ISO/IEC 27001 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) CERTIFICATION

ISO 27001 Controls List

Posted by: TUV SUD experts Date: 28 Jul 2023

INTRODUCTION

An organisation’s information management system, comprising people, policies, and processes, is its most valuable asset. Safeguarding this system is crucial to protect stakeholders from potential reputational and financial losses from security breaches.

Implementing an Information Security Management System (ISMS) becomes vital to address this. ISMS consists of policies and procedures that systematically manage security and mitigate potential risks associated with a company’s information security. Establishing a standardised framework ensures proper implementation and adherence to industry requirements.

The ISO 27001 framework serves as a set of rules and guidelines. It enables organisations to adopt best practices and processes for ISMS, ensuring the secure and systematic protection of their most valuable asset—information. ISO 27001 allows firms to tailor practices to their specific information systems while adhering to defined controls.

WHAT ARE ISO 27001 CONTROLS?

ISO 27001 Controls are a set of specified controls outlined in Annex A of the framework, comprising 14 domains with 114 controls. These detailed controls ensure comprehensive coverage of various control areas, providing organisations with guidelines to implement ISMS effectively.

It is important to note that not all controls in the framework are mandatory for all organisations. The ISO 27001 framework allows flexibility to adopt the guidelines based on a business's specific needs and risk considerations. While not all controls are mandatory, adherence to the requirements outlined in Clauses 4 to 10 is essential for achieving ISO 27001 certification. The clauses are specified as mentioned below:

  • Clause 4: Context of the Organisation
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance Evaluation
  • Clause 10: Improvement

The ISO 27001 framework includes 114 controls, but listing all of them can be overwhelming for users. The framework provides 14 domains highlighting critical controls for implementing and maintaining an Information Security Management System (ISMS) plan to simplify the process and enhance understanding. These domains serve as a focused reference, helping organisations grasp the importance of control implementation in a more manageable and comprehensible way.

Each ISO 27001 domain focuses on general best practices and control objectives for that area of information security:

  • A.5 Information Security Policies: This domain has two controls that require the company to have a defined set of policies and practices for keeping its information systems secure. This is the first domain and lays out the structure by defining the policies and processes that should be in place.
  • A.6 Organisation of Information Security: This domain consists of seven controls, ensuring that the policies laid down in A.5 are implemented throughout the company.
  • A.7 Human Resources Security: This domain consists of six controls that further explain the importance of every employee in the ISMS and lay down requirements (including training requirements) so that every employee is aware of their information security responsibilities.
  • A.8 Asset Management: This domain consists of 10 controls that require a company to identify its information assets, allocate ownership, classify them, and implement processes based on those categorisations.
  • A.9 Access Controls: This domain consists of 14 controls and is one of the easiest to understand. Access controls specify that information, processes, and policies must only be accessible to the people who need them for their work.
  • A.10 Cryptography: Cryptography consists of two controls that are related to the encryption of information systems.
  • A.11 Physical and Environmental Security: The largest domain in Annex A consists of 15 controls that protect information assets from all sorts of risks. Storage and physical location are key to data protection. Every business is expected to have the right controls in place so that a change in the physical environment, a natural calamity, or a person cannot damage information assets.
  • A.12 Operations Security: This domain consists of 14 controls and focuses on the technological aspect of information systems. This domain necessitates that organisations safeguard the information processing facilities and systems that comprise their ISMS and also covers the documentation of ISMS operating processes.
  • A.13 Communications Security: This domain consists of seven controls divided into two categories: controls that help prevent attacks (for example, intrusion detection systems and firewalls) and controls related to information transfer.
  • A.14 System Acquisition, Development, and Maintenance: This domain, consisting of 13 controls, primarily focuses on how well an organisation adapts to change and manages and modifies its information systems as needs evolve.
  • A.15 Supplier Relationship: This domain, with five controls, focuses on the external environment that an organisation has to deal with, which includes vendor relationships and agreements with suppliers.
  • A.16 Information Security Incident Management: This domain consists of seven controls that focus on what should be done in case of an information security breach: how it should be reported, to whom it should be reported first, who can make decisions, and what measures can be taken to reduce its impact.
  • A.17 Information Security Aspects of Business Continuity Management: This domain, comprising four controls, requires organisations to maintain the necessary level of information security during a disruptive event.
  • A.18 Compliance: The final domain, consisting of eight controls, focuses on how an organisation complies with regulatory requirements and information security laws.

Implementing an ISMS and obtaining ISO 27001 certification can seem overwhelming due to the numerous controls involved. However, TÜV SÜD's ISO 27001 Certification Services simplify and streamline the process. With their comprehensive support, experience, and training programs, companies can quickly implement an ISMS and navigate the certification process effortlessly. Additionally, TÜV SÜD's certification services and ongoing support allow firms to maintain and continually improve their ISMS without hassle.

CONCLUSION

In today's environment, implementing an ISMS framework compatible with ISO 27001 in every organisation is a must to ensure the efficacy and efficiency of the organisation and its business processes. With detailed standards and controls specified in the ISO 27001 framework, companies have the ability and liberty to implement controls as per their specific needs and requirements and to combat any potential risks and concerns of information security.
