All key stakeholders in an organization need to be familiar with the structure and use of ISO 27001 before they attempt to obtain certification. ISO 27001 can be broken down into 12 sections.
Introduction – describes information security and how an organization should manage it.
Scope – a high-level statement that the ISMS requirements apply to all types of organizations.
Normative References – explains the relationship between the ISO 27000 standard and ISO 27001.
Terms and Definitions – covers the specialized terminology used in the standard.
Organization – describes the roles and responsibilities of stakeholders in creating, maintaining, and developing an ISMS.
Leadership – describes how an organization's leaders should commit to ISMS policies.
Planning – outlines how risk management should look across the organization.
Support – describes how to raise awareness of information security and assign responsibilities for it.
Operation – describes how to manage risks and how to document that work to meet audit requirements.
Performance Evaluation – provides guidelines for measuring and monitoring ISMS performance.
Improvement – explains how an ISMS should be continually updated and improved, particularly after audits.
Reference Control Objectives – an annex describing the elements of an audit.
What are the ISO 27001 Audit Controls and what do they look like?
The ISO 27001 documentation groups its best practices into 14 separate control domains. During compliance checks, certification audits will include controls from each of these. This is a quick summary of each domain and how it applies to real-life audits.
Information Security Policy – describes how policies should be created in the ISMS and then reviewed for compliance. Auditors will want to know how you document your procedures and how regularly you review them.
Organization of Information Security – describes which parts of an organization are responsible for which tasks or actions. Auditors expect to see an organizational structure with clear responsibilities and high-level roles.
Human Resource Security – describes how employees should be educated about cybersecurity when they start, leave, or change jobs. Auditors will look for clear information security procedures for onboarding and offboarding.
Asset Management – describes the steps involved in managing data assets and how they should be secured. Auditors will examine the way your organization tracks hardware, software, and databases. Any common tools and methods you use to maintain data integrity should be included in the evidence.
Access Control – provides guidelines on how employee access should be restricted to certain types of data. Auditors will need to know how access privileges are created and who is responsible for maintaining them.
Cryptography – covers encryption best practices. Auditors will inspect your systems for sensitive data and examine the type of encryption used, such as DES or RSA.
Physical and Environmental Security – describes the procedures for protecting buildings and equipment. Auditors will inspect the site for vulnerabilities and check how physical access to offices and data centers is controlled.
Operations Security – provides guidance on how data can be securely collected and stored. This has become more urgent since the General Data Protection Regulation took effect in 2018. Auditors will want to see evidence of data flows as well as explanations of where the information is stored.
Communications Security – covers the security of all communications within an organization’s network. Auditors should be able to view a list of the communication systems used (email, videoconferencing) and the security measures taken to protect their data.
System Acquisition and Development – outlines the steps for managing systems within a secure environment. Auditors will need evidence that new systems are maintained to the highest standards of security.
Supplier Relations – describes how an organization should interact with third parties and ensure security in those relationships.
Information Security Incident Management – describes best practices for addressing security incidents. Auditors may request a fire drill to observe how the organization handles an incident. It is useful to have software such as a SIEM that can detect and categorize abnormal behavior.
Information Security Aspects of Business Continuity Management – covers how major disruptions should be managed. Auditors may simulate a variety of disruptions, and the ISMS should cover the steps required to recover from each.
Compliance – identifies which government or industry regulations apply to the organization. Auditors want evidence that the business is in full compliance in every jurisdiction where it operates.
Many organizations make the mistake of entrusting all responsibility for ISO certification to local IT teams. While information technology is at the heart of ISO 27001 certification, all departments must share ownership of the procedures and processes. This shared ownership is at the core of transitioning to ISO 27001.