Overview of ISO 27001:2022
Like many other modern management system standards, the requirements of ISO 27001 are set out in 10 sections.
The similarity with other management system standards continues in section 6, which carries the risk management requirements, including determining the applicability of a control set. That control set is included in Annex A of the standard.
Section 1: Scope
Section 1 (Scope) introduces the standard and what it is designed to achieve.
Section 2: Normative references
Section 2 refers to other documents that support the ISO 27001 standard (it refers to ISO 27000, which includes an overview and vocabulary).
Section 3: Terms and definitions
Section 3 is where terms and definitions are referenced; again, it refers to those found in ISO 27000.
Section 4: Context of the organisation
Organisations are required to determine internal and external issues and the requirements of interested parties. The issues referred to can be understood in terms of organisational context: the internal and external factors that influence the way the organisation operates, its culture and its overall environment, all of which may affect information security management outcomes. Further guidance on organisational context can be found within ISO 31000 Risk Management.
Requirements of interested parties or stakeholders may include legal and regulatory requirements and extend to contractual obligations.
The organisation is also required to establish the scope of the ISMS (Information Security Management System) determining and documenting its ‘boundaries and applicability’.
Finally, this section reminds us that the ISMS must promote the ‘process approach’ in its application.
Section 5: Leadership
Top management are required to demonstrate leadership and a commitment to information security. They must ensure that their organisation’s information security policy and objectives are compatible with its strategic direction, whilst ensuring that resources are available. ISMS requirements and information security practices must be integrated into business processes. Reference to ‘the business’ can be broadly interpreted as the core of the organisation’s existence, with direction, support and ultimately responsibility for the success of its secure information systems resting with senior leaders.
Policy elements are defined in this section too, as is the consideration of roles and responsibilities.
Section 6: Planning
Central to the requirements of ISO 27001, this section takes our ‘process approach’ and applies it to how we do things, where information security vulnerabilities are, and how we ensure controls are identified to mitigate any perceived or actual risk. It requires a documented risk assessment process leading to the application of defined risk treatment, including control options. The risk treatment process includes one of the most important documents in ISO 27001 – the Statement of Applicability. Applicability of what? I hear you ask. Annex A of the standard lists a number of controls (again, if the concept of risk management and controls is unfamiliar, ISO 31000 is your friend). The standard asks that you review the controls listed and record the justification for including or excluding each one, according to whether it contributes to the control of your information security risks.
Objectives should be set at relevant functions and levels, with assigned metrics where practicable, and then implemented. Change management is included here too, whereas in older versions of the standard it was simply included in the control set.
Section 7: Support
Resources are in place to ensure the effective operation of the ISMS. This includes competent personnel. Persons working under the control of an organisation are made aware of their contribution to the effectiveness of the information security management system. Internal and external communication requirements are defined.
Documented information required by the standard and by the organisation itself is considered, including wider elements of document control.
Section 8: Operation
Operational processes are planned, implemented, and controlled. This section largely takes what has gone before in section 6 and promotes its application through determined criteria and controls. Importantly, records are required here to give confidence that the processes are carried out as planned.
Section 9: Performance Evaluation
ISMS performance and effectiveness are evaluated. What, how and when to measure is determined, and the results are analysed (data is key). Internal audits take place. Management reviews are carried out by top management at planned intervals. The reviews consider opportunities for improvement and the status of risks and opportunities.
Section 10: Improvement
Organisations are required to actively seek out and implement improvements to the suitability, adequacy, and effectiveness of the information security management system.
Non-conformities (where you have failed to meet a requirement of ISO 27001 or of your own ISMS) are identified, controlled, and corrected. The root cause, and the potential for a similar non-conformity to occur, are evaluated and changes or corrective actions are made.
Annex A
Annex A includes a reference to 93 information security controls across four themes, to be used in context with the risk planning activities defined in section 6.
Course Checklist
QCS have prepared a checklist tool that may be useful for establishing what you already have in place and what your organisation might need to do if it wants to seek certification.