2021 saw at least 1,862 data breaches, 68 percent more than the number of breaches in 2020 and a new record that surpassed the previous record of 1,506 set in 2017. Moreover, the average cost of a breach climbed from $3.86 million in 2020 to $4.24 million in 2021.

That $4.24 million includes the costs of investigating an incident and implementing or strengthening the controls needed to mitigate the harm. There may also be other expenses such as legal fees, fines, and the opportunity cost of lost business and customers.

To avoid such costs and protect their information from bad actors, every modern organization needs a robust information security management system (ISMS).

If your organization aims to implement an ISMS, the wise move is to use a set of well-established standards and codes of practice to guide your project. One such standard is ISO 27001.

This article will tell you everything you need to know about the ISO/IEC 27001 standard to implement and strengthen your ISMS.

What Is an Information Security Management System?

An ISMS is an ecosystem of controls, policies, tools, and systems that allows organizations to manage their information, reduce information security risks, and optimize overall information security.

A robust ISMS can help you design, implement, manage, and maintain appropriate information security controls that are essential to protect the confidentiality, availability, and integrity – also known as the “CIA Triad” – of all your information assets.

You can also identify the threats and vulnerabilities affecting your data and take steps to boost the data’s security and privacy. You can protect your data from bad actors and prevent it from being compromised in a cyberattack or attempted breach. Even if a breach does happen, the ISMS can limit its impact on sensitive information resources.

With a documented and optimized ISMS, you can also demonstrate your approach to strengthening the security and privacy of business-critical or sensitive data; that can soothe customers or business partners nervous about entrusting their data to you. Indeed, an ISMS can help you to:

  • Gain customers’ trust and build stronger relationships;
  • Reduce the remediation costs of breaches and cyberattacks;
  • Comply with regulatory standards, such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and PCI-DSS (Payment Card Industry Data Security Standard);
  • Avoid or reduce regulatory and legal costs, such as legal fees or fines;
  • Enhance brand value and strengthen your reputation;
  • Enter new markets and win new business.

What Is ISO 27001?

To achieve all the benefits of an ISMS, you need to understand its various requirements and streamline its implementation. Here’s where ISO 27001 comes in.

The ISO 27001 standard (also known as ISO/IEC 27001) was first published in 2005 by the International Organization for Standardization (ISO). The latest version of the standard is ISO 27001:2013. It is an internationally recognized standard that clarifies the various requirements and best practices for all kinds of organizations to establish their ISMS.

ISO 27001 recommends a list of security controls to help you implement the policies and procedures required to protect your information for business, contractual, or regulatory compliance purposes.

By adhering to ISO 27001’s best practices, you can optimize the security of many types of information assets, including financial or healthcare information, intellectual property, business secrets, employee details, and information entrusted by third parties.

With an ISO 27001 certification, you document the information security policies, procedures, and controls you have implemented as part of your ISMS. This reassures customers, third parties, and other stakeholders that you follow globally accepted recommendations for information security, risk management, risk remediation, and vendor due diligence.

ISO/IEC 27001 certification is not a mandatory requirement. If you achieve it, however, you show that your ISMS aligns with all or most of the standard’s controls and that an accredited certification body has confirmed this alignment. You can also reduce the impact and cost of data breaches.

Key Controls in ISO 27001

There are two key parts in the ISO/IEC 27001:2013 standard:

  1. Clauses 0-10
  2. Annex A

Clauses 0-10

Clauses 0, 1, 2, and 3 (Introduction, Scope, Normative References, Terms and definitions) introduce the standard.

Clauses 4-10 specify the minimal requirements to achieve ISO 27001 certification. The provisions of these clauses are as follows:

Clause 4: Context of the organization
  • Understand the company’s context, external and internal issues (including regulatory issues), and interested parties/stakeholders to define the scope of the ISMS

Clause 5: Leadership
  • Establish the objectives of the ISMS from the top down according to the organization’s strategic objectives
  • Provide the resources required for the ISMS
  • Establish policies around information security
  • Assign roles and responsibilities to meet ISO 27001 requirements and report on ISMS performance

Clause 6: Planning
  • Perform an information security risk assessment to set ISMS objectives and create a risk treatment plan based on the controls listed in Annex A

Clause 7: Support
  • Provide staff training to improve ISO/IEC 27001 awareness and communication

Clause 8: Operation
  • Plan, implement, and control processes to implement and maintain information security
  • Put the risk assessment and risk treatment plan into action

Clause 9: Performance evaluation
  • Conduct regular internal certification audits and management reviews to monitor, measure, analyze, and evaluate the ISMS

Clause 10: Improvement
  • Take corrective actions to address any non-conformities identified during performance evaluations and implement a continual improvement process to maintain the ISMS

Annex A

Annex A provides guidelines around the 114 reference control objectives and controls you might implement as part of your risk management process. Implementing these controls can help your organization meet its ISO 27001 requirements and drive a robust ISMS structure.

You don’t need to implement all of the ISO 27001 control sets of Annex A. Conduct a gap analysis of your current degree of compliance and implement those controls required to achieve full compliance.

The 114 controls in Annex A are divided across 14 domains or categories. Each domain is listed below with what its controls can help with:

A.5 Information security policies
  • Create and handle your information security policies

A.6 Organization of information security
  • Define the organizational aspects of information security, including project management, use of mobile devices, and remote work
  • Define the roles and responsibilities for implementing and operating information security

A.7 Human resource security
  • Train and manage employees and third parties to assure that information and organizational security are maintained

A.8 Asset management
  • Identify and classify all information security assets to assure that each asset is properly and securely handled

A.9 Access control
  • Control physical and logical access to information assets

A.10 Cryptography
  • Encrypt sensitive data to protect its confidentiality, authenticity, and integrity

A.11 Physical and environmental security
  • Protect equipment and facilities from unauthorized access and compromise

A.12 Operations security
  • Secure all IT systems from data loss
  • Record all cybersecurity events
  • Conduct regular vulnerability assessments
  • Take steps to prevent internal/external audits from disrupting operations

A.13 Communications security
  • Protect all communications and communications systems from breaches

A.14 System acquisition, development and maintenance
  • Consider data security needs when purchasing new information systems or upgrading existing systems

A.15 Supplier relationships
  • Ensure that all third parties implement appropriate information security controls and monitor the security performance of all controls

A.16 Information security incident management
  • Ensure that all security incidents are properly handled and communicated to relevant stakeholders
  • Define how evidence will be preserved after each incident’s investigation
  • Define a plan to learn from incidents and prevent their recurrence

A.17 Information security aspects of business continuity management
  • Ensure continual information availability even during disruptions

A.18 Compliance
  • Audit whether the ISMS aligns with the requirements and procedures specified in ISO 27001

ISO 27001 Compliance Implementation Checklist

Here is a simple checklist to help you achieve ISO 27001 compliance:

Set the Tone from the Top

Senior management support is critical to implementing an ISMS and achieving ISO 27001 compliance. Top management should provide the funds and resources required to work on the project and regularly review the ISMS to assure that it continually adheres to ISO 27001 standards.

Define ISMS Scope

Understand the various controls and define which ones should be implemented to develop a robust ISMS and achieve ISO 27001 compliance. Conduct a gap analysis to find missing controls, understand the company’s business context, and determine its risk landscape.

Create an Information Security Policy (ISP)

An ISP (also known as an ISMS policy) defines the basic information security requirements. It should stipulate all information security rules and procedures, clarify the ISMS strategy, define its benefits, and specify the roles and responsibilities of who will enact the policy.

Define the Risk Assessment Methodology

An ISO 27001 risk assessment is critical to identify the various risks that affect your organization, their potential impact, and their likelihood. This helps define acceptable risk levels, create scenarios about possible attacks, and understand threat actors’ techniques and motivations. Before performing your risk assessment, ensure that the method you use to assess risk involves all stakeholders in your enterprise and can be repeated consistently year after year.

Write the Statement of Applicability (SoA)

A statement of applicability in ISO 27001 is required to understand which ISO 27001 Annex A controls should be implemented based on your risk assessment. It should list all applicable controls and describe how you will implement them. You also specify the controls you are not using for ISMS implementation and why.

Design the Risk Treatment Plan

After completing a risk assessment, create a plan and process for risk treatment. The objective is to decrease unacceptable risks by using the Annex A controls. The implementation plan defines which controls will be implemented, by when, and by whom.

A risk assessment report documents the steps taken during risk assessment and risk treatment.

Measure the Effectiveness of Controls

Define how you plan to measure the effectiveness of the controls implemented when setting up the ISMS. Clear security metrics help you report the progress of ISMS implementation and ISO 27001 compliance. Determine how you will assess if the ISMS has fulfilled the security objectives identified during scoping.

Streamline ISO 27001 Compliance with Reciprocity ZenComply

ISO/IEC 27001 compliance can be a time-consuming and overwhelming endeavor if you use spreadsheets and emails to manage the process. Reciprocity ZenComply provides a faster path to compliance with automated request and task workflows.

ZenComply integrates with Reciprocity ZenRisk and ZenGRC to give you a real-time view of risk and compliance. Get the contextual insights you need to make fast, strategic decisions to secure your organization, accelerate vendor onboarding, and achieve successful ISO 27001 compliance.

Leverage ZenComply’s guided, content-rich approach to become audit-ready in minutes instead of days or weeks. It enables you to assess the effectiveness of your compliance program and prioritize activities to reduce risk, strengthen compliance, and earn the trust of your customers and stakeholders.

Schedule a demo to learn more about ZenComply’s prescriptive guidance, real-time reporting, and compliance-driven risk management capabilities.