ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO...

9
TÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management system (ISMS) is an essential part of an organization’s defense against cyberattacks and data breaches. ISO/IEC 27001 provides a critical framework for the development and implementation of an effective ISMS. Certification to ISO/IEC 27001 can reduce overall information security risks, ease compliance with applicable security regulations and requirements, and help organizations foster the development of a culture of security.

Transcript of ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO...

Page 1: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

TÜV SÜD

White paper

ISO 27001: Information Security and the Road to Certification

AbstractAn information security management system (ISMS) is an essential part of an organization’s defense against cyberattacks and data breaches. ISO/IEC 27001 provides a critical framework for the development and implementation of an effective ISMS. Certification to ISO/IEC 27001 can reduce overall information security risks, ease compliance with applicable security regulations and requirements, and help organizations foster the development of a culture of security.

Page 2: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

2 ISO/IEC 27001 | TÜV SÜD

Contents

INTRODUCTION 3

WHAT IS ISO/IEC 27001? 3

THE STRUCTURE AND REQUIREMENTS OF ISO/IEC 27001:2013 4

ROAD TO ISO/IEC 27001 CERTIFICATION 6

THE BENEFITS OF ISO/IEC 27001 CERTIFICATION 7

CONCLUSION 7

Alexander HäußlerProduct Compliance Manager and Lead Auditor, TÜV SÜD Alexander Häußler is a Product Compliance Manager and a Lead Auditor for TÜV SÜD. Before joining TÜV SÜD, he was a software developer, systems administrator, and a project leader responsible for introducing ISO 27001 at an automotive supplier. He then became the Information Security Officer at the same company. Alexander Häußler can be reached at [email protected].

About the TÜV SÜD expert

Page 3: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

ISO/IEC 27001 | TÜV SÜD3

Introduction

In the 21st century, digitized data is as essential to everyday life as air and water. Unfortunately, cyberattacks and breaches of digitized data are becoming all too common, increasing the risk of fraud for businesses, institutions and ordinary consumers, and inflicting a huge price on those affected. Even more frightening is the risk to critical infrastructure elements, such as electric and power generation facilities, where cyberattacks could

potentially bring major cities and communities to a standstill.

An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches. The standard ISO/IEC 27001, Information security management systems, provides a detailed framework for the development, implementation and maintenance of

just such a management system, and certification to ISO/IEC 27001 can represent an important step in an organization’s efforts to protect its IT infrastructure and to secure digitized data in its possession.

This white paper discusses the origins and structure of ISO/IEC 27001, describes the ISO/IEC 27001 certification process, and details the potential benefits of ISO/IEC 27001 certification.

ISO/IEC 27001 is an internationally-recognized standard published by the International Organization for Standardization (or ISO). The standard specifies the requirements for implementing and maintaining an effective ISMS to protect against the root causes of information security risks. Organizations that achieve ISO/IEC 27001 certification strengthen their ability to protect themselves against cyberattacks and help prevent unwanted access to sensitive or confidential information.

First published in 2005, ISO/IEC 27001 is based on BS 7799 Part 2, Information Security Management

Systems—Specification with guidance for use, issued by the British Standards Institute in 1999. As originally published, ISO/IEC 27001 was largely based on the “plan-do-check-act” (PDCA) model then widely used by other management system standards. However, a 2013 revision of the standard adopted the framework detailed in Annex SL of the Consolidated Supplement of the ISO/IEC Directives. Annex SL mandates the use of a common structure and terminology in all new and newly revised management system standards, and maintains the PDCA model only as a basic principle.

ISO/IEC 27001:2013 also emphasizes the importance of measuring and evaluating the effectiveness of an ISMS, and includes a section on managing outsourced IT services, since a number of organizations choose to partner with outside companies for IT support rather than manage it themselves.

The scope of ISO/IEC 27001 is intended to cover all types of information regardless of its form. These forms can include digitized data, documents, drawings, photographs, electronic communications and transmissions, and recordings.

What is ISO/IEC 27001?

Page 4: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

4TÜV SÜD | ISO/IEC 27001

The Structure and Requirements of ISO/IEC 27001:2013

After adopting the structure and terminology detailed in Annex SL of the Consolidated Supplement of the Directives, ISO/IEC 27001:2013 looks considerably different from the original 2005 edition of the standard. In addition, the standard has been streamlined to eliminate redundant elements and to provide greater flexibility in the application of its requirements.

Here is a brief summary of the clauses of ISO/IEC 27001:2013:

CLAUSE NUMBER CLAUSE DESCRIPTION

Clause 0: IntroductionThe standard follows a process approach for the implementation of an ISMS. The 2013 edition deletes specific references to the “plan-do-check-act” model.

Clause 1: ScopeThe standard specifies general requirements for an ISMS that can be implemented in an organization of any type or size.

Clause 2: Normative references—ISO/IEC 27000:2014, Information technology

Security techniques – Information security management systems –Overview and vocabulary, is the only mandatory normative reference for ISO/IEC 27000.

Clause 3: Terms and definitions The standard references ISO/IEC 27000 for all terms and definitions.

Clause 4: Context of the organization

The standard requires that an organization evaluate and account for all internal and external factors that could affect its ability to successfully implement an ISMS. Such factors could include formal governance policies, contractual and legal obligations, regulatory requirements, environmental conditions and organizational culture.

Clause 5: Leadership

This clause of the standard requires an organization’s senior management to establish an information security policy, to provide overall leadership by assigning responsibility and authority to implement that policy, and to actively promote an organization-wide understanding of the importance of information security.

Clause 6: Planning

The planning clause involves assessing an organization’s specific risks regarding information security and developing a treatment plan to address those risks. This clause references Annex A for possible risk control mechanisms to be considered, but an organization is ultimately responsible for the determination of the specific controls necessary to address the risks it identifies.

Clause 7: SupportThe standard requires an organization to provide the necessary resources to establish, implement, maintain and continuously improve its ISMS. It also requires the development and control of documented information about the ISMS.

Clause 8: Operation

This clause addresses the execution of the policies, practices and processes that are covered in the earlier clauses, and the requirement to maintain suitable records that document the results. It also stipulates the conduct of performance assessments at planned intervals.

Clause 9: Performance evaluationPer the requirements of this clause, an organization must monitor, measure, analyze and evaluate its ISMS at planned intervals to assess its suitability and effectiveness.

Clause 10: ImprovementThis final clause embraces the concept of continual improvement and the importance of identifying nonconformities, and taking corrective action to improve the effectiveness of the ISMS.

Page 5: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

ISO/IEC 27001 | TÜV SÜD5

In addition to these ten clauses, ISO/IEC 27001:2013 also includes Annex A, entitled “Reference Control Objectives and Controls.” This Annex identifies 114 specific controls that are taken directly from ISO/IEC 27002, Information security management. These controls are categorized under one of 14 different “Code of practice for information security controls,” as follows:

ANNEX NUMBER ANNEX DESCRIPTION

A.5: Information security policies (2 controls) Covers how information security policies are written, reviewed and revised.

A.6: Organization of information security (7 controls)

Details how responsibilities are assigned; also includes controls for mobile devices and teleworking.

A.7: Human resource security (6 controls) Addresses controls before, during, and after employment.

A.8: Asset management (10 controls)Encompasses hard and soft assets, including information classification and media handling.

A.9: Access control (14 controls)Covers all aspects of access, such as access control requirements, user access management, and system and application access and control.

A.10: Cryptography (2 controls) Addresses encryption and key management controls.

A.11: Physical and environmental security (15 controls)

Details controls applicable to secure areas and equipment.

A.12: Operations security (14 controls)Includes controls applied to IT security operations, such as control of operational software, protection from malware, backup, logging and monitoring, technical vulnerability management and audit considerations.

A.13: Communication security (7 controls)Encompasses controls related to network security, segregation, network services, transfer of information and messaging.

A.14: System acquisition, development and maintenance (13 controls)

Addresses controls for security requirements of information systems and security in development and support processes.

A.15: Supplier relationships (5 controls) Covers controls for monitoring suppliers throughout the supply chain.

A.16: Information security incident management (7 controls)

Includes controls for reporting security events and weaknesses, response procedures and the collection of evidence.

A.17: Information security aspects of business continuity management (4 controls)

Details controls required for the planning of secure business continuity, including procedures, verification practices and system redundancy.

A.18: Compliance (8 controls)Applies to the controls needed to identify applicable security laws and regulations and the conduct of information security reviews.

As previously noted, the controls identified in Annex A are offered as possible risk control mechanisms for addressing the requirements found in Clause 6 of the standard. However, an organization is required to make a full and independent determination of the specific control mechanisms that are appropriate to address the specific risks it faces.

Page 6: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

6TÜV SÜD | ISO/IEC 27001

The Road to ISO/IEC 27001 CertificationImplementing an ISMS according to the requirements of ISO/IEC 27001 and obtaining certification includes a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organizations will have unique issues to address, and vary in their degree of system readiness. However, the following steps apply to most organizations, regardless their industry or level of preparedness:

Page 7: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

ISO/IEC 27001 | TÜV SÜD7

The Benefits of ISO/IEC 27001 Certification

Organizations that certify their ISMS to the requirements of ISO/IEC 27001 gain a number of important benefits, including the following:

Regulatory compliance An ISO/IEC 27001-certified ISMS can help an organization meet the legal and regulatory requirements applicable in many jurisdictions, as well as contractual requirements for doing business with other entities.

Systematic approach ISO/IEC 27001 provides a formal, systematic approach to data security, increasing the level of protection of private and confidential information.

Reduced risk Greater data security can result in a reduction in overall business risks and help to mitigate consequences when breaches actually occur.

Reduced costs By reducing the risk of security breaches, ISO/IEC certification can actually lower the total costs associated with IT security, as well as the costly consequences associated with data breaches.

Market advantage Organizations that have received ISO/IEC 27001 certification clearly signal their commitment to the security of confidential information, and can enjoy an important advantage in the marketplace against non-certified competitors.

ConclusionThe prevalence of cyberattacks and data security breaches are increasing daily and now threaten organizations of every size and in every industry. Such breaches compromise the security of private or sensitive data and can result in significant financial damage and reputational harm. In cases involving critical infrastructure elements, data security breaches can affect the safety of millions of people, and threaten the well-being of communities of all sizes.An ISMS is a critical element in the effort to control or mitigate the

risk associated with cyberattacks against digitized data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS, and organizations that achieve ISO/IEC 27001 certification can significantly reduce the risks and consequences associated with data breaches. Finally, ISO/IEC 27001 is compatible with other management systems standards, easing the auditing process for organizations certified to multiple management systems standards.

TÜV SÜD is a global leader in management system solutions and a leading registrar for ISO/IEC 27001, ISO 9001, ISO 14001 and other management systems standards. Having issued more than 54,000 management systems certifications to date, we have the expertise to provide comprehensive auditing and certification services to organizations of all types and in all industries. We can also assist your organization in your ISO/IEC 27001 transition planning, providing you with a smooth path to recertification.

Page 8: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

8TÜV SÜD | ISO/IEC 27001

COPYRIGHT NOTICEThe information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD. TÜV SÜD may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from TÜV SÜD, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT LAWS. © TÜV SÜD Group – 2015 – All rights reserved - TÜV SÜD is a registered trademark of TÜV SÜD Group.

DISCLAIMERAll reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content contained in this newsletter. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this newsletter. This newsletter is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this newsletter is not intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this newsletter, you should – where appropriate – contact us directly with your specific query or seek advice from qualified professional people. The information contained in this newsletter may not be copied, quoted, or referred to in any other publication or materials without the prior written consent of TÜV SÜD. All rights reserved © 2015 TÜV SÜD.

Page 9: ISO 27001: Information Security and the Road to · PDF fileTÜV SÜD White paper ISO 27001: Information Security and the Road to Certification Abstract An information security management

2015

© T

ÜV S

ÜD A

mer

ica

| US-

MKG

/MS/

2.0/

en/U

S

Secure your information system now

Choose certainty. Add value.TÜV SÜD is a premium quality, safety and sustainability solutions provider that specializes in testing, inspection, auditing, certification, training and knowledge services. Represented in over 800 locations worldwide, we hold accreditations in Europe, the Americas, the Middle East and Asia. By delivering objective service solutions to our customers, we add tangible value to businesses, consumers and the environment.

TÜV SÜD America 10 Centennial DrivePeabody, MA 01960(800) TUV-0123www.tuv-sud-america.com

www.tuv-sud-america.com

[email protected]