It’s fair to say that security-conscious organizations worldwide really care about ISO 27001.
If your job, or the one you want, involves information security, you need to know about this international standard and understand its controls.
So what exactly is this standard, and who is it for? What are the ISO 27001 controls, and what actions do they require of you? What courses and certifications should you focus on to develop your knowledge and prove your expertise in this area?
To help you understand all of this, here’s our deep dive into ISO 27001 and ISO 27001 controls. To help you on your way to compliance, we’ve also included an ISO 27001 controls checklist for you to keep, use, and adapt as needed.
If you’re ready, then read on!
Understanding ISO 27001:2022 Security Controls
Hereβs a closer look at ISO 27001's purpose and scope and the role of security controls within it.
What Is ISO 27001?
ISO 27001 (formally ISO/IEC 27001) is a standard published by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC). In simple terms, it sets out what organizations need to do to establish, operate, and maintain an effective ISMS (Information Security Management System).
What Is an ISMS?
An ISMS is defined by TechTarget as “a set of policies and procedures for systematically managing an organization’s sensitive data.” If it’s devised and implemented in the right way, it should enable an organization to do four main things:
- Identify the specific risks to which the organization’s information assets are exposed.
- Set out measures (i.e., controls) to protect those assets.
- Provide a plan of action in case of an information security breach.
- Identify the individuals responsible for each step of the information security process.
What Is the Role of ISO 27001 Security Controls?
ISO 27001 isn’t prescriptive.
In other words, it doesn’t tell you what to do at a technical level, such as precisely which authentication measures to put in place or how often you should carry out backups.
But if it doesn’t show you what to do, then what’s the point? The standard provides a framework for working out, from your own risks, the specific protection your organization requires.
There are two main elements to this: the need for risk management and assessment and the application of ISO 27001 controls. You need to consider them side-by-side.
Risk assessment
This is the starting point in creating an ISO 27001-compliant ISMS. The standard requires you to carry out a risk assessment by identifying and evaluating the information security risks faced by your organization. You need to evaluate the threats, vulnerabilities, and potential impact of security incidents on your organization’s information assets.
ISO 27001 controls
The standard includes a comprehensive framework of controls organized into themed domains (more on this below). It requires you to review these controls systematically in the context of your risk assessment to identify those relevant to your risk profile.
Who Is ISO 27001 For?
ISO 27001 is for pretty much everyone.
Any organization can adopt ISO 27001 controls and implement the standard to boost its information security resilience. However, some choose to go a step further by gaining an ISO 27001 certification.
According to ISO’s 2022 survey, over 70,000 valid ISO 27001 certificates are in place across 150 countries.
If an organization holds the certification, it shows it has implemented a system to manage the risks related to data security and adheres to the best practices and principles set out in the standard.
About a fifth of all certificates are held by IT companies (e.g., software developers, managed support, and cloud service providers). The rest span virtually all sectors, including banking and financial services, healthcare, education, retail, manufacturing, and more.
If you handle sensitive data and it’s important to your customers, investors, and other stakeholders that you are committed to managing data responsibly, ISO 27001 certification is almost certainly worth considering.
The Structure of ISO 27001 Controls
ISO 27001 is built on the core concepts of ISMS best practices.
The requirements for ISO 27001 compliance are described in the main body of the standard (the clauses). An accompanying annex (Annex A) lists the more specific safeguards you may need to put in place to achieve compliance (i.e., the controls). Here’s how this all fits together.
ISO 27001 Concepts
At the heart of the standard lie three core concepts: confidentiality, integrity, and availability, commonly referred to as the CIA triad. To be ISO 27001-compliant, an ISMS must be designed and implemented in such a way that each of these topline areas is addressed.
1. Confidentiality
Information should only be accessible to authorized individuals with appropriate permissions. Measures to achieve this include implementing access controls and network security measures such as firewalls, intrusion detection systems, and encryption of data both in transit and at rest.
2. Integrity
This involves making sure that the data you are responsible for remains trustworthy and free from tampering. Integrity is maintained only if data remains authentic, accurate, and reliable.
Specific safeguards to ensure integrity include configuring auditing and logging mechanisms to track data access and modifications, using digital signatures, and implementing robust version controls.
3. Availability
This describes the basic requirement that authorized individuals should be able to access all relevant information, right at the point of need. For this to happen, all systems, networks, and applications must be functioning at the right time.
Regular backups are a key part of this, along with the creation of a comprehensive disaster recovery plan complete with provisions for restoring data and systems in the event of a breach or failure.
With cloud computing now the norm, careful choice of cloud service providers is also important, with an emphasis on availability guarantees and vendor uptime track records.
ISO 27001 Mandatory Clauses
The main body of ISO 27001 consists of ten sections (i.e., clauses).
The first three clauses provide general introductory information, terms, and definitions. Clauses four to ten contain mandatory requirements: you must follow these sections to become ISO 27001-compliant.
Hereβs an outline of the key points under each mandatory clause:
Clause 4: The context of the organization
- There are obviously big differences between the information security aspects and needs of an online retailer and a healthcare provider. This clause requires you to assess and understand your organization's specifics.
- You need to consider the needs and interests of all relevant stakeholders, such as customers, employees, and professional regulators.
- You must document the boundaries and scope of your ISMS with reference to this organization-specific context.
Clause 5: Leadership
- Top organizational management must demonstrate leadership with respect to the ISMS.
- Management is responsible for establishing an information security policy.
- Management is also responsible for assigning and communicating roles and responsibilities linked to the ISMS.
Clause 6: Planning
- Organizations must adopt a risk-based approach to information security management.
- This includes the creation of a security risk assessment.
- The risk assessment needs to be accompanied by an information security risk treatment plan, including the selection of required risk treatment options and determining all controls necessary to implement the risk treatment options chosen.
Clause 7: Support
- Organizations must determine and provide the resources needed for the establishment, implementation, maintenance, and continued improvement of the ISMS.
- This includes providing competent personnel, including training where necessary.
- The ISMS must be documented and communicated.
Clause 8: Operation
- Organizations must plan, implement, and control the processes needed to meet ISO 27001 requirements.
- An information security risk assessment is not a one-off event. Additional assessments must be carried out at planned intervals or when significant changes take place.
Clause 9: Performance evaluation
- Organizations must determine what needs to be monitored and measured (and how) to ensure the continued effectiveness of the ISMS. Monitoring and measurement data should be documented.
- Organizations should carry out audits at regular planned intervals to assess the continued effectiveness of their ISMS.
- Top management should review the ISMS at planned intervals.
Clause 10: Improvement
- Organizations should continually improve the suitability, adequacy, and effectiveness of their ISMS.
- Action should be taken to react to nonconformity, and corrective actions should be appropriate to the effects of the nonconformities encountered. This should all be documented.
ISO 27001 Controls
Immediately after the ten clauses, you’ll find Annex A. This contains 93 information security controls grouped according to theme.
You’re not expected to implement every one of these controls.
Rather, when you’re carrying out your information security risk treatment process (see Clause 6 above), you need to go through Annex A to determine which controls your specific organization needs and verify that no necessary controls have been omitted. The outcome is recorded in a Statement of Applicability (SoA), which lists every Annex A control, states whether it is applied, and justifies each inclusion and exclusion.
ISO 27001:2022 Annex A Controls
As we’ve seen, the ISO 27001 main text tells you what you need to do to become compliant, whereas the Annex A controls are more concerned with how you’ll do it. Here’s a closer look at Annex A.
ISO 27001 Annex A Controls List
The controls are broken down into four numbered sections. These sections correspond with Clauses five to eight of a linked standard, ISO 27002, which provides more detailed guidance on how ISO 27001 controls can be implemented.
The four categories are as follows:
- Clause 5: Organizational (37 controls)
- Clause 6: People (8 controls)
- Clause 7: Physical (14 controls)
- Clause 8: Technological (34 controls)
Overview of Annex A Controls Categories
Clause 5: Organizational
This section focuses on how an organization approaches information security, including the rules, procedures, and policies it has in place and how seriously it takes them.
Examples of areas covered:
- Drawing up security policies
- Infosec roles and responsibilities
- How information is classified and labeled
- Identity and access controls
- Planning for how to maintain information security during disruption
Clause 6: People
As our recent guide to insider threat statistics highlighted, the majority of data breaches are linked in some way to insider actions, particularly human error. This section of controls addresses the human aspect of information security.
Examples of areas covered:
- Information security awareness and training
- Screening of job candidates
- Disciplinary processes
- Applicability of confidentiality and non-disclosure agreements
- Information security measures in the context of remote working
Clause 7: Physical
How easy is it for someone to just walk into your server room? This section is focused mostly on controls to protect the physical environment where information assets are stored or processed.
Examples of areas covered:
- Physical security perimeters and the design of measures to protect offices, rooms, and facilities
- Protection against natural disasters and other environmental threats
- Clear desk and clear screen rules
- Secure disposal and reuse of equipment
Clause 8: Technological
The controls in this section focus on technological measures for protecting information, IT assets, systems, and networks from unauthorized access, misuse, or compromise.
Examples of areas covered:
- Access control, including authentication measures
- Encryption mechanisms to protect data in transit and at rest
- Network security, including intrusion detection, VPN usage, and network segmentation
- Vulnerability management
- Incident detection and response
Implementation: ISO 27001 Controls Checklist
Getting your information security management system ISO 27001-compliant requires planning, time, and know-how. Here are some of the challenges that can arise, and how you can overcome them.
ISO 27001 Implementation Challenges
1. Achieving management buy-in
If the boss isn’t into it, your ISO 27001 project probably isn’t worth it. Organizational leaders need to be on board from the outset. You may need to sell them on the idea of ISO 27001 compliance, stressing that building a compliant system will boost the company’s resilience and reputation but that it’ll require resources to get it right.
2. Time and resources
The CTO cannot leave this to an administrator to sort out as a quick, discrete task. It requires allocating workforce resources and time, conducting risk assessments, and developing or updating security policies and procedures. Depending on what technical gaps you need to fill, any new control measures will also require a budget.
3. Staying ISO 27001-compliant
ISO 27001 isn’t a one-off event. Many of the clauses and controls within the standard stress the importance of continuous monitoring, review, and improvement of your ISMS. To take it seriously, you need to be ready to assess your information security posture on a regular basis.
4. Expertise
Effective ISO 27001 implementation requires knowledge. Key areas of expertise include the ability to map and understand your IT estate, knowledge of current threats, and the know-how required to select and implement appropriate security measures. To get familiar with all of this, cyber security professionals should consider upskilling through training in this area (see below).
ISO 27001 Implementation Best Practice
1. Risk assessment
As per the mandatory requirement of clause 6 of ISO 27001, you need to carry out a thorough risk assessment. Make sure you map your entire environment and inventory all information assets under your control. Next, identify potential threats and vulnerabilities and evaluate the likelihood and impact of identified threats.
2. Define your desired outcome
Set out your organizationβs security objectives and priorities, flagging up the areas where security controls are most needed to mitigate the risks identified in your risk assessment.
3. Approach the ISO 27001 controls systematically
Review Annex A in full. Be ready to identify which controls are relevant to your risk profile and organizational objectives. Remember that the standard also requires a Statement of Applicability in which you justify not only the controls you include but also those you leave out, and why.
4. Prioritization
Implement your controls in a phased approach, starting with the most critical and high-priority controls (again, with reference to your risk assessment and security objectives).
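An added example (not from this article, from ISO, or from any ISO 27001 tooling) of what steps 1 to 4 above look like once they are data rather than prose, in Python: a constructed risk register is scored on a 5×5 likelihood-by-impact matrix, each risk is linked to the Annex A controls chosen to treat it, and from that a Statement of Applicability and an implementation order are derived. The control identifiers and titles are real ISO/IEC 27001:2022 Annex A references (check them against your copy of the standard); the register entries, the risk appetite threshold, and the multiplicative scoring method are assumptions for illustration, since the standard itself does not prescribe a scoring method.

```python
from dataclasses import dataclass

# Subset of ISO/IEC 27001:2022 Annex A control identifiers and titles.
# Only the controls this example references are listed; the full annex has 93.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.30": "ICT readiness for business continuity",
    "A.6.3":  "Information security awareness, education and training",
    "A.7.10": "Storage media",
    "A.8.5":  "Secure authentication",
    "A.8.8":  "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    controls: tuple[str, ...]    # Annex A controls chosen to treat this risk

    def __post_init__(self):
        # Reject out-of-range scores and typos in control ids up front,
        # so an SoA is never built from a register that references nothing.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        unknown = set(self.controls) - set(ANNEX_A)
        if unknown:
            raise ValueError(f"{self.rid}: unknown control id(s) {sorted(unknown)}")

    @property
    def score(self) -> int:
        # Likelihood x impact on a 5x5 matrix: a common scoring method,
        # assumed here, not one the standard prescribes.
        return self.likelihood * self.impact


# Constructed sample register for a small SaaS company (illustrative values).
REGISTER = [
    Risk("R1", "Customer database", "Credential stuffing against admin portal", 4, 5,
         ("A.5.15", "A.8.5")),
    Risk("R2", "Customer database", "Ransomware encrypts primary and backups", 3, 5,
         ("A.8.13", "A.5.30")),
    Risk("R3", "Web app", "Unpatched library exploited remotely", 4, 4,
         ("A.8.8",)),
    Risk("R4", "Laptops", "Lost device with unencrypted disk", 3, 3,
         ("A.8.24", "A.6.3")),
    Risk("R5", "Office printer", "Document left in output tray", 2, 1,
         ()),   # accepted: below appetite, so no control is selected for it
]

RISK_APPETITE = 8   # assumed threshold: risks scoring above this must be treated


def risks_to_treat(register, appetite=RISK_APPETITE):
    """Risks above appetite, highest score first (the Clause 6 assessment output)."""
    return sorted((r for r in register if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


def statement_of_applicability(register, catalogue=ANNEX_A):
    """Every catalogue control, marked applicable or not, with a justification.

    Controls linked to no risk are flagged as exclusions that still need a
    written reason: the SoA must justify what is left out, not just what is in.
    """
    linked = {}
    for r in register:
        for c in r.controls:
            linked.setdefault(c, []).append(r.rid)
    soa = {}
    for cid, title in catalogue.items():
        if cid in linked:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(linked[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "TODO: document why this control is excluded"}
    return soa


def implementation_order(register):
    """Controls ranked by the worst risk they treat (ties: total risk treated)."""
    worst, total = {}, {}
    for r in register:
        for c in r.controls:
            worst[c] = max(worst.get(c, 0), r.score)
            total[c] = total.get(c, 0) + r.score
    return sorted(worst, key=lambda c: (worst[c], total[c]), reverse=True)


if __name__ == "__main__":
    for r in risks_to_treat(REGISTER):
        print(f"{r.rid} score={r.score:2d} {r.asset}: {r.threat}")
    print("Implement in order:", implementation_order(REGISTER))
    for cid, row in statement_of_applicability(REGISTER).items():
        flag = "YES" if row["applicable"] else "NO "
        print(f"{cid:7s} {flag} {row['title']} ({row['justification']})")
```

Running it lists R1, R3, R2, and R4 as the risks above appetite, orders the controls so that A.5.15 and A.8.5 (which treat the 20-point credential-stuffing risk) come first, and leaves A.7.10 marked not applicable with a TODO: in a real register that control would almost certainly be pulled in by some risk, and the point of the flag is that an auditor will ask for the reason either way.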
Download Our ISO 27001:2022 Annex A Controls Checklist Template
Are you worried that you’ve missed or forgotten to update a policy or form regarding ISO 27001 compliance? Download, adapt, and keep our ISO 27001 Annex A Controls List template to help you stay on top of your obligations.
The template is available in three formats:
- ISO 27001 Controls List Excel
- ISO 27001 Controls PDF
- ISO 27001 Controls Google Sheets
ISO 27001 Certifications
What does it take for organizations to get ISO 27001 certified? How can information security professionals boost their credentials in this area? Hereβs what you need to know.
How Does an Organization Get ISO 27001 Certified?
ISO doesn’t actually perform certification or issue certificates itself. For this, you need to go through an external certification body. The process is a two-stage audit: a review of your ISMS documentation (including the Statement of Applicability), followed by an examination of your operating environment and interviews with your team to confirm that the controls are actually in place. A certificate is valid for three years, with surveillance audits in between and a full recertification audit at the end of the cycle.
The ISO Certification Page is a great starting point to identify certification bodies in your locality.
ISO 27001 Certification for Information Security Professionals
The following accreditations are definitely worth considering to increase your knowledge in this area and boost your employability in organizations seeking to become or remain ISO 27001-certified.
ISO 27001 Foundations Certification
Several bodies offer certifications that help you develop and demonstrate a fundamental knowledge of the ISO 27001 standard and its requirements. Three examples are as follows:
- PECB (Professional Evaluation and Certification Board) offers an ISO 27001 Foundations Certification course that covers the basic principles of ISMS and provides an overview of the standardβs requirements.
- EXIN also offers an ISO 27001 Foundations Certification with content similar to the above. It examines organizational security, threats and risks, and mitigation measures in the context of ISO 27001 compliance.
- ISC2’s Certified Information Systems Security Professional (CISSP) is also definitely worth considering. Although it’s not specifically focused on this particular standard, it gives you a thorough understanding of the principles and practices surrounding it.
ISO 27001 Certified Internal Auditor Certification
These certifications help you showcase your knowledge on how to assess and benchmark an organizationβs ISMS against ISO 27001 requirements:
- The PECB ISO/IEC 27001 Lead Auditor certification covers the knowledge needed for information security professionals to plan and conduct an audit in accordance with ISO/IEC 17021-1 requirements, ISO 19011 guidelines, and other best practices of auditing.
- Although it’s not an ISO 27001-specific certification, the ISACA Certified Information Systems Auditor (CISA) certification gives you a broad understanding of how to audit IT frameworks. This certification provides detailed information about auditing practices related to the organization of information systems security. You might want to consider this alongside an ISO 27001-specific foundations course.
ISO 27001 ISMS Certified Implementer Certification
These certifications demonstrate that you have the know-how necessary to implement an ISMS in line with the standard:
- Suitable for experienced cyber security professionals, project managers, and consultants, the PECB Certified ISO/IEC 27001 Implementer certification enables participants to acquire and demonstrate the knowledge necessary to effectively plan and implement an ISO 27001-compliant ISMS.
- The APMG International ISO/IEC 27001 Practitioner - Information Security Officer certification is for internal managers and personnel seeking to implement, maintain, and operate an ISMS that meets the standard.
ISO 27001 Training
Becoming ISO 27001-compliant is far from being a box-ticking exercise.
It demands familiarity with the standard itself, an understanding of the threat landscape, and the know-how necessary to implement the right controls. Training is essential for maximizing the likelihood of a successful project and for boosting employability in this area.
To get you on the right track for ISO 27001 success, take a look at these training courses:
ISO 27001 Foundations Training
Completely new to information security and ISO standards? This course is a great starting point. By the end of it, you’ll have a solid grounding in ISO 27001, and on successful completion, you’ll earn a certificate proving you’ve attained information security management systems competency.
ISO 27001 Auditor Training
Learn everything you need to know about how to perform an internal ISO 27001 audit within your company.
ISO 27001 Lead Implementer Training
Get real-life training on how to implement an ISO-compliant ISMS from scratch in any organization.
Conclusion
All information security professionals should be knowledgeable about ISO 27001. Even if your organization doesn’t feel the need to obtain formal certification, it’s still crucial to follow best practices in designing a resilient, fit-for-purpose ISMS.
Against this backdrop, ISO 27001 isn’t a tick-box compliance exercise. It’s actually a very useful framework for ensuring that nothing’s missing from your security management system.
Want to dive right into the best ISO 27001 courses and other ISMS-related resources? The StationX Accelerator Program makes it easy to plug the gaps in your knowledge.
Suitable for cyber security and infosec professionals of all levels, the program gives you instant access to 1,000+ training classes, virtual labs, exam simulations, and more.
We build your very own study roadmap, provide one-on-one expert support and mentorship, and guide you through your career and learning goals.
It’s one of the best ways to learn ISO 27001 and all other essential security standards.