The Three ISO 27001 Principles, or the CIA Triad
The heart of ISO 27001 consists of three key principles. They are Confidentiality, Integrity, and Availability. Let’s explore each of these in some detail.
Confidentiality
This is the most intuitive of the three principles. Confidentiality simply means that only the right people can access information, whatever that information may be. A risk type that confidentiality assists with is a criminal accessing information and making it widely available.
Integrity
Preserving the integrity of your data means that your organization is properly storing important data. That means not only that it is secure but also that no one is damaging or erasing the data. Damaging or erasing data can be done on purpose or accidentally, but with ISO 27001, data is set up so that accidents are far less likely to happen.
Availability
You might find it strange that availability is a principle of a cybersecurity certification like ISO 27001, but being able to get information into the right hands is just as essential as keeping confidential information out of the wrong hands. A business needs to be able to make data accessible for customers and employees while also ensuring security. Anyone who accesses your information will know that their information is protected but available to them whenever they need it. That is how companies can instill confidence with their customer base in the current cybersecurity era.
What are the ISO 27001 Requirements?
The ISO 27001 document begins with a detailed overview. ISO 27001 begins in a similar manner to ISO 9001, starting with clause four and carrying on through to clause ten. There are slight differences in these first seven clauses between the two ISO standards. Let’s dig into those seven clauses in some detail.
Clause Four
Clause four can be summarized as “context of the organization.” While this may sound simple, clause four is one of the more expanded clauses in the standard. Overall, context means understanding the internal and external factors in which an organization is running. As part of your ISO 27001 process you will need to make sure you accomplish the following about your organization’s context:
- What do your customers, vendors, and employees need?
- What is the scope of your ISMS going to be? You should be able to answer this question quickly for an auditor or for any interested party who asks.
- How is your leadership going to be a resource throughout the process? Leadership commitment is essential.
Clause Five
Speaking of leadership, clause five deals entirely with the role management should play in the ISMS implementation process. It is the responsibility of management to distribute policies to employees, set objectives, define roles and responsibilities, and more. Who will be monitoring the ISMS? Who will be responsible for implementing the information security policy? All of these questions stop with the management of an organization in the ISO 27001 process.
Clause Six
Clause six defines how you will handle both risks and opportunities. The goal with this clause is to set objectives that can be measured with ease. Tracking progress is important, as is showing continuous improvement. A good example of a goal for this clause is, “We want to reduce incidents by 20% over the next year.”
Clause Seven
We have mentioned resources a couple of times in passing, but clause seven deals entirely with resources. It is easy to think of resources only as “things” or “supplies,” but they are defined differently in ISO 27001. Resources can be:
- Competence of employees
- Awareness of the information security policy and employee roles/responsibilities
- Documented information and guidance, how to store these documents and where to store them
Remember, all data must be secure yet accessible for the people who need it.
Clause Eight
Now that you have defined roles, responsibilities, the scope of your organization’s ISMS, and more, it is time to establish how your ISMS and associated policies will be assessed. At a minimum, the ISMS should be audited once a year in detail to assess the controls, but realistically, the ISMS needs to be touched daily. Especially when the ISMS is in its first months of operation, the Chief Information Security Officer (CISO) or whoever is responsible for day-to-day operations should look for places where policies might need to be updated or where information needs to be deleted. As part of this clause, the organization needs to look at potential risks and how to eradicate those risks.
Clause Nine
While clause eight covers monitoring of controls, clause nine covers monitoring/assessing performance of the ISMS. This work is done both internally and by an external auditor.
Clause Ten
Finally, there is clause ten, which deals with non-conformities, or areas where there were weaknesses or errors in the ISMS. These non-conformities have to be documented carefully and then a treatment plan needs to be established and implemented. Once actions have been taken, those need to be documented along with the final results.
Annex A
The heart of ISO 27001 is Annex A, a series of 93 controls that truly differentiate ISO 27001 from ISO 9001.
The controls are categorized as follows:
5: Organizational - 37 controls
Ranging from how information is labeled to how information is secured during disruptions.
6: People - 8 controls
Ranging from screening to physical security monitoring.
7: Physical - 14 controls
Includes equipment maintenance, media storage, and more.
8: Technological - 34 controls
Contains many complex controls ranging from cryptography to securing the system's architecture and network.
ISO 27001: An Organizational Standard from Top to Bottom
As you can see, the decision to pursue an ISO 27001 certification requires a “full body workout” on the part of the organization. Everyone needs to be involved and coordinated with clarity on roles and responsibilities. ISO 27001 places a lot of emphasis on the role of management, not only to support the process but also to monitor performance and ensure all employees are receiving the training they need.
If you are interested in learning more about this standard or if you have any questions, please contact us today.