\r\n| \r\n Clause<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Summary of ISO\/IEC 27001 Requirements<\/span><\/b> <\/span><\/p>\r\n<\/td>\r\n | \r\n Mandatory<\/b>-Only Documentation<\/b>\u00a0<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 4 Context of the organization<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n This clause in ISO\/IEC 27001 asks organizations to consider both external and internal factors that could affect how they manage information security. It also asks you to understand the needs and expectations of stakeholders, and to identify any key relationships or dependencies. All of this is considered when defining the scope of your ISMS.<\/p>\r\n Your ISMS scope<\/strong> sets the boundaries for which data and information will be protected under the system, and which will not. This applies no matter where the information is stored or accessed, whether it is in your offices, in the cloud, or from a remote location.<\/p>\r\nISO\/IEC 27001 refers to the scope as the \u201cboundary and applicability\u201d of the ISMS. In simple terms, it is about being clear on what is included in your security efforts, and what sits outside of them.<\/p>\r\n<\/td>\r\n \r\n The ISMS Scope<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 5 Leadership<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n ISO\/IEC 27001 is frequently referred to as a \u201ctop-down management driven\u201d management system. One of the standard\u2019s key clauses outlines what is expected from top management. It requires them to show clear leadership and commitment<\/strong>, set and share a high-level Information Security Policy<\/a>, and make sure that everyone involved in the ISMS knows their roles, responsibilities and authority. In short, it is about strong governance and clear communication from the top.<\/p>\r\n<\/td>\r\n| \r\n An Information Security Policy<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 6 Planning<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n As the clause title indicates, organizations are required to plan<\/strong> the establishment and implementation of their ISMS.<\/p>\r\nThis involves identifying and addressing risks and opportunities, assessing, and treating information security risks, setting clear information security objectives, and planning for change.<\/p>\r\n These objectives should be communicated effectively and, where practical, monitored and measured, taking into account security requirements as well as the outcomes of risk assessments and treatments.<\/p>\r\n Plans should be developed to achieve these objectives, detailing the \u201cwhat,\u201d \u201chow,\u201d \u201cwhen,\u201d and \u201cwho.\u201d<\/p>\r\n Additionally, any changes to the ISMS must be managed in a planned and controlled manner. <\/span>\u00a0<\/span><\/p>\r\n<\/td>\r\n \r\n Information security risk assessment process<\/span><\/p>\r\nInformation security risk treatment process<\/span><\/p>\r\nInformation security objectives<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 7 Support<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Another well-named clause in ISO\/IEC 27001 sets out what is needed to properly support<\/strong> an ISMS.<\/p>\r\nThis includes making sure the organization provides enough time, people, funding, information, and infrastructure to run it effectively.<\/p>\r\n It also covers the competence of personnel<\/strong>, with a requirement to take action if someone lacks the necessary skills.<\/p>\r\nEveryone in the organization must have a basic level of information security awareness<\/strong>. On top of that, communication around the ISMS must be planned and purposeful, and the management of ISMS-related documents (known as \u201cdocumented information<\/strong>\u201d) needs to be handled in a clear, efficient, and effective way.<\/p>\r\n<\/td>\r\n| \r\n Evidence of competence (for all relevant ISMS roles<\/i>)<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 8 Operation<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Building on previous clause requirements which establish and implement an ISMS, organizations now need to operate<\/strong> and maintain<\/strong> (including continual improvement) their ISMS.<\/p>\r\nClause 8 focuses on putting the ISMS into action. It outlines what is needed to run the system day to day and make sure it meets the standard\u2019s requirements and supports your organization\u2019s ISMS objectives.<\/p>\r\n This includes planning, implementing, and controlling all relevant processes. To do this, you need to set clear criteria for how processes should work and make sure they are followed.<\/p>\r\n The clause also highlights the need to manage changes effectively, oversee any outsourced processes, and keep up with ongoing risk assessment and treatment.<\/p>\r\n<\/td>\r\n \r\n The results of operationalised<\/i> risk assessment and treatment<\/span><\/p>\r\nAdditionally, optional<\/i> documentation can be generated to underpin organizational confidence that ISMS processes are carried out as planned<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 9 Performance evaluation<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n This clause focuses on using data and insight to support continual improvement<\/b> of the ISMS. It sets out requirements for monitoring, measuring, analysing and evaluating<\/b> how the system is performing. The organization decides what to monitor, how to do it, when it should happen and who is responsible.\u00a0<\/span><\/p>\r\nIt also covers the need for internal audits<\/b> and regular management reviews<\/b> at planned intervals.\u00a0<\/span><\/p>\r\nIn short, this clause asks organizations to review how well their ISMS is working, and whether it continues to be suitable, effective and fit for purpose.\u00a0<\/span><\/p>\r\n<\/td>\r\n | \r\n The results of monitoring, measurement, analysis and evaluation<\/span><\/p>\r\nA fully documented internal audit program<\/span><\/p>\r\nThe results of ISMS review by Top Management<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 10 Improvement<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Building on the results from performance evaluation in Clause 9, this final mandatory clause focuses on continual improvement<\/b> of the ISMS.\u00a0<\/span><\/p>\r\nIt requires organizations to regularly review how suitable, adequate and effective their ISMS is. It also covers how to handle nonconformities<\/b> when something doesn\u2019t meet the standard by taking the right corrective action<\/b>.\u00a0<\/span><\/p>\r\nNonconformities might be spotted during internal or external audits, reviews of security incidents, or day-to-day observations. Addressing these issues properly is a key part of keeping the ISMS effective over time.\u00a0<\/span>\u00a0<\/span><\/p>\r\n<\/td>\r\n | \r\n Nonconformities (the nature of<\/i>), corrective actions and their results<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n <\/p>\r\n \r\n \r\n\r\n\r\n| \r\n Annex A Information Security Controls Reference <\/span><\/p>\r\n<\/th>\r\n<\/tr>\r\n<\/thead>\r\n\r\n\r\n| \r\n IMPORTANT NOTE: The controls provided in Annex A are NOT MANDATORY as the standard specifies that organizations can design their own controls as required or identify them from any source\u2014of course including from Annex A. Irrespective of the source of an organization\u2019s controls, they are only implemented when determined necessary to implement risk treatment options (in response to analyzed unacceptable risk to the confidentiality, integrity and availability of organizational information and information processing facilities).<\/p>\r\n<\/th>\r\n<\/tr>\r\n | \r\n| \r\n Clause<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Summary of Requirements<\/b>\u00a0<\/span><\/p>\r\n<\/td>\r\n | \r\n Example<\/i><\/b>, <\/b>typical or suggested\/inferred <\/i><\/b>documentation<\/b>\u00a0<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 5 Organizational controls<\/b> (37 Controls)<\/span><\/p>\r\n<\/th>\r\n | \r\n This group includes 37 controls<\/b> that are organizational in nature<\/b>. They focus on managing risks linked to governance, management, and day-to-day operations rather than technical systems, people, or physical security.<\/span><\/p>\r\nLike all Annex A controls, these can be preventive<\/b>, detective<\/b> and\/or corrective<\/b> in how they work.\u00a0<\/span><\/p>\r\nExamples include controls related to information security governance (policies, procedures, roles and responsibilities, segregation of duties, contacts, etc.<\/i>), threat intelligence, asset management, Identity and Access Management (IAM<\/i>), supplier relations, information security incident management, legal, statutory, regulatory and contractual requirements (including IP, record and PII protection, independent review and compliance<\/i>).\u00a0<\/span><\/p>\r\n<\/td>\r\n | \r\n Information security and topic-specific policies<\/span><\/p>\r\nInventory of assets<\/span><\/p>\r\nRules for acceptable use of assets (mandatory<\/i><\/b>)<\/span><\/p>\r\nInformation classification and labelling procedures<\/span><\/p>\r\nRules for physical and logical access<\/span><\/p>\r\nSupplier agreements (to include organizational information security requirements<\/i>)<\/span><\/p>\r\nInformation security incident management procedures (mandatory<\/i><\/b>)<\/span><\/p>\r\nInformation security continuity (plans, testing, etc.<\/i>)<\/span><\/p>\r\nLegal, statutory, regulatory and contractual requirements and approach to compliance (mandatory<\/i><\/b>)<\/span><\/p>\r\nDocumented information process and information process facilities operating procedures (mandatory<\/i><\/b>)<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 6 People controls (8 Controls)<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n This section includes 8 controls<\/strong> that are HR-related. They focus on managing risks connected to people<\/b> in the organization and how they interact with information and the systems used to process it.\u00a0<\/span><\/p>\r\nLike all Annex A controls, these can be preventive, detective <\/b>and\/or corrective <\/b>in how they work.\u00a0<\/span><\/p>\r\nExamples include controls related to pre-employment (screening, terms and conditions, confidentiality\/NDAs<\/i>), during employment (awareness, disciplinary process, remote working, incident reporting<\/i>) and personnel termination (responsibilities after termination or change<\/i>).\u00a0<\/span><\/p>\r\n<\/td>\r\n \r\n Personnel terms and conditions of employment (including information security responsibilities<\/i>)<\/span><\/p>\r\nFormal disciplinary process<\/span><\/p>\r\nConfidentiality or non-disclosure agreements (mandatory<\/i><\/b>)<\/span><\/p>\r\nRemote working requirements<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 7 Physical controls (14 Controls)<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Contains a selection of 14 controls<\/strong> designed to primarily respond to or modify risks associated with the physical site and environment<\/b>.\u00a0\u00a0<\/span><\/p>\r\nLike all Annex A controls, these can be preventive, detective <\/b>and\/or corrective <\/b>in how they work.\u00a0<\/span><\/p>\r\nExamples include controls for physical perimeter, entry and the internal security of offices, rooms and facilities (all including monitoring<\/i>), procedures for working in secure areas, protection of all physical assets (onsite and offsite<\/i>), equipment maintenance, secure disposal and clear desk and screen.\u00a0<\/span><\/p>\r\n<\/td>\r\n \r\n Building and services schematics<\/span><\/p>\r\nProcedures for working in secure areas<\/span><\/p>\r\nRules for clear desks and screens<\/span><\/p>\r\nRules for the management of the lifecycle of storage media (can be related to organizational asset management controls, including classification and labelling<\/i>)<\/span><\/p>\r\nEquipment maintenance agreements and records (can be related to organizational supplier relation controls<\/i>)<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n\r\n| \r\n Clause 8 Technological controls (34 Controls)<\/b>\u00a0<\/span><\/p>\r\n<\/th>\r\n | \r\n Contains a selection of 34 controls<\/strong> designed to primarily respond to or modify risks associated with the use of technology<\/b>.\u00a0\u00a0\u00a0<\/span><\/p>\r\nAs with all Annex A controls, they have preventive, detective<\/b> and\/or corrective <\/b>attributes.\u00a0<\/span><\/p>\r\nExamples include controls for IT operations (configuration management, capacity management, end point device management, information and utility access restrictions, authentication, malware protection, technical vulnerability management, backup, data masking and leakage prevention, redundancy, logging and monitoring<\/i>), network operations (network security, services, segregation, filtering<\/i>), cryptography, secure software development (lifecycle, policy, principles, coding, testing, outsourcing<\/i>) and change management.\u00a0<\/span><\/p>\r\n<\/td>\r\n \r\n Technical vulnerability management process and procedures<\/span><\/p>\r\nConfiguration management (mandatory<\/i><\/b>)<\/span><\/p>\r\nBackup policy<\/span><\/p>\r\nLogging and monitoring procedures and activities<\/span><\/p>\r\nNetwork diagrams<\/span><\/p>\r\nRules for secure development (lifecycle and secure coding<\/i>)<\/span><\/p>\r\nChange management procedure or process<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n\u00a0<\/h2>\r\nWhat To Expect From the ISO\/IEC 27001 Certification Process<\/h2>\r\nUndertaking ISO\/IEC 27001 certification is a strategic investment, helping an organization to improve its information security management.<\/span>\u00a0<\/span><\/p>\r\nThe journey begins with a <\/span>Stage 1 Audit\u00a0<\/span><\/b>by a qualified auditor, who will review the readiness of the ISMS and identify, if necessary, any potential nonconformities. An organization will then implement any necessary changes before continuing the certification process.<\/span>\u00a0<\/span><\/p>\r\nOnce the identified issues are addressed, the organization will progress to the <\/span>Stage 2 Audit.<\/span><\/b> | | | | | | | | | | | | | | | | | | | | | |