Q: Can you explain the significance of ISO 27001 controls in mitigating information security risks?

A: ISO 27001 controls play a crucial role in mitigating information security risks by providing technical and administrative safeguards to protect sensitive data and systems, reducing vulnerabilities, and enforcing security measures.

Q: What’s the role of the Statement of Applicability (SoA) in ISO 27001, and how is it prepared?

A: The Statement of Applicability (SoA) is a critical document in ISO 27001, specifying which security controls are applicable and justifying their inclusion based on risk assessment. It requires technical expertise to prepare and align controls with organizational requirements.

Q: In the context of ISO 27001, how is risk assessed, and what methodologies can be employed?

A: ISO 27001 provides guidance on risk assessment methodologies. Common approaches include quantitative and qualitative risk analysis, as well as frameworks like OCTAVE or FAIR.

Q: What are the specific technical controls and safeguards outlined in ISO 27001, such as encryption or access control?

A: Technical controls in ISO 27001 encompass access control mechanisms, encryption protocols, secure configuration management, intrusion detection systems, and other safeguards to protect information and systems.

Q: How does ISO 27001 address the concept of business continuity and disaster recovery?

A: ISO 27001 addresses business continuity and disaster recovery through technical controls like redundant data centers, backup systems, and failover procedures to ensure data availability and system resilience.

Q: What is the relationship between ISO 27001 and other security standards like ISO 27002 or NIST SP 800-53?

A: ISO 27001 is harmonized with ISO 27002, which provides detailed guidelines on information security controls. Organizations often map ISO 27001 controls to other security standards, such as NIST SP 800-53, to ensure compliance with various requirements.

Q: Can you elaborate on the auditing and certification process for ISO 27001 compliance, including stages and criteria?

A: The auditing and certification process involves an initial audit by a certification body to assess compliance with ISO 27001. It includes stages such as planning, documentation review, on-site audit, and issuance of the ISO 27001 certificate based on established criteria.

Q: How does ISO 27001 promote continual improvement, and what are the technical aspects involved in this process?

A: ISO 27001 promotes continual improvement through regular reviews and updates of the ISMS. Technical aspects involve monitoring security controls, conducting vulnerability assessments, and addressing any weaknesses or gaps to enhance the overall security posture. This process is vital for adapting to evolving threats and technologies.

Conclusion

Adopting ISO 27001 is paramount for organizations in today’s data-driven landscape. It ensures robust data security, legal compliance, operational efficiency, and competitive advantage.

The benefits of ISO 27001, including enhanced trust, resilience, and continuous improvement, underscore its vital role in safeguarding sensitive information and fostering long-term success in an increasingly interconnected world.

If you want to keep up to date with everything we post, don’t forget to follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.

Author Profile

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.
