ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies).

An ISMS (Information Security Management System) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels, designed to effectively treat and manage risks.

Of the ISO 27000 family of standards, only ISO 27001 can be audited.
What is the objective of an ISMS?
Which ISO 27000 family standard can be audited?
Which ISO standard talks about supply chain security?
On what type of assessment and acceptance level (appetite) is ISO 27001 based?
Audits are part of the work of many organizations (if not most). If you have worked in an office, perhaps you have already participated in an audit.
Audits of ISO standards are conducted using a dedicated standard, ISO 19011, which details how to carry them out and defines the vocabulary used in the world of audits.
This normative covers topics such as scope, programme, plan, criteria, evidence, objectives, team members, and responsibilities, so that the audit can produce findings and a final conclusion.
There are three types of audits:
First-Party Audits:
First-party audits, or internal audits, are typically performed inside a company to measure the strengths and weaknesses relative to its internal business objectives. This ISO audit is basically a conformity assessment to check for compliance gaps and prepare an organization for an external ISO certification audit, i.e., a third-party audit.
Second-Party Audits:
A second-party audit, or external audit, is usually performed at the request of a customer (or a company contracted to act on the customer’s behalf) on a supplier of products or services.
Third-Party Audits:
The third-party audit is the certification audit. An organization typically undertakes a third-party audit when it wants to achieve an ISO certification. During the certification audit, a certification body auditor assesses whether an enterprise complies with the appropriate ISO standard.
At the moment of planning an audit, the team needs to determine an objective; this can be different for each organization. Some examples can be getting a stronger ISMS, determining risks and opportunities, gaining trust from vendors, or complying with legal requests.
There are also two kinds of audit methods:
Onsite Audit:
This is face-to-face; the auditor goes to the physical site and checks all the documentation.
Remote Audit:
This is done from a distance, using the internet as a tool to achieve the audit objectives. This one can apply to first and second parties’ audits.
Since the pandemic, remote audits are more common, so now you can check official documentation on how to conduct a remote audit. You can check the docs here: https://www.iaf.nu/articles/Mandatory_Documents_/38
So... maybe you were thinking, 'Why are you teaching me 19011? Isn't this a 27001 room?' Well, yes, you are right; this is an ISO 27001 room, and maybe you will never have a 27001 audit, but this normative applies to any ISO family of standards.
What kind of audits can't qualify to be remote audits?
Which organization released a guide for remote audits to help organizations during the pandemic?
As an internal auditor, which types of audits are you able to do?
In which type of audit method does the auditor go to the organization's office?
Let's talk about ISO 27001 again; this time, I am going to introduce you to different things that an ISMS should consider when going into development.
People/Employees:
It's important to share and sensitize everyone in the organization; in that way, they can commit to their obligations and responsibilities to the ISMS. Even directors and administrators should be committed to the ISMS. If the directors don't have enough time, they can delegate their responsibilities to someone who could be committed to the ISMS.
Technology:
This includes cipher controls, app developers, and all the other technology needed by the organization to complete its processes during a regular workday. You might think, 'Well, my organization doesn't do any development.' Maybe that's correct, but perhaps the organization hires a third-party service for that. Well, that service should be documented and be competent about security.
Legislation:
You need to consider any laws that can affect your processes. This could include intellectual property laws (which may vary for each country).
Organization:
Here, we are talking about all the policies, processes, plans, incident responses, vendors; in other words... a lot of documentation. The core of our ISMS needs to be CID (confidentiality, integrity, and availability).

What mathematical function can help to get integrity?
4.- Context of the Organization
Here we can talk about technology, finance, and sociocultural topics and the ISMS scope and improvement.
Internal
- Employees
- Managers
- Owners
- Contractors
External
- Suppliers
- Society
- Government
- Creditors
- Clients
- Citizens
- Distributors
- Shareholders
- Investors
- Insurers
- Regulators
5.- Leadership
5.1 Top management must demonstrate their commitment to the management system.
5.2 Creation of the information security plan.
5.3 Assign roles and responsibilities that are capable of making decisions and that can make changes to the process.
6.- Planning
This is one of the hardest parts, because you need to consider other parts of ISO 27001 (like 4.1 & 4.2). This part is about reducing incidents and risks and how to act when an incident occurs. You need to think about how you are going to qualify your plan; it could be a quantitative estimate (if you can give it a number) or a qualitative estimation (by eliminations).
7.- Support
7.1 Resources
Take into account the current resources of the organization, people, team capacity, organizational knowledge, and restrictions that you may run into, such as budgets or time.
7.2 Competence
Here again, you have to think based on risks (I always say that they pay me for being paranoid), taking into account the responsibilities and authorities that have been assigned in the processes.
7.3 Awareness
Make sure that people are aware of their work in the ISMS as well as their sanctions in case of not fulfilling their responsibilities.
7.4 Communication
When? What? To whom? By what means? What should it say? These are all issues that must be taken into account when establishing our needs.
7.5 Documented Information
The norm asks us to have all the documentation clear and especially within reach; it is not worth having our documentation lost and unclassified.
8.- Operation
8.1 Operational planning and control
Keep any documentation that you consider pertinent to demonstrate your planned processes, as well as to put a change control and justify the change made. Do not think that because it is an external process or subcontracting there is no need to document it; this must also be done to find out how to control if it impacts our ISMS.
8.2 Information security risk assessment
This document should include your calculation of the risk level; a comparison of this calculation with the acceptance criteria (how acceptable is my risk, for example, how long can I operate without electricity before an irrecoverable loss for the organization); who participates in this assessment (here they look for people who really know the organization); and what the current perception is about which threats matter most.
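The calculation step of clause 8.2, and the quantitative/qualitative distinction from the Planning clause, written out as a small worked example. This is an added illustration, not code or values from the room or from ISO 27001: the 1-5 scales, the sample register, the appetite threshold and the loss figures are all constructed.

```python
# Added example (not from the room): a minimal risk-assessment calculation in the
# spirit of clause 8.2. Qualitative risk level = likelihood x impact on a 1-5 scale,
# compared against an acceptance criterion (risk appetite). The quantitative variant
# (ALE = SLE x ARO) gives the same decision in money terms. All asset names, scores,
# the appetite threshold and loss figures are constructed sample values.

RISK_APPETITE = 8  # constructed threshold: scores above this must be treated (8.3)

def risk_level(likelihood, impact):
    """Qualitative estimate: likelihood (1-5) times impact (1-5) -> 1..25."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact

def annual_loss_expectancy(single_loss, annual_rate):
    """Quantitative estimate: expected loss per year = SLE x ARO."""
    return single_loss * annual_rate

def assess(register, appetite=RISK_APPETITE):
    """Score every register entry and decide accept/treat against the appetite."""
    decisions = []
    for entry in register:
        score = risk_level(entry["likelihood"], entry["impact"])
        decision = "treat" if score > appetite else "accept"
        decisions.append({"asset": entry["asset"], "threat": entry["threat"],
                          "score": score, "decision": decision})
    # Highest risks first, so the treatment plan (clause 8.3) starts at the top.
    return sorted(decisions, key=lambda d: d["score"], reverse=True)

# Constructed sample register, including the room's power-outage example.
SAMPLE_REGISTER = [
    {"asset": "Server room", "threat": "Power outage > 4h", "likelihood": 3, "impact": 4},
    {"asset": "HR database", "threat": "Unauthorised access", "likelihood": 2, "impact": 5},
    {"asset": "Public website", "threat": "Defacement", "likelihood": 2, "impact": 2},
]

if __name__ == "__main__":
    for d in assess(SAMPLE_REGISTER):
        print(f'{d["asset"]:15} {d["threat"]:22} score={d["score"]:2} -> {d["decision"]}')
    # Constructed figures: a 20,000 loss per outage, expected once every two years.
    print("ALE for power outage:", annual_loss_expectancy(20000, 0.5))
```

Changing RISK_APPETITE shows how the organization's acceptance level, not the score alone, decides what lands in the treatment plan.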
8.3 Information security risk treatment
To implement our treatment plan and document everything we can rely on the implementation points not only of 27001 but also of 27002 (Code of good practice for information security controls).
9.- Performance Evaluation
9.1 Monitoring measurement, analysis, and evaluation.
Here, the standard talks about everything involved in our evaluation: what will be monitored, how it will be monitored, how it will be evaluated (so that this evaluation is valid and reproducible), when it will be evaluated, who will evaluate, when the results are analyzed, and who analyzes and evaluates the results.
9.2 Internal Audit
As I had already mentioned, many standards ask us to carry out internal audits, and clearly ISO 27001 is no exception. These internal audits are carried out to know the performance and effectiveness of our system in an impartial manner, as this not only ensures the effectiveness of the system but also that it is really being maintained. This also serves to obtain feedback (and even advice from the auditor) and serves as an extra guarantee that the system complies with ISO 27001.
9.3 Management Review
This review must be planned every so often, say every week, month, semester, etc. The review can also be done at various levels so that senior management is also aware of this data. For example, every week it will be reviewed by an immediate boss, every month by an ISMS manager, every six months by a member of senior management, and every year by the owner of the company.
10.- Improvement
10.1 Nonconformity and Corrective Action
Faced with a non-conformity, you must react, evaluate the necessary actions, implement measures, see if a change to our ISMS is necessary, and once again document these actions.
10.2 Continual Improvement
This section serves to guarantee the continuous improvement of the system, to see that the system is working and that work is being done to correct the findings and refine them if necessary.
Wait... why do I start from number 4? Well, this is because points 1, 2 & 3 talk about the scope, references, and terms, so there is nothing to do on our part.
Can a process exist without a document? yey/nay?
How many days does the organization have to plan a response to a minor non-conformity?
Which points don't need documentation?
Well, first we need to know how to interpret this table:

A.5 Clause
A.5.1 Category
A.5.1.1 Control
This consists of 18 domains/clauses (the first 4 are non-auditable).
Take this one as the Controls. If you're interested in the ISMS, you should read about this one too.
These controls cover different topics and objectives; they could include backups, information classification, access controls, and many more topics related to infosec.
ISO 27001 might be something hard to afford for many organizations. Don't worry about it; it's not necessary to pursue this certification if you don't need it. However, what you could do is take what you need; some controls are really cost-effective or are just configurations.
Now it's your turn. Go there and implement defense!
What is the name of the "Operations security" i talking about an...
How many CIS controls exist? (v7)
What is the name of the control 6.2.1?
This was my first room.
I'll be glad to get any feedback ;)
I decided to make this room really fast and introductory because I know this is not a topic that a lot of people enjoy, so I'll be glad to do another room about deeper topics in the ISMS world.
So let me know what you want to learn or any suggestions.
Plus ultra!
