Last Updated on January 5, 2016
Pivot Point Security has a tagline that reads, “Security simplified.” In that spirit, here’s how I simplify ISO 27001 for new clients.
In a nutshell, ISO 27001 requires organizations to implement seven business processes to certify their information security management.
Process 1: Context
The first business process required for ISO 27001 certification is Context, which is covered by clause 4 in the 2013 version of the standard (ISO 27001:2013). The Context process requires organizations to develop an understanding of what information they need to protect. The Context process is all about:
- Understanding the internal and external business issues that affect information security management (clause 4.1). These issues may be technical, economic, cultural, social, organizational, political, legal or environmental.
- Identifying information security stakeholders (e.g. board committee(s), management committee(s), customers, regulatory bodies, etc.) and their information security requirements (clause 4.2).
- Identifying the organization’s interfaces and dependencies (e.g. outsourced processes, subsidiaries, key suppliers, etc.) that must be accounted for when determining what needs to be protected (clause 4.3).
Process 2: Leadership
Once the organization establishes what needs to be protected, the second business process that must be implemented is Leadership, which is covered by clause 5. The Leadership process requires organizations to establish a vision for how information should be protected. The Leadership process is all about:
- Establishing leadership’s commitment to the vision of how information should be protected (clause 5.1).
- Establishing an information security policy that communicates the vision of how information should be protected (clause 5.2).
- Establishing the roles, responsibilities and authorities for information security governance (clause 5.3).
Process 3: Planning
Once the organization establishes what information needs to be protected and leadership’s vision for how it should be protected, the third business process that must be implemented is Planning, which is covered by clause 6. The Planning process requires organizations to establish how the leadership’s vision for information security will be implemented. The Planning process is all about:
- Establishing the process to identify, analyze and treat information security risks (clause 6.1).
- Establishing information security objectives and planning to achieve them (clause 6.2).
Process 4: Support
Once the organization has established what needs to be protected, leadership’s vision for how it should be protected, and the plan to fulfill that vision, the fourth business process that must be implemented is Support, which is covered by clause 7. The Support process requires organizations to establish how the plans to fulfill leadership’s vision for information security will be supported. The Support process is all about:
- Identifying and providing the resources (e.g., people, finances, technology) needed to support the information security and risk treatment plans (clause 7.1).
- Ensuring people have the competencies necessary to support the information security and risk treatment plans (clause 7.2).
- Ensuring people are aware of leadership’s vision for information security, how they can contribute to that vision and the consequences of not complying with the requirements established by leadership’s information security policy as well as the information security and risk treatment plans (clause 7.3).
- Establishing the necessary internal and external communications so that everyone is on the same page regarding the information security policy, plans and risk treatment (clause 7.4).
- Establishing a document management process and ensuring the documentation needed for certification and information security management will be available as the information security and risk treatment plans are executed (clause 7.5).
Process 5: Operation
Once the organization establishes what needs to be protected, the vision for how it should be protected, the plan to fulfill the vision and the support for the plan, the fifth business process that must be implemented is Operation, which is covered by clause 8. The Operation process requires organizations to execute the information security and risk treatment plans. The Operation process is all about:
- Ensuring the execution of information security plans is tracked and documented, changes to those plans are controlled and outsourced processes supporting the information security and risk treatment plans are properly managed and controlled (clause 8.1).
- Ensuring information security risk assessments are conducted as planned (clause 8.2).
- Ensuring information security risk treatment plans are documented and implemented (clause 8.3).
Process 6: Performance evaluation
Once the information security and risk treatment plans are put into operation, the sixth business process that must be implemented is Performance evaluation, which is covered by clause 9. The Performance evaluation process requires organizations to determine how well the information security and risk treatment plans were executed to fulfill leadership’s vision for information security management. The Performance evaluation process is all about:
- Establishing information security metrics for monitoring, measurement, analysis and evaluation of information security performance (clause 9.1).
- Planning and conducting internal audits to determine whether the information security management process complies with the organization’s requirements, complies with ISO 27001 requirements and is effectively implemented and maintained (clause 9.2).
- Establishing a process for management review of information security to determine whether leadership’s vision for information security was fulfilled (clause 9.3).
Process 7: Improvement
Once information security performance has been evaluated, the seventh and final business process that must be implemented is Improvement, which is covered by clause 10. The Improvement process requires organizations to take corrective actions and make continual improvements to address the nonconformities and issues identified by the performance evaluation process. The Improvement process is all about:
- Reacting to nonconformities, identifying their root causes and implementing corrective actions to prevent similar issues from occurring (clause 10.1).
- Making continual improvements to ensure information security management is reasonable, appropriate and effective (clause 10.2).
That’s all it takes to achieve ISO 27001 certification—implementation of those seven business processes. To connect with an expert who can tell you more, contact Pivot Point Security.