ISO 27001 is an international standard for information security. It was published in 2015 to help organizations establish, implement, maintain and improve their information security management system (ISMS).
Information security has become a major issue for companies, especially with the exponential growth of cyber attacks, so more and more companies are implementing the standard in order to set up an effective information security management system.
Iso 27001 is a standard that frames ISMS, so more and more companies are becoming certified to manage their risks about this topic.
Today there are more than 58,000 certified companies, of which more than 16% are in the information technology sector. (These figures are from 2021 and therefore probably increased significantly since then).
In this article, we will see what the standard is and we will detail more precisely the subject of ISO 27001 controls.
According to the International Organization for Standardization :
“ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard”.
The certification establishes a set of standards to be used in your company to meet six essential objectives:
Improved information security :
Iso 27001 certification enables an organization to implement an information security management system (ISMS) that complies with international standards, ensuring that information is handled securely, and therefore reduce company’s vulnerability of cyber-attacks. According to Afnor, 89% of certified companies estimate that they have fewer security incidents.
Strengthening Stakeholder Confidence :
Stakeholders such as customers, business partners and investors are often reassured by ISO 27001 certification as it demonstrates the organization's commitment to information security.
Having the standard can also prove to be a business argument against a competitor who does not have it, or build up customer loyalty. In fact, 88% of the companies surveyed by Afnor recognize that certification has enabled them to retain some of their customers who would otherwise probably have left them.
Improved security culture :
Having certification in place promotes a culture of information security within the organization. Indeed, the employees will be sensitized during the implementation of the standard but also by the respect of new processes, the employees will be more sensitive to these subjects.
Find a complete SWOT analysis, conducted by the University of East London, to get an overview of the different opportunities, threats, weaknesses and strengths of implementing ISO 27001 in your company.
The standard is separated into two distinct parts.
Part 1 : 11 clauses to oversee the implementation of your ISMS
The first part consists of the 11 clauses below, which provide a framework for establishing the policies, procedures and practices necessary to protect the organization's sensitive information and ensure its confidentiality, integrity and availability.
Part 2 : Appendix A This appendix provides a list of information security controls that organizations can use as a basis for implementing their information security management system.
It is designed to help organizations identify the appropriate security controls to implement to achieve their ISMS objectives.
This list has been recently updated.
The standard was updated in October 2022, with the main change being in Appendix A.
Previously, in the version of iso 27001-2013, Annex A was composed of 114 controls distributed around 14 different categories, listed below.
Before 2022, the standard had been updated for the last time in 2013, in 9 years, the world of information has drastically evolved, the standard had to evolve its repository to match the current field reality.
The first major change is the iso 27001 controls list, previously 114, they are now 93 in the 2022 standard. Of the 114 controls, 35 remain unchanged, 23 have been renamed, 57 are grouped into 24 (for clarity), 11 new security controls have been created.
The 11 new controls created correspond to these different items: Threat Information, Information Security for Cloud Services, ICT Readiness for Business Continuity, Physical Security Monitoring, Configuration Management, Information Deletion, Data Masking, Data Leakage Prevention, Monitoring Activities, Web Filtering, Secure Encryption.
Secondly, these controls are now categorized into 4 different categories:
1 - Organizational controls (37 controls)
2 - People controls (8 controls)
3 - Physical controls (14 controls)
4 - Technological controls (34 controls)
Finally, the update implements five attribute categories for security controls :
The five attributes assign one or more values of each attribute to one of the security controls.
The effect of this change is to make it easier to group and sort, and thus help you find the relevant controls to implement based on your needs. For example, if you want to implement controls related to governance, you can simply filter on this topic and you will have a list of relevant controls at your disposal.
All of the controls listed in Appendix A are not mandatory to implement in your company. Appendix A is like a list, which allows you to select the controls you need according to your company. The controls you decide to implement will depend on the risk assessment and risk treatment plans you have made in the previous phases of implementing the standard.
In an organization, the responsibility for implementing ISO 27001 controls typically falls on the information security management team. This team is responsible for implementing and maintaining an information security management system (ISMS) that conforms to the requirements of ISO 27001.
However, as we saw earlier, Appendix A is composed of four different categories of controls and 34 of the 94 controls are related to information technology. Thus, in order to optimally implement the controls in Appendix A, it is necessary to have other people involved in the implementation of controls who have a field and global vision of the company on the other three different subjects.
In addition, at least one member of a company's management must be involved in the implementation of this project. This member must be responsible for providing the resources, support and commitment necessary to ensure the success of the ISMS and the effective implementation of ISO 27001 security controls.
The set of controls to be put in place to meet ISO 27001 standards can represent a significant amount of work. Imagine therefore, the workload that would be to exercise these controls at given periods, can not forget a date of a control, make the control by hand, note the result of the control in a document and then analyze all the results 🤯 This is just too time consuming for the teams that would spend most of their time doing these tasks.
With Trout Software, leverage compliance automation, for a compliance without sweat 🎣
Compliance automation refers to the use of technology to streamline and simplify compliance-related processes. The tool created by Trout Software: Security hub, allows the automation of security controls within an organization. Thus, the implementation of the control, the repetition of the control, the result of the control and the synthesis of all the controls is automated and centralized in Security Hub.
Trout Software has created dozens of ready-to-use playbooks that allow you to easily implement ISO 27001 controls. So just choose the control you want to set up, configure the access to the data required to run the playbook.
To do this, simply use the connectors pre-built by Trout Software, as you can see, below.
You will then have to select your choice and set it up with our scheduler.
Our tool allows you to automate the playbook created, thanks to our scheduler.
As you can see below, it allows you to choose the notebook you have just created, and then to create parameters according to the desired frequency of the controls.
You can set its parameters according to the frequency of checks, the date and time of the first check you want to perform and finally indicate how often you want the check to be performed.
Once you have set the parameters, you can click on "Schedule".
As you can see on our examples, for each check a red or green bar will appear depending on whether the check returns an error or not.
This allows you to exercise controls in a regular way, to have a global view on the control through time and thus to set up an ISO 27001 approach, based on continuous improvement.