A Basic Introduction to ISO 27001

Information security is a global issue affecting international trade, mobile communications, social media, and the many systems and services that make up our digital world and national infrastructures. Managing information security is an even more pressing issue, because it means selecting, operating, and maintaining the policies, procedures, processes, control measures, and supporting applications, services, and technologies needed to protect that information. Information security management must be effective, suitable, and appropriate to the organization if it is to protect information from the risks that businesses and society face in the digital age: information can be disclosed to unauthorized users, corrupted or modified (whether deliberately or accidentally), or lost and made unavailable by a system failure. An organization therefore needs to assess its risks in terms of the potential impact a security incident would have on its business and the likelihood of that incident occurring, and it needs a risk assessment approach that is effective, suitable, and appropriate to its business. ISO 27001 specifies exactly such an approach, and putting it into practice is what is usually meant by an ISO 27001 implementation.

What is ISO?

ISO (the International Organization for Standardization; "ISO" is a name, not an acronym) is a non-governmental organization that holds a unique position between the public and private sectors. Its members are national standards bodies, which are often part of their countries' government structures or mandated by those governments. The role of ISO is to coordinate and publish international standards across industries. These standards contribute to the development, manufacturing, and delivery of products and services that are more effective, safer, and better defined, and they facilitate fair trade between countries. They also give governments a technical basis for health, safety, and environmental legislation, help transfer technology to developing countries, and protect consumers and general users of products and services.

What is ISO 27001?

ISO 27001 (formally ISO/IEC 27001) is the international standard that specifies the requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach, made up of people, processes, and technology, that helps an organization protect and manage all of its information through risk management. The standard is a set of normative requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving an ISMS, and it is the set of requirements against which an organization can be certified. Its Annex A lists a catalogue of controls from which each organization selects, and justifies, the controls that its own risk assessment calls for; ISO/IEC 27002 provides implementation guidance for those controls.

ISO 27001 checklist

An ISO 27001 checklist is used to determine whether an organization satisfies the standard's requirements for an effective ISMS. Information Security Officers typically work from such a checklist (or a template derived from it) when running internal ISO 27001 audits ahead of a certification audit. The checklist below follows the 14 control domains of Annex A in ISO/IEC 27001:2013, numbered A.5 to A.18 (here "Section 5" to "Section 18"); note that the 2022 revision of the standard regroups the Annex A controls into four themes (organizational, people, physical, and technological), so this numbering does not match that edition. For each section, the items to check are as follows:

Section 5. Information Security Policies

  • Security policies exist
  • All policies approved by management
  • Evidence of compliance

Section 6. Organization of Information Security

  • Roles and responsibilities defined
  • Segregation of duties defined
  • Contact with relevant authorities (regulators, law enforcement) established
  • Contact with special interest groups and professional security forums established
  • Evidence of information security in project management
  • Defined policy for mobile devices
  • Defined policy for working remotely (teleworking)

Section 7. Human Resources Security

  • Defined policy for screening employees prior to employment
  • Defined policy for HR terms and conditions of employment
  • Defined policy for management responsibilities
  • Defined policy for information security awareness, education, and training
  • Defined policy for disciplinary process regarding information security
  • Defined policy for termination or change of employment responsibilities regarding information security

Section 8. Asset Management

  • Complete inventory list of assets
  • Complete ownership list of assets
  • Defined “acceptable use” of assets policy
  • Defined return of assets policy
  • Defined policy for classification of information
  • Defined policy for labeling information
  • Defined policy for handling of assets
  • Defined policy for management of removable media
  • Defined policy for disposal of media
  • Defined policy for physical media transfer

Section 9. Access Control

  • Defined policy for user registration and de-registration
  • Defined policy for user access provisioning
  • Defined policy for management of privileged access rights
  • Defined policy for management of secret authentication information of users
  • Defined policy for review of user access rights
  • Defined policy for removal or adjustment of access rights
  • Defined policy for use of secret authentication information
  • Defined policy for information access restrictions
  • Defined policy for secure log-on procedures
  • Defined policy for password management systems
  • Defined policy for use of privileged utility programs
  • Defined policy for access control to program source code

Section 10. Cryptography

  • Defined policy for use of cryptographic controls
  • Defined policy for key management

Section 11. Physical and Environmental Security

  • Defined policy for physical security perimeter
  • Defined policy for physical entry controls
  • Defined policy for securing offices, rooms, and facilities
  • Defined policy for protection against external and environmental threats
  • Defined policy for working in secure areas
  • Defined policy for delivery and loading areas
  • Defined policy for equipment siting and protection
  • Defined policy for supporting utilities
  • Defined policy for cabling security
  • Defined policy for equipment maintenance
  • Defined policy for removal of assets
  • Defined policy for security of equipment and assets off-premises
  • Secure disposal or re-use of equipment
  • Defined policy for unattended user equipment
  • Defined clear desk and clear screen policy

Section 12. Operations Security

  • Defined policy for documented operating procedures
  • Defined policy for change management
  • Defined policy for capacity management
  • Defined policy for separation of development, testing, and operational environments
  • Defined policy for controls against malware
  • Defined policy for information backup (backup copies taken and tested regularly)
  • Defined policy for event logging
  • Defined policy for protection of log information
  • Defined policy for administrator and operator logs
  • Defined policy for clock synchronization
  • Defined policy for installation of software on operational systems
  • Defined policy for management of technical vulnerabilities
  • Defined policy for restriction on software installation
  • Defined policy for information system audit control

Section 13. Communication Security

  • Defined policy for network controls
  • Defined policy for security of network services
  • Defined policy for segregation in networks
  • Defined policy for information transfer policies and procedures
  • Defined policy for agreements on information transfer
  • Defined policy for electronic messaging
  • Defined policy for confidentiality or non-disclosure agreements

Section 14. System Acquisition, Development, and Maintenance

  • Defined policy for information security requirements analysis and specification
  • Defined policy for securing application services on public networks
  • Defined policy for protecting application service transactions
  • Defined secure development policy and system change control procedures
  • Defined policy for secure development environments and protection of test data
  • Defined policy for system security testing and system acceptance testing
  • Defined policy for outsourced development

Section 15. Supplier Relationships

  • Defined information security policy for supplier relationships
  • Information security requirements addressed in supplier agreements
  • Defined policy for information and communication technology supply chain security
  • Supplier service delivery monitored and reviewed, and changes to supplier services managed

Section 16. Information Security Incident Management

  • Defined responsibilities and procedures for information security incident management
  • Defined policy for reporting information security events and weaknesses
  • Defined policy for assessing, responding to, and learning from information security incidents
  • Defined policy for collection of evidence

Section 17. Information Security Aspects of Business Continuity Management

  • Defined policy for planning, implementing, and verifying information security continuity
  • Defined policy for redundancies (availability of information processing facilities)

Section 18. Compliance

  • Defined policy for identification of applicable legislation and contractual requirements
  • Defined policy for intellectual property rights
  • Defined policy for protection of records
  • Defined policy for privacy and protection of personally identifiable information
  • Defined policy for regulation of cryptographic control
  • Defined policy for compliance with security policies and standards
  • Defined policy for technical compliance review
  • Independent review of information security carried out at planned intervals

Reasons to adopt ISO 27001

Adopting ISO 27001 gives an organization a defined framework for measuring how effective its information security controls and management system actually are, and for identifying weaknesses in the ISMS and correcting them.

It also places accountability for information security with top management, and certification against the standard gives customers and other stakeholders independent evidence that their security requirements are being met.

How can I get ISO 27001 Certification?

InfosecTrain provides certification training and preparation guidance for the ISO 27001 certification exams. It is a consulting organization focused on a wide range of IT security training, with highly skilled and qualified instructors who have years of industry experience and deliver interactive training sessions on the ISO 27001 standard and its certification exams. You can visit the following link to prepare for the ISO certification exam.

Author: Aakanksha Tyagi, Infosec Train
Aakanksha Tyagi is pursuing her Master's degree in Information Security and Management. She works with full dedication and enjoys writing Information Security blogs. Currently, Aakanksha is working as a content writer at Infosec Train.