Introduction to ISO/IEC 27001:2013 Security Controls
ISO/IEC 27001 is an international standard for managing information security effectively. The standard was published jointly by ISO and IEC in 2005 and revised in 2013. ISO/IEC 27001:2013 centres on establishing, implementing, maintaining, and continually improving an information security management system, or ISMS.
The purpose of an ISO 27001 implementation is to examine an organization’s information security risks, identifying the threat vectors and their impacts. To address those risks, an organization requires a coherent and comprehensive suite of security controls. Furthermore, these security controls require effective management processes to ensure that they continue to meet the needs of the business.
Responding to a security incident is not a walk in the park. It requires effective risk treatment plans and appropriate security controls in line with the information security standard. With the standard in place, risk assessments become simpler and more meaningful to the organization. ISO 27001 Annex A lists a total of 114 controls in 14 groups and 35 control categories.
1. Information Security Policies | 2 controls
The controls in this group require a set of policies for information security to be defined and approved by management, and communicated to employees and relevant external parties. All policies must be reviewed at regular intervals or upon any significant change. The review is part of ensuring their continuing suitability, adequacy, and overall effectiveness.
2. Organization of Information Security | 7 controls
These controls concern defining and allocating information security responsibilities throughout the management framework. They call for the segregation of conflicting duties and areas of responsibility, and at the same time require organizations to maintain appropriate contacts with authorities and special interest groups. Here, information security is prioritized throughout the entire management lifecycle.
3. Human Resource Security | 6 controls
This set of controls covers human resource security responsibilities: pre-employment screening, background checks and contractual agreements. All relevant employees and contractors should receive appropriate education, training, and periodic updates on organizational policies. The controls also call for a formal disciplinary process for employees who commit information security breaches. Finally, they cover the termination and change-of-employment processes.
4. Asset Management | 10 controls
This set of controls requires organizations to identify their assets and implement appropriate protection policies. The controls cover maintaining an inventory, ownership, acceptable use and return of assets. As information is the biggest asset of an organization, information classification is necessary; it should reflect the criticality, sensitivity, and value of the information being classified. Labelling and handling procedures are to be developed and implemented in line with the classification scheme. Additionally, the management of removable media, its disposal and its protection in transit are considered significant.
5. Access Control | 14 controls
These are the most significant controls in the ISO 27001 documentation, covering business requirements for access control, user access management, user responsibilities, and system and application access control. They stress user management through registration and de-registration, account provisioning, managing privileged accounts, password administration, and reviewing user access rights. Access control policies also extend to secure log-on procedures, restricting the use of utility programs and restricting access to program source code.
6. Cryptography | 2 controls
The two controls address the effective use of cryptography for information at rest and in transfer. Organizations must ensure their information is protected using appropriate cryptographic techniques, so that the confidentiality, integrity, and authenticity of the information are preserved. Furthermore, the controls require organizations to develop a policy on the use, protection, and lifetime of all cryptographic keys. In total, these controls call for an organization-wide policy for key management and cryptographic techniques.
7. Physical & Environmental Security | 15 controls
Physical and environmental security aims to prevent unauthorized physical access, interference or damage to the organization’s information and information processing facilities. It also aims to prevent loss, damage or theft of organizational assets and interruption to operations. These security controls define security perimeters, appropriate entry controls, physical protection for offices and other facilities, protection against natural disasters and safe working procedures in secure areas. The equipment controls cover equipment siting and protection, supporting utilities, cabling security, and overall equipment protection and maintenance policies.
8. Operations Security | 14 controls
Operations security starts with documenting operating procedures and making them available to all users who need them. It requires change management for business processes and facilities, monitoring of resource use and capacity, and separation of development, testing, and operational environments. It also covers protection against malware, backup policies, and the protection and review of logging activities and facilities. These controls also shape the control of operational software, technical vulnerability management and information system audit considerations as part of ISO 27001 vulnerability management.
9. Communications Security | 7 controls
The first set of controls in the communications security group targets network security management. It mainly covers network controls, security of network services and the expected segregation of networks. Information transfer security involves developing policies and procedures for the secure flow of data. Organizations should also put agreements in place with third parties to ensure information transfer is well managed and documented. Additionally, all electronic messaging requires protection, with regular review of confidentiality and non-disclosure agreements.
10. System Acquisition, Development & Maintenance | 13 controls
This set of controls mainly revolves around the security requirements of information systems and security in development and support processes. Organizations must include security requirements when specifying new systems and apply the necessary protection for application services on public or open networks. ISO 27001 compliance also requires organizations to protect application service transactions. Organizations need to establish and adhere to rules for the secure development of software and systems, use formal change control procedures in the development cycle, perform technical reviews of applications after platform changes, restrict changes to software packages and carry out system security testing.
11. Supplier relationship | 5 controls
Supplier relationship controls are intended to protect the organization’s assets that are accessible to suppliers. They involve building a security policy for supplier relationships, addressing security within supplier agreements, and addressing information security risks in the information and communication technology supply chain. The remaining controls cover monitoring and managing supplier service delivery. These controls help organizations maintain an agreed level of information security and service delivery in line with supplier agreements.
12. Incident Management | 7 controls
The security controls in this group establish management responsibilities and procedures for swift incident response. They also require organizations to report information security events and weaknesses promptly. All information security events are to be assessed, and incident response must follow the documented procedures. The controls also call for learning from security incidents and applying those insights to future incidents. This set of controls helps organizations ensure a consistent approach to the management of information security incidents, in line with the ISO 27001 standard.
13. Business Continuity Management | 4 controls
The controls in this group require information security continuity to be embedded in the organization’s business continuity management. Organizations should ensure the continuity of information security management in adverse situations. They should maintain the required level of continuity by establishing, documenting, implementing, and maintaining processes, procedures, and controls. The controls must also ensure the availability of information processing facilities, which should be implemented with enough redundancy to meet availability requirements.
14. Compliance | 8 controls
These controls cover the identification, documentation and updating of applicable statutory, regulatory, and contractual requirements. Organizations need to develop and implement procedures and policies to ensure compliance with these requirements. They should protect their records and ensure the privacy and protection of personally identifiable information. All cryptographic controls must comply with the relevant agreements, legislation, and regulations. The group also requires independent reviews of information security as part of ISO 27001 compliance and risk assessment. Managers should regularly review the compliance of information processing and procedures with security policies and requirements.
Summing Up
ISO 27001 certification is a valued standard for business organizations that defines the requirements of an ISMS (Information Security Management System). The systematic approach of the ISMS requires organizations to implement the various controls we have discussed so far. A solid defence reflects the current position and posture of the security controls implemented within your ISMS. Holding the certification brings the benefits of enhanced reputation, improved structure and focus, a reduction in the frequency of audits, and helps you avoid regulatory fines. Good knowledge of the security controls is vital and should be a top priority for organizations seeking ISO 27001 compliance.