ISO 27001 enables organizations of any size to manage the security of assets such as employee information, financial information, intellectual property, employee details, and third-party information.
ISO 27001 is primarily known for providing requirements for an information security management system (ISMS) and is part of a much larger set of information security standards.
An ISMS is a standards-based approach to managing sensitive information to make sure it stays secure. The core of an ISMS is rooted in the people, processes, and technology through a governed risk management program.
Many organizations follow ISO 27001 standards, while others instead seek to obtain an ISO 27001 certification. It is important to note that certification is evaluated and granted by an independent third party that conducts the certification audit by working through an internal audit.
Once the audit is complete, the organizations will be given a statement of applicability (SOA) summarizing the organization’s position on all security controls.
Why is an ISO 27001 checklist important?
Information security policies and information security controls are the backbone of a successful information security program.
Risk assessments, risk treatment plans, and management reviews are all critical components needed to verify the effectiveness of an information security management system. Security controls make up the actionable steps in a program and are what an internal audit checklist follows.
Annex A has a complete list of controls for ISO 27001 but not all the controls are information technology-related.
The best way to think of Annex A is as a catalog of security controls, and once a risk assessment has been conducted, the organization has an aid on where to focus.
Annex A contains the following controls:
- Annex A.5 — Information Security Policies
- Annex A.6 — Organization of Information Security
- Annex A.7 — Human Resource Security
- Annex A.8 — Asset Management
- Annex A.9 — Access Control
- Annex A.10 — Cryptography
- Annex A.11 — Physical and Environmental Security
- Annex A.12 — Operations Security
- Annex A.13 — Communications Security
- Annex A.14 — System Acquisition, Development, and Maintenance
- Annex A.15 — Supplier Relationships
- Annex A.16 — Information Security Incident Management
- Annex A.17 — Information Security Aspects of Business Continuity Management
- Annex A.18 — Compliance
How do organizations typically put together an ISO 27001 checklist?
A typical ISO 27001 checklist has several main components.
- The organization must assess the environment and take an inventory of hardware and software.
- Select a team to develop the implementation plan.
- Define and develop the ISMS plan.
- Establish a security baseline.
- Establish a risk management program and identify a risk treatment plan.
- Implement a risk treatment plan.
- Monitor, conduct management reviews, and take corrective action leveraging the ISMS.
Once the ISO 27001 checklist has been established and is being leveraged by the organization, then ISO certification may be considered.
There are several tips and tricks when it comes to an ISO 27001 checklist. When you look at what a checklist needs, a good rule is to break down the end goal of the checklist.
Are you looking for ISO certification or to simply strengthen your security program? The good news is an ISO 27001 checklist properly laid out will help accomplish both. The checklist needs to consider security controls that can be measured against.
For instance, the checklist should mimic Annex A 5-18 to get an understanding of whether the organization has the right security controls in place.
Create your own ISO 27001 checklist
There are many ways to create your own ISO 27001 checklist. The important thing to remember is that the checklist should be designed to test and prove that security controls are compliant.
Consult with your internal and external audit teams for a checklist template to use with ISO compliance or for basic security control validation. ISO 27001 standards are an important baseline for a successful information security program. Remember, an ISO 27001 checklist is not a one and done implementation.
True compliance is a cycle and checklists will need constant upkeep to stay one step ahead of cybercriminals.