All new and revised management system standards conform to the ISO Directives concerning high level structure and identical core text. The idea is that requirements that ought to be the same for all management system standards (e.g. corrective action) ought to be identically worded – and now they are. Requirements that are peculiar to a particular discipline (e.g. quality) are incorporated in what is known as “discipline-specific text”. Full details are in David Brewer’s book: “Understanding the new ISO management system standards”.
The following figure shows the high level structure (blue text) together with the discipline-specific requirement headings for ISO/IEC 27001:2013.
A detailed explanation of ISO/IEC 27001:2013 is given in in David Brewer’s book: “An introduction to ISO/IEC 27001:2013” 3rd Edition”.
ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS). In summary:
- A management system is a way of life, a journey not a destination. To best adapt the standard to the context and established doctrine and culture of an organisation, the standard specifies what an organisation must must be done to achieve conformance not how it is to be done.
- The focus of ISO/IEC 27001 is on preserving the confidentiality, integrity, and availability of information within scope of the ISMS.
- The standard requires organisations to determine the information security controls that an organisation needs through the process of risk assessment and risk treatment.
- The risk assessment requirements are aligned with ISO 31000 (“Risk management — principles and guidelines”). The easiest way to do this is to consider events and consequences.
- As a safety net to ensure that no necessary control has been inadvertently overlooked, the standard requires organisations to compare the necessary controls that it has determined with those in ISO/IEC 27001, Annex A. It is important to understand that these Annex A controls are not requirements. The requirement is the cross-checking process.
- The Statement of Applicability (SOA) is required to include all the necessary controls and all excluded Annex A controls. There is no requirement to structure a SOA in terms of Annex A controls. However, it is prudent to be able to show the mapping between necessary controls and Annex A controls.
- Moreover, as explained in ISO/IEC 27003, necessary controls do not have to be Annex A controls. It refers to necessary controls that are not Annex A controls as custom controls.
- Whilst certification audit plans typically address Annex A controls, the ISO/IEC 27006 requirement is for auditors to review the necessary controls as specified in the organisation’s SOA. If an organisation’s risk treatment plans (RTPs) specify how the necessary controls are intended to modify risk, audit of such RTPs will ensure coverage of the organisation’s necessary controls.
- Fulfilment of the requirements for performance evaluation is best served by first determining the organisation’s information needs, as advocated by ISO/IEC 27004. Thus, first determine what you are going to do with the information that you obtain from monitoring and measuring. It is a good idea to include the fulfilment of your information security objectives in your portfolio of measurements.
- There are just sixteen requirements for documented information, albeit organisations are required to retain documented information on whatever else they deem necessary for the effectiveness of their ISMS.
ISO/IEC 27001:2013 is the second edition of the ISMS standard. The first edition was published in 2005. There are BSI publications that show the relationship between the two editions (transition guide and detailed mapping tables). An account of the revision process is given on the Gamma website.
- ISO/IEC 27002, the source of Annex A, is currently at Draft International Standard status with an expected publication date of 2021/22.
- As a consequence, ISO/IEC 27001 will need to be amended (to align Annex A to the new reference control set in ISO/IEC 27002). However, a more substantive revision will have to wait, whilst the ISO ponders the scope of the revision.
- The high level structure and identical core text (Annex SL of the ISO Directives, and the blue text in the above figure) has been revised, albeit the proposed changes are minor. This should be published in May.