Page 1: ISO/IEC 27001 Information security management system and

TÜV SÜD

White paper

ISO/IEC 27001 Information security management system and the road to certification

Abstract

An information security management system (ISMS) is an essential part of an organisation’s defence against cyberattacks and data breaches. ISO/IEC 27001 provides a practical framework for the development and implementation of an effective ISMS. Certification to ISO/IEC 27001 can reduce overall information security risks, ease compliance with applicable security regulations and requirements, and help organisations foster the development of a culture of security.


2 ISO/IEC 27001 | TÜV SÜD

Contents

INTRODUCTION 4

WHAT IS ISO/IEC 27001? 5

THE STRUCTURE AND REQUIREMENTS OF ISO/IEC 27001:2013 6

ROAD TO ISO/IEC 27001 CERTIFICATION 8

THE BENEFITS OF ISO/IEC 27001 CERTIFICATION 9

CONCLUSION 10

About the TÜV SÜD expert

Alexander Häußler, Product Compliance Manager and Lead Auditor, TÜV SÜD

Alexander Häußler is a Product Compliance Manager and a Lead Auditor for TÜV SÜD. Before joining TÜV SÜD, he was a software developer, systems administrator and project leader, responsible for introducing ISO/IEC 27001 at an automotive supplier. He then became the Information Security Officer at the same company. Alexander Häußler can be reached at [email protected].


Introduction

In the 21st century, digitised data is as essential to everyday life as air and water. Unfortunately, cyberattacks and breaches of digitised data are becoming all too common, increasing the risk of fraud for businesses, institutions and ordinary consumers, and imposing a heavy cost on those affected. Even more worrying is the risk to critical infrastructure elements, such as power generation facilities, where cyberattacks could potentially bring major cities and communities to a standstill.

An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches. The standard ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) provides a detailed framework for the development, implementation and maintenance of just such a management system. Certification to ISO/IEC 27001 can represent an important step in an organisation’s efforts to protect its IT infrastructure and to secure the digitised data in its possession.

This white paper discusses the origins and structure of ISO/IEC 27001, describes the overall certification process, and highlights potential benefits.


What is ISO/IEC 27001?

ISO/IEC 27001 is an internationally recognised standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, so that information security risks are identified and treated systematically rather than ad hoc. Organisations that achieve ISO/IEC 27001 certification strengthen their ability to protect themselves against cyberattacks and help prevent unwanted access to sensitive or confidential information.

First published in 2005, ISO/IEC 27001 is based on BS 7799 Part 2, Information Security Management Systems – Specification with guidance for use, which was issued by the British Standards Institution (BSI) in 1999. As originally published, ISO/IEC 27001 was largely based on the “plan-do-check-act” (PDCA) model, also widely used by other management system standards. However, the 2013 revision of the standard adopted the framework detailed in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives. Annex SL mandates a common high-level structure and terminology for all new and newly revised management system standards, and retains the PDCA model only as an underlying principle.

ISO/IEC 27001:2013 also emphasises the importance of measuring and evaluating the effectiveness of an ISMS. Furthermore, the catalogue of reference controls in Annex A was updated to reflect technological developments since the 2005 edition.

The scope of ISO/IEC 27001 is intended to cover all types of information, regardless of its form. These forms can include digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings.


The structure and requirements of ISO/IEC 27001:2013

After adopting the structure and terminology detailed in Annex SL of the Consolidated Supplement of the Directives, ISO/IEC 27001:2013 looks considerably different from the original 2005 edition of the standard. In addition, the standard has been streamlined to eliminate redundant elements, and to provide greater flexibility in the application of its requirements.

A brief summary of the clauses of ISO/IEC 27001:2013 follows.

Clause 0: Introduction
The standard follows a process approach for the implementation of an ISMS. The 2013 edition deletes the explicit references to the “plan-do-check-act” model that the 2005 edition contained.

Clause 1: Scope
The standard specifies generic requirements for an ISMS that can be implemented in an organisation of any type or size.

Clause 2: Normative references
ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, is the only normative reference for ISO/IEC 27001.

Clause 3: Terms and definitions
The standard references ISO/IEC 27000 for all terms and definitions.

Clause 4: Context of the organisation
The standard requires that an organisation evaluates and accounts for the internal and external factors that could affect its ISMS, together with the requirements of interested parties. Such factors could include formal governance policies, contractual and legal obligations, regulatory requirements, environmental conditions and organisational culture. On that basis the organisation defines and documents the scope of the ISMS.

Clause 5: Leadership
This clause requires an organisation’s senior management to establish an information security policy, to provide overall leadership by assigning responsibility and authority to implement that policy, and to actively promote an organisation-wide understanding of the importance of information security.

Clause 6: Planning
The planning clause involves assessing an organisation’s specific information security risks against defined risk acceptance criteria and developing a risk treatment plan to address them. The clause references Annex A as a catalogue of possible controls, but the organisation is ultimately responsible for determining the specific controls necessary to treat the risks it identifies. It must compare the controls it has chosen against Annex A to verify that no necessary control has been overlooked, and record the result, including the justification for every inclusion and exclusion, in a Statement of Applicability. The clause also requires measurable information security objectives.

Clause 7: Support
The standard requires an organisation to provide the resources needed to establish, implement, maintain and continually improve its ISMS, and to ensure the competence and awareness of the people working under its control. It also requires the development and control of documented information about the ISMS.

Clause 8: Operation
This clause addresses the execution of the policies, practices and processes covered in the earlier clauses, and the requirement to retain records that document the results. It also stipulates that risk assessments are repeated at planned intervals or when significant changes occur, and that the risk treatment plan is implemented.

Clause 9: Performance evaluation
Per the requirements of this clause, an organisation must monitor, measure, analyse and evaluate its ISMS at planned intervals to assess its suitability and effectiveness, carry out internal audits, and have top management review the ISMS.

Clause 10: Improvement
This final clause embraces the concept of continual improvement and the importance of identifying nonconformities and taking corrective action to improve the effectiveness of the ISMS.


In addition to these ten clauses, ISO/IEC 27001:2013 includes Annex A, entitled “Reference control objectives and controls”. This annex lists 114 specific controls that ISO and IEC experts have identified as suitable measures. The controls are grouped into 14 “information security domains”, as follows.

A.5 Information security policies (2 controls)
Covers how information security policies are written, reviewed and revised

A.6 Organisation of information security (7 controls)
Details how responsibilities are assigned; also includes controls for mobile devices and teleworking

A.7 Human resource security (6 controls)
Addresses controls before, during and after employment

A.8 Asset management (10 controls)
Outlines responsibilities for the inventory, ownership, classification and handling of information assets within the scope of the ISMS

A.9 Access control (14 controls)
Covers all aspects of access, such as business requirements for access control, user access management, user responsibilities, and system and application access control

A.10 Cryptography (2 controls)
Addresses the policy on the use of cryptographic controls and key management

A.11 Physical and environmental security (15 controls)
Details controls applicable to secure areas and equipment

A.12 Operations security (14 controls)
Includes controls applied to IT operations, such as change management, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management and information systems audit considerations

A.13 Communications security (7 controls)
Encompasses controls related to network security, segregation of networks, network services, and the transfer of information and messaging

A.14 System acquisition, development and maintenance (13 controls)
Addresses security requirements of information systems, security in development and support processes, and test data

A.15 Supplier relationships (5 controls)
Covers controls for agreeing security requirements with suppliers and monitoring supplier service delivery throughout the supply chain

A.16 Information security incident management (7 controls)
Includes controls for reporting security events and weaknesses, response procedures, learning from incidents and the collection of evidence

A.17 Information security aspects of business continuity management (4 controls)
Details the controls required to plan, implement and verify information security continuity, including redundancy of information processing facilities

A.18 Compliance (8 controls)
Applies to the controls needed to identify and comply with applicable laws, regulations and contractual requirements, and to conduct independent information security reviews

As previously noted, the controls in Annex A are offered as possible risk treatment measures for meeting the requirements of Clause 6 of the standard. The organisation is required to make its own determination of the specific controls appropriate to the risks it faces, to check that determination against Annex A so that no necessary control is omitted, and to justify in its Statement of Applicability why each Annex A control is included or excluded.


The road to ISO/IEC 27001 certification

Implementing an ISMS according to the requirements of ISO/IEC 27001 and obtaining certification involves a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations have unique issues to address and vary in their degree of system readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:

Obtain management commitment
The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode the implementation effort.

Define the information security policy
The organisation identifies and defines its information security policy based on the specific goals and objectives it hopes to achieve. This policy serves as a framework for subsequent work by establishing a direction and a set of principles regarding information security.

Define the scope of the ISMS
With its information security policy in place, the organisation then determines the boundaries of its ISMS: which business units, sites, processes, information and supporting systems are covered, and which interfaces and dependencies lie outside it. The scope must be documented, since the certificate will refer to it and the audit will be confined to it.

Complete a risk assessment of current information security practices
Applying a defined and repeatable methodology, the organisation then conducts a thorough risk assessment to identify its information security risks, the threats and vulnerabilities behind them, which of these risks are already adequately addressed, and which require treatment.

Identify and implement risk treatment measures and controls
The organisation selects a treatment option for each identified risk (modifying it with controls, avoiding it, sharing it, or accepting it within its risk acceptance criteria), records the chosen controls and the reasons for including or excluding each Annex A control in its Statement of Applicability, and implements the measures in a risk treatment plan. The results of these measures are then monitored and adjusted as required to improve their effectiveness.

Conduct an ISMS pre-audit
With a tested and proven ISMS in place, the organisation conducts a pre-audit to identify any issues that could negatively affect the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 are then addressed and corrected.

Conduct an ISMS certification audit
Finally, an independent certification body is engaged to conduct a formal audit of the organisation’s ISMS for conformity with ISO/IEC 27001. An initial certification audit is typically carried out in two stages: a stage 1 review of the ISMS documentation and readiness, followed by a stage 2 audit of the implementation and effectiveness of the ISMS. A successful audit results in a recommendation for certification, and the certificate is then issued by the certification body.

Conduct surveillance audits
Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued conformity with the requirements of the standard. A full recertification audit is required every third year following certification.


The benefits of ISO/IEC 27001 certification

Organisations that certify their ISMS to the requirements of ISO/IEC 27001 gain a number of important benefits, including the following:

Regulatory compliance An ISO/IEC 27001-certified ISMS can help an organisation meet the legal and regulatory requirements applicable in many jurisdictions, as well as contractual requirements for doing business with other entities.

Systematic approach ISO/IEC 27001 provides a formal, systematic approach to information security, increasing the level of protection of sensitive and confidential information.

Reduced risk Improved information security can result in a reduction in overall business risk and help to mitigate consequences when breaches actually occur.

Reduced costs By reducing the likelihood and impact of security breaches, ISO/IEC 27001 certification can lower the total costs associated with IT security, as well as the costly consequences of data breaches.

Market advantage An ISO/IEC 27001 certification demonstrates a strong commitment to the security of confidential information, and can deliver a significant marketplace advantage. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001 certified ISMS.


Conclusion

The prevalence of cyberattacks and data breaches is increasing daily, and they now threaten organisations of every size and in every industry. Such breaches compromise the security of sensitive data and can result in significant financial damage and reputational harm. In cases involving critical infrastructure elements, data breaches can affect the safety of millions of people and threaten the well-being of communities of all sizes.

An ISMS is a critical element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS, and organisations that achieve ISO/IEC 27001 certification can significantly reduce the risks and consequences associated with data breaches. Finally, because ISO/IEC 27001 shares the Annex SL high-level structure with other management system standards, organisations certified to several such standards can have their management systems audited in an integrated manner.

TÜV SÜD is a global provider of management system certification services and a leading registrar for ISO/IEC 27001, ISO 9001, ISO 14001 and other management systems standards. Having issued more than 54,000 management systems certifications to date, we have the expertise to provide comprehensive auditing and certification services to organisations of all types and in all industries.


COPYRIGHT NOTICE

The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD. TÜV SÜD may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from TÜV SÜD, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT LAWS. © TÜV SÜD Group – 2019 – All rights reserved – TÜV SÜD is a registered trademark of TÜV SÜD Group.

DISCLAIMER

All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content contained in this publication. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this publication. This publication is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this publication is not intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this publication, you should – where appropriate – contact us directly with your specific query or seek advice from qualified professional people. The information contained in this publication may not be copied, quoted, or referred to in any other publication or materials without the prior written consent of TÜV SÜD. All rights reserved © 2019 TÜV SÜD.

2019 © TÜV SÜD AG | MKG/MS/66.0/en/DE

Protect your information assets

Add value. Inspire trust.

TÜV SÜD is a trusted partner of choice for safety, security and sustainability solutions. It specialises in testing, certification and auditing services. Since 1866, the company has remained committed to its purpose of enabling progress by protecting people, the environment and assets from technology-related risks. Through more than 24,000 employees across over 1,000 locations, it adds value to customers and partners by enabling market access and managing risks. By anticipating technological developments and facilitating change, TÜV SÜD inspires trust in a physical and digital world to create a safer and more sustainable future.

TÜV SÜD AG
Westendstr. 199, 80686 Munich, Germany
+49 89 5791-0
www.tuvsud.com

www.tuvsud.com/iso-27001

[email protected]