ISO 27001 compliance can be confusing because the sheer volume of standards is overwhelming, but the right program can ensure business continuity. If an ISO certification is on your compliance roadmap, here’s a quick primer to get you up to speed and jumpstart your ISO compliance efforts.
What is ISO 27001?
The ISO 27001 family, published by the International Organization for Standardization, is a set of standards for information security. Deciphering the various numbers can be confusing at first, but each standard is numbered and deals with a specific facet of managing your company's information security risk.
At a minimum, you need to know ISO/IEC 27001 and 27002. The 27001 standard provides requirements for businesses to implement and operate an Information Security Management System, or ISMS. The ISMS provides tools for management to make decisions, exercise control, and audit the effectiveness of InfoSec efforts within the company.
ISO 27002 provides a library of control objectives for InfoSec, which can be used within the framework of your ISMS (e.g. conducting an inventory of assets, securing networks, etc.). The same controls also appear in ISO 27001, Annex A, which can lead to confusion; don't worry, though, a good GRC tool will provide you with the appropriate objectives from both 27001 and 27002!
Within the ISO 27001 family there are a host of other important documents. If you’re new to compliance or an ISO program you can likely ignore these for now, but it is important to know they exist. They include:
- ISO 27005: Information security risk management. This standard provides guidance for companies that are maturing their ISMS and controls programs. Rather than implementing controls as a checkbox activity, risk-driven organizations proactively choose controls that best mitigate their risks.
- ISO 27006: Requirements for bodies providing audit and certification of information security management systems. The auditor's blueprint for conducting a certification audit against the ISO 2700n standards.
- ISO 27017: Code of practice for information security controls based on ISO 27002 for cloud services. This one's got a tough name, but it's very important! This standard provides additional guidance on top of the 27002 controls specific to cloud service providers and consumers.
- ISO 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. If you're dealing with PII, chances are the cloud is a scary but soon-to-be-necessary part of your life. This standard provides additional guidance on top of the 27002 controls specific to securing PII in a cloud environment.
Managing ISO Certification
While the ISO 27001 family is a complex and confusing body of standards governing your business and your third parties, a good GRC tool can really alleviate some of the compliance burden, including managing the risk assessment process and creating a security policy. All ISO 27001, 27002, 27017, and 27018 content is available in ZenGRC as part of standard licenses. In addition, the team of GRC experts at Reciprocity has created consolidated objectives mappings, which can help you leverage your existing compliance work to meet ISO 27001 objectives.