Developing an ISO 27001 compliant Information Security Management System (ISMS) requires a highly planned and coordinated approach. To help you lay the groundwork of your system, we previously covered the core activities required when planning the implementation of a cohesive ISMS, including leadership support, project scope, and the Statement of Applicability.
Now we are ready to discuss the practical steps of ISO certification and how to develop your system: exploring the mandatory clauses your ISMS must satisfy and the supporting documents that need to be created.
ISO 27001 Structure
ISO 27001 is structured into two separate parts. The first, central part consists of 11 clauses, numbered 0 to 10. The second part, Annex A, provides a framework of 114 controls that forms the basis of your Statement of Applicability (SoA).
In clauses 0 to 3, you will find the general “metadata” of the standard. These clauses provide general information about the standard, including:
- Normative references
- Terms and definitions
The following clauses, 4 to 10, are mandatory requirements. So if your company is aiming for ISO 27001 certification, these are the required processes, documents, and policies that must be included or created to deliver a compliant system.
Mandatory Requirements & Required Documents
Clause 4: Context of the organization
Understanding and documenting the context of the organization is a vital part of implementing an ISMS. Creating a document that lists external and internal stakeholders, regulatory environments, client lists, competitors, and other industry standards will help you systematically maintain your updated inputs.
The only mandatory documentation under Clause 4 is the ISMS Scope (4.3) that must set the boundaries of your system and the applicability of the controls.
Clause 5: Leadership
In Part 1 of our guide to ISO 27001, we discussed the role of leadership and the influence management can have on system implementation. Commitment from the leadership team is so important to compliance that engagement from top management is mandatory for an ISO 27001 certified ISMS. Interviews with executive stakeholders are a required part of the ISO audit.
Top management is also responsible for documenting and communicating a Policy Statement with employees and clients (5.2). Teams that play a role in the ISMS maintenance must be described, and internal roles and responsibilities must be assigned.
Clause 6: Planning
The importance of careful planning cannot be overstated. As mentioned before, ISO 27001 applies a risk-based approach to information security, detailed in clause 6.1, which covers the security risk assessment and risk treatment process.
Based on these risks and opportunities, objectives need to be established, measured and monitored (6.2). The best way to manage these objectives is to have them align with the company’s strategic goals.
Clause 7: Support
The core of this requirement is to understand how the organization is committed to providing the resources needed to establish, implement, and maintain the ISMS, based on the following foundational activities that must be documented:
- Documented Information
- Records (that must be kept)
It is essential to highlight that all documents must be controlled with the date and revision number.
Clause 8: Operation
Clause 8 asks for documented processes to mitigate the risks that might arise as a result of your company’s scoped operations. It is a high-level requirement that all security controls be assessed and used to mitigate threats. Fulfilling this requirement will result in:
- Risk treatment plan (8.3)
- Risk assessment report (8.2 and 8.3)
Clause 9: Performance evaluation
The first requirement (9.1) is to establish a procedure for monitoring and measurement, with records kept of the results. The monitoring and measurement process must determine:
- what needs to be monitored and measured;
- the methods for monitoring and measurement;
- when the monitoring is performed; and
- who will complete the process.
Clause 9 also requires a documented process for the performance of internal audits and management reviews. Both processes must be conducted at least once a year.
Clause 10: Improvement
Improvement follows up on the evaluations covered in Clause 9 and is an essential principle for any organization. Creating a documented process to log recommendations for improvement and nonconformities will help your organization take action, improve your services, and eliminate problems.
ISO 27001 can be broken down into two groups: clauses 4 to 10, followed by the controls in Annex A. Clauses 4 to 10 are mandatory requirements that must be satisfied by your ISMS, which should contain the appropriate supporting documents and records.
It is critical for Information Security Managers to understand how the standard is structured and how the controls are organized. Under each clause and subclause, there is a set of rules to be followed to achieve compliance. Paying attention to the requirements in terms of activities, processes, and documents is vital to determining which controls or policies must be deployed or improved.
In Part 4 of our Guide to ISO 27001, we explore the importance of communicating with stakeholders and why it is paramount that you understand them and their needs.
How Can StandardFusion Help?
With StandardFusion, you can create, control, and share your documentation across your organization’s entire network of employees, stakeholders, and third parties. Develop your documentation from the ground up within StandardFusion, update it as needed, and keep track of historical versions. Equipped with dashboards, automated reporting, and objective management, users can easily monitor document creation, track acceptance, and align company policies and procedures with organizational information security goals. Save yourself the effort and cut down on wasted resources – schedule your demo today! See how simple it can be to manage your company policies, procedures, and notices within your ISO 27001 program with StandardFusion.
Guide to ISO 27001
Part 1 – Implementation & Leadership Support
Part 3 – Mandatory Clauses
Part 4 – Needs and Expectations of Stakeholders
Part 5 – Risk Management
Part 6 – Defining Controls
Part 7 – Competence, Training and Awareness
Part 8 – Monitoring Efficacy