The ISO 27001 standard has its origins in the BS 7799-2 standard developed in the United Kingdom in 1999 and entitled "Specifications for information security management systems". It was the first to propose a framework for thinking about, and specific measures for, the development of an Information Security Management System (ISMS).
It served as the basis for the publication, 6 years later, of the ISO 27001 standard and, more broadly, of the entire family of ISO 27000 standards, which today form a consensus throughout the world and enable IT security standards to be harmonised.
The ISO 27001 standard is reviewed periodically (in 2013 and again in 2022) so that it keeps pace with evolving risks and threats in cyberspace, in keeping with a continuous security approach.
So what are the elements assessed for ISO 27001 certification? What are the prerequisites for ISO 27001 certification? And how does the certification process work?
Issues and scope of application of the ISO 27001 standard
The purpose of ISO 27001 is to reconcile in-depth security with efficiency concerns. It is designed to be flexible enough to be adapted to all types of organisation, regardless of their private or public status, their size or their purpose. The standard is not exclusive and can easily be supplemented by other security standards.
Its approach is as comprehensive as possible, defining the responsibilities, security policies and procedures, and risk and incident management processes that form the prerequisites for a well-functioning ISMS. The standard makes it possible to protect against and respond to all types of cyberthreats, whether internal or external to the organisation, intentional or unintentional, of human, technical or natural origin, by proposing physical and logical security controls defined as follows:
Physical security: Security measures designed to protect an organisation's physical assets (IT equipment, premises, etc.) and its staff.
Logical security: Security measures designed to protect an organisation's intangible assets (software, databases, connections, applications and websites, etc.).
The ISO 27001 standard lies at the crossroads between documentation and technical measures intended for qualified personnel and documentation that can be understood by as many people as possible, with a view to empowering users, raising their awareness and integrating them into the security management process.
It should be noted that the standard helps to increase the resistance and resilience of information systems by reducing the risk of a breach of confidentiality, integrity and availability of data, and by guaranteeing the long-term viability of the organisation.
Building your ISMS step by step with ISO 27001
The certification process comprises a number of key stages, enabling IT security management to be sufficient to qualify for certification, which is valid for a maximum of 3 years. The first phase involves an internal review leading to validation of the project. It also ensures that the organisation can provide the financial and human resources needed to implement an ISMS. Next, the organisation must identify and implement the controls and documents required for certification. Finally, it is necessary to evaluate the implementation of the controls, revise them if necessary and ensure that the ISMS is functional and sustainable.
We talked about ISMS and ISO 27001 in a previous article; the process of creating and improving an ISMS follows the Deming model, Plan-Do-Check-Act (PDCA).
Plan: this stage involves gathering the information needed to identify security vulnerabilities and assess the risks. It is on this basis that the organisation's security processes and policies are defined.
Do: this second stage consists of applying the policies developed previously.
Check: this involves monitoring and measuring the effectiveness of the processes put in place and evaluating the results.
Act: this final stage involves improving existing processes, eliminating them or developing new ones based on the results.
Stage 1: Planning the ISMS project
The development of an ISMS using the ISO 27001 standard is above all a reflective project on the management of risks and threats within an organisation. It requires the ability to define security requirements in line with the organisation's culture, financial and human resources, core services, management architecture and physical infrastructure. The project also needs to take account of the ecosystem in which the organisation operates, including its users or customers, its subcontractors and partners, and its political and legal framework, for example.
Once management has given its approval, it is necessary to form a team responsible for the ISMS implementation project. This may, for example, be made up of a member of management responsible for the security aspect and a member of the IT department responsible for implementation. The composition of this team varies according to the size of the organisation, and the roles may be combined in a single person or extended to include other professionals. It is also necessary to work closely with a cybersecurity expert (from within or outside the organisation) capable of steering the project and advising the decision-makers.
At the strategic level, the organisation must define the scope of the ISMS and the project's security objectives, which are generally determined in the light of:
Risk analysis and mapping;
The size, culture and ecosystem of the organisation;
Current regulations to which the organisation is subject;
The organisation's security requirements.
In the light of this contextual analysis, the organisation will need to draw up an action plan and decide how its Information Systems Security Policy (ISSP) is to be written, choosing between a single all-encompassing document and separate policies for each topic covered. This decision must be taken in the light of the results of this initial reflection on the needs and resources of the organisation.
Stage 2: Designing and implementing the controls required for certification
Following this, an action plan is drawn up to define the areas to be covered by the ISSP. This policy will have to take account of the security controls already in place within the organisation, and will be reviewed and validated by management. Management's ongoing commitment is an essential principle of ISO 27001. Before the ISSP is implemented, the ISMS must be the subject of a Statement of Applicability (SoA). This sets out all the existing measures, those to be implemented, a justification for the choice of controls and an overview of their implementation. It is required for certification and is therefore mandatory.
Stage 3: Assessment of the ISMS and the adequacy of controls
To follow up the development of policies and their implementation, the organisation must agree on relevant key performance indicators (KPIs) specific to each structure. These will make it possible to monitor the ISMS in the short, medium and long term and assess its operational performance. The organisation must then carry out an internal audit to check that the ISMS is meeting the objectives set at the planning stage.
The management review that follows is required by the standard and covers the results of the internal audit, the assessment of corrective actions taken and the progress of the treatment plan, changes in the organisation, the state of achievement of objectives, and the search for alternative solutions if a measure appears too complex or unsuitable. By analysing the KPIs, the management review provides an overall picture of any problems or successes in the ISMS.
Stage 4: Implementation of corrective measures and continuous improvement
Following internal reviews, the organisation must call in impartial external auditors accredited by COFRAC (AFNOR Certification, AB Certification, APAVE Certification, etc.) to carry out the initial (external) audit. These auditors will provide an opinion to a technical committee and a validation committee, which will decide whether or not to grant certification.
However, since the ISMS is a continuous and evolving process, annual audits will have to be carried out. The ability of the organisation to bring into compliance the points that were not compliant at the time of the previous audits will be examined on the basis of the KPIs identified, taking into account changes in the organisation and ongoing projects. In the event of non-compliance, the certificate may be suspended or withdrawn.
At the end of the 3-year certification period, a renewal audit may be carried out, analysing the improvement of the ISMS on the points recommended during the annual audits.
The benefits of ISO 27001 certification
ISO 27001 certification attests to an organisation's commitment to a reliable IT security process over the long term, in addition to its obligation to comply with the General Data Protection Regulation (GDPR). As such, it is an important commercial tool, strengthening the confidence of customers, users, subcontractors and partners in the organisation. The standard also makes it possible to act more quickly and conscientiously in the event of an incident. On this point, it can be supplemented by the ISO 22301 standard on business continuity management systems (BCMS), which provides the organisation with a significant capacity for resilience. More generally, making management and users accountable helps to establish a genuine culture of IT security, which has become essential in view of the growing number of cyber-attacks.