ISO 27001 Framework

Has your business considered implementing an information security management system? Do you know much about the ISO 27001 framework?

ISO 27001 is the most widely used standard for information security management systems (ISMS). The ISO 27001 framework outlines the specifications an information security management system must meet.

Companies of every size and from all industries can use the ISO 27001 framework as a guide for creating, implementing, maintaining, and continuously improving an information security management system.

Clients of ours that comply with ISO 27001 have implemented a system to manage risks relating to the security of data that it owns or handles, and that system adheres to all the best practices and guiding principles outlined in this internationally recognised standard.

We support businesses in getting started with ISO 27001 by creating bespoke management systems and offering advice throughout audit days to ensure audits and surveillances run smoothly. We also offer ongoing maintenance to ensure management systems are maintained, up to date and accurate.

We have a framework that is built entirely around your organisation working with what documentation you already have in place. Depending on how much information you already have we can provide timescales with milestones that work for you. We can also provide templates, documentation and policies that you may not already have.

Understanding the ISO 27001 certification process can help you plan for a successful audit and take a lot of the worry out of the process.

One of the major benefits of implementing ISO 27001 is that it can support businesses with tendered work and in gaining access to corporate frameworks. Compliant has helped a number of businesses in becoming ISO 27001 certified to get onto certain frameworks and supplier lists including the NHS supplier framework.

For more ISO 27001 benefits view the full article ‘Benefits of ISO 27001’ here.

Changes to ISO 27001:2013

The most recent version of ISO 27001, ISO 27001:2022, was released this month, October 2023. Companies with ISO 27001:2013 certification have three years to upgrade their information security management system. This is something that we are supporting current clients with.

Our team has undertaken the British Assessment Bureau’s ISO/IEC 27001:2022 Transition training course to gain a thorough understanding of the critical differences between ISO 27001:2013 and ISO 27001:2022. This professional course explored the transitioning requirements as well as potential approaches to efficient and effective transition implementation, which will support us in guiding our clients through the standard’s updates.

The majority of ISO 27001:2022 changes are related to Annex SL, which include:

Context and Scope

Businesses must establish which criteria from interested parties are “relevant” and which requirements the information security management system will address.

The “processes needed and their interactions” must now be included directly in the information security management system.

Planning

Monitoring and “being available as documented information” are increasingly requirements for information security objectives.

The planning of updates to the information security management system has a new clause. You should consider how you can prove that modifications to the information security management system have been planned as this does not specify any processes that must be included.

Support

A requirement to define “how to communicate” has taken the place of requirements to define who will communicate and the procedures for achieving communication.

Operation

The duty to create criteria for processes to implement the actions listed in Clause 6 and to control those processes in accordance with the criteria has taken the place of the requirement to plan how to accomplish information security objectives.

Instead of only controlling processes, organisations must now also manage “externally provided processes, products, or services” that are pertinent to the information security management system.

Annex A

A revision was made to Annex A to bring it into compliance with ISO 27002:2022. The section below goes over the Annex A controls.

We can support your business in addressing any of the changes listed above and have a library of documentation that can be tailored to your business.

Read on to discover more about the ISO 27001 framework.

ISO 27001 Framework; What are the controls for ISO 27001?

There are 14 domains in ISO 27001 Annex A, which are effectively groups of controls. You only need to implement the 114 controls that make sense for your organisation to be compliant. These controls include more than just IT security; they also cover organisational management of processes, human resources, legal compliance, physical security, and other areas.

A.5. Information security policies

These controls describe how the organisation should handle its information security policies. We can provide a range of audit proof information security policies including;

Master Information Security Policy
Access Control Policy
Cryptographic Policy
Physical Security Policy
Clear Desk and Clear Screen Policy
Anti-Malware Policy
Backup Policy
Logging and Monitoring Policy
Software Policy
Technical Vulnerability Management Policy
Network Security Policy
Electronic Messaging Policy
Secure Development Policy
Availability Management Policy
IP and Copyright Compliance Policy
Records Retention and Protection Policy
Privacy and Personal Data Protection Policy

A.6. Organisation of information security

These controls provide a framework for information security by defining the internal organisation, such as roles and responsibilities, as well as other information security aspects of the organisation such as the use of mobile devices, project management and even teleworking.

A.7. Human resource security

This domain presents controls that tackle the information security aspects of HR. For this section our management packs include Segregation of Duties Guidelines, Authorities and Specialist Group Contacts, Information Security Guidelines for Project Management, Mobile Device Policy, Teleworking Policy and a Segregation of Duties Worksheet.

A.8. Asset management

These controls concern assets that are used in information security as well as designating responsibilities for their security. We can support with an Information Classification Procedure, an Information Labelling Procedure and show you how to correctly record IT assets in your asset register.

A.9. Access control

These controls limit access to information assets and are both logical access controls and physical access controls. Our Access Control Policy and User Access Management Process are key documents for this annex.

A.10. Cryptography

This domain presents us with a proper basis for use of encryption to protect the confidentiality, authenticity and integrity of your organisation’s information.

A.11. Physical and environmental security

These controls are concerned with physical areas, equipment and facilities and protect against intervention, both by humans and nature.

A.12. Operations security

These controls ensure that the organisation’s IT systems, operating systems and software are protected. Our Operating Procedure, Change Management Process, Capacity Plan, Technical Vulnerability Assessment Procedure and Information Systems Audit Plan will ensure this annex is covered with supporting evidence from the following policies which we will create for you;

Anti-Malware Policy
Backup Policy
Logging and Monitoring Policy
Software Policy
Technical Vulnerability Management Policy

A.13. Communications security

These are controls for the network (infrastructure and services) and the information that travels through it. It is important to ensure that Network Services Agreements, Information Transfer Agreements, Information Transfer Procedures, Schedule of Confidentiality Agreements and Non-Disclosure Agreements are all in place for this annex.

A.14. System acquisition, development and maintenance

Controls to ensure that information security is paramount when purchasing or upgrading information systems.

A.15. Supplier relationships

These controls are meant to ensure that suppliers/partners use the right Information Security controls and describe how third-party security performance should be monitored. For this annex we can support by offering Information Security Policy for Supplier Relationships, Supplier Information Security Agreements and a Supplier Due Diligence Assessment Procedure.

A.16. Information security incident management

This domain contains controls related to security incident management related to security incident handling, communication, resolution and prevention of incident reoccurrence.

A.17. Information security aspects of business continuity management

Controls to ensure information security management continuity during disruptions as well as information system availability. Our Business Continuity Plan, BC Exercising and Testing Schedule, Business Continuity Test Plan and Business Continuity Test Report have been tested on numerous audits and will ensure you are covered for this annex.

A.18. Compliance

The controls in this domain are a framework to prevent legal, regulatory, statutory and breaches of contract. They also can be used to audit whether your implemented information security is effective based upon the ISO 27001 standard.

We have proven evidence for all of the annexes listed above and are happy to walk clients through any of the documents and how they can be put to use in real working environments.

When will I be able to obtain ISO 27001:2022 certification?

You can already obtain certification against ISO 27001:2022, as accreditation organisations like UKAS (United Kingdom Accreditation Service) are required to be prepared to evaluate certifying bodies against new standards within six months of its publication.

From 30 April 2024, all certification agencies must only offer certification for the 2022 edition of ISO 27001.

This indicates that you have until April 29, 2024, to obtain certification in accordance with ISO 27001:2013. Regardless of how long they have been in existence, all ISO 27001:2013 certificates will expire or be removed on October 31, 2025.

So if you need support in moving your management system to the 2022 version of ISO 27001 please reach out to us today.

Is ISO 27001 necessary?

Considering threats like data theft, cybercrime, and accountability for privacy leaks it is essential for all organisations today. You must strategically consider its information security requirements in relation to goals, procedures, size, and structure. Your business can implement a risk management approach that is customised to your size and needs using the ISO 27001 framework, and you can scale it as needed with our support.

While the majority of ISO 27001-certified businesses are in the information technology (IT) sector, the advantages of this standard have persuaded businesses from all industries as shown by our range of case studies.

Businesses that follow the comprehensive strategy outlined in ISO 27001 will make sure information security is integrated into management controls, information systems, and organisational processes. They become more effective and frequently become leaders in their respective sectors.

Why we recommend having ISO 27001 in place

To make sure your information security incident management is well thought out and clearly successful.
To protect all assets, including the private financial data and intellectual property of your company.
To guide activities, such as your access control policy, communications security, system acquisition, information security parts of business continuity planning, and many others, put established information security policies in place.
To perform information security risk assessment and management tasks in a transparent, straightforward, and realistic way.
To make sure that important stakeholders and other parties are aware of, on board with, and, when necessary, fully compliant with your information security safeguards.
To comply with any industry-specific rules or standards established by the appropriate regulatory organisations.
To protect the personal information of customers and staff.

Check out an earlier article of ours where we explore in detail the benefits of having ISO 27001 in place.

How long does ISO 27001 certification take?

Compliant can get a company through ISO 27001 certification in just 14 days if needed. However, we recommend an initial 6-week period to enable time for discussions, implementation and making the management system bespoke to the individual company.

We then move onto a stage 1 audit with your chosen UKAS certified certification body. Compliant ensures that clients are fully ready for stage 2 audits and ongoing surveillances. The stage 2 audit is always within 3 months of the stage 1 audit.

A 6-month period is our recommended allocation time for becoming ISO 27001 certified.

ISO 27001 Framework; Our top tips for keeping information secure

If you are still pondering whether ISO 27001 is right for your business here are some of our top tips for keeping information safe and secure:

Deliver appropriate training on information security for staff to reduce internal risks.
Establish processes and policies to ensure the secure destruction of information and data.
Implement an effective continuity plan.
Monitor information security risks.
Record any information security failings.

Why partner with Compliant for ISO 27001

As part of National Cyber Security Awareness Month, we want all businesses to consider the benefits of having an information security management system in place and in particular ISO 27001.

We have supported companies from a range of industries in getting started with ISO 27001. Show your commitment to information security this National Cyber Security Awareness Month with a UKAS certified ISO certification from Compliant.