Topic 5 ISO 27001

The document provides an overview of ISO 27001, a standard for Information Security Management Systems (ISMS), detailing its structure, benefits, and implementation process. It emphasizes the importance of a robust ISMS for organizations to manage information security risks effectively and highlights the PDCA cycle as a framework for continuous improvement. Additionally, it outlines the various clauses of the standard and the significance of compliance for achieving certification.


Information Security Management

J/618/7447
10203300
Topic 8: ISO 27001

Eman Alzyoud
School of Computing and Informatics
Eman.Alzyoud@HTU.EDU.JO

Learning Objectives:
• Introduction to the ISO 27001 standard
• Benefits of implementation
• PDCA cycle
• Clause 1: Scope
• Clause 2: Normative References
• Clause 3: Terms And Definitions
• Clause 4: Context Of The Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement

INTRODUCTION TO THE STANDARD
• The challenge that most businesses struggle with is how to provide appropriate protection. In particular, how do they ensure that they have identified all the risks they are exposed to and how can they manage them in a way that is proportionate, sustainable and cost effective?
• The ISO/IEC 27000 Family of Information Security Standards
• The ISO 27000 family of information security management standards is a series of mutually supporting information security standards that can be combined to provide a globally recognised framework for best-practice information security management.
• The mainstay of the series is ISO 27001, which sets out the specification for an ISMS (information security management system).
• The series is developed and published by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission).

• ISO 27001 is the internationally-recognised standard for Information Security Management Systems (ISMS). It provides a robust framework to protect information that can be adapted to all types and sizes of organization. Organizations that have significant exposure to information-security related risks are increasingly choosing to implement an ISMS that complies with ISO 27001.

The 27000 Family

•There are currently over 50 published standards in the ISO 27000 series. Of these, ISO 27001 is the only standard
intended for certification. The other standards all provide guidance on best practice implementation. Some provide
guidance on how to develop ISMS for particular industries; others give guidance on how to implement key information
security risk management processes and controls.

Three of the standards are particularly helpful to all types of organizations when implementing an ISMS.
These are:

•ISO 27000 Information Technology – Overview and vocabulary

•ISO 27002 Information technology – Security techniques – Code of practice for information security
controls. This is the most commonly referenced, relating to the design and implementation of the 114
controls specified in Annex A of ISO 27001.

•ISO 27005 Information Technology – Security techniques – Information security management.

Published ISO 27000 standards

ISO has officially designated the ISO 27000 set of standards for information security purposes. This, of course, corresponds to a
host of other standards, including ISO 9000 (quality management) and ISO 14000 (environmental management). The 27000
series comprises a variety of standards and documents. Several of these are now well-known, having been published.
The following are ISO 27000 series standards already published and adopted by organisations:
• ISO/IEC 27000 — Information security management systems.
• ISO/IEC 27001 — Information technology – Security Techniques – Information security management.
• ISO/IEC 27002 — Code of practice for information security controls.
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation.
• ISO/IEC 27005 — Information security risk management.
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems.
• ISO/IEC 27007 — Guidelines for information security management systems auditing.
• ISO/IEC TR 27008 — Guidance for auditors on ISMS controls.
• ISO/IEC 27009 — Internal document for the committee developing sector/industry-specific versions
• ISO/IEC 27010 — Information security management for inter-sector and inter-organisational communications.
• ISO/IEC 27011 — Information security management guidelines for telecommunications organisations based on ISO/IEC 27002.
• ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
• ISO/IEC 27014 — Information security governance.
• ISO/IEC TR 27015 — Information security management guidelines for financial services.
• ISO/IEC TR 27016 — Information security economics.
• ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
• ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
• ISO/IEC 27019 — Information security for process control in the energy industry.
• ISO/IEC 27021 — Competence requirements for information security management systems professionals.
• ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity.
• ISO/IEC 27032 — Guideline for cybersecurity.
• ISO/IEC 27033 — IT network security.
• ISO/IEC 27033-1,2,3,4 — Network security.
• ISO/IEC 27034-1,2,3,4,5,6,7 — Application security.
• ISO/IEC 27035-1,2,3,4 — Information security incident management.
• ISO/IEC 27036-1,2,3,4 — Information security for supplier relationships – Part 1: Overview and concepts.
• ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence.
• ISO/IEC 27038 — Specification for digital redaction on digital documents.
• ISO/IEC 27039 — Intrusion prevention.
• ISO/IEC 27040 — Storage security.
• ISO/IEC 27041 — Investigation assurance.
• ISO/IEC 27042 — Analysing digital evidence.
• ISO/IEC 27043 — Incident investigation.
• ISO/IEC 27050-1 — Electronic discovery.
• ISO/IEC 27701 — Information technology – Security Techniques – Information security management systems — Privacy Information Management System (PIMS).
• ISO 27799 — Information security management in health using ISO/IEC 27002 – guides health industry organisations on how to protect personal health information using ISO/IEC 27002.

Benefits Of Implementation
Information security is becoming increasingly important to organizations, and the adoption of ISO 27001 therefore more
and more common. Most organizations now recognise that it is not a question of if they will be affected by a security
breach; it is a question of when.
Implementing an ISMS and achieving certification to ISO 27001 is a significant undertaking for most organizations.
However, if done effectively, there are significant benefits for those organizations that are reliant on the protection of
valuable or sensitive information. These benefits typically fall into three areas:

COMMERCIAL

Having independent third-party endorsement of an ISMS can provide an organization with a competitive advantage, or enable it to ‘catch up’ with its competitors. Customers that are exposed to significant information security risks are increasingly making certification to ISO 27001 … For organizations that want to work with this type of customer, having an ISO 27001 certified ISMS is a key requirement for sustaining and …

ISO 27001 is an internationally recognised framework for a best practice ISMS and compliance with it can be independently verified to both enhance an organization’s image and give confidence to its customers.

PEACE OF MIND

Many organizations have information that is mission-critical to their operations, vital to sustaining their competitive advantage or an inherent part of their financial value. Having a robust and effective ISMS in place enables business owners and managers with responsibility for managing risks to sleep easier at night knowing that they are not exposed to a risk of heavy fines, major business disruption or a significant hit to their reputation.

In today’s knowledge-based economy, almost all organizations are reliant on the security of key information. Implementation of a formal ISMS is a proven method of providing such security.

OPERATIONAL

The holistic approach of ISO 27001 supports the development of an internal culture that is alert to information security risks and has a consistent approach to dealing with them. This consistency of approach leads to controls that are more robust in dealing with threats. The cost of implementing and maintaining them is also minimised, and in the event of them failing the consequences will be minimised and more effectively mitigated.
PDCA CYCLE

•ISO 27001 is based on the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming
wheel or Shewhart cycle. The PDCA cycle can be applied not only to the management
system as a whole, but also to each individual element to provide an ongoing focus on
continuous improvement.

Plan: Establish objectives, resources required, customer and stakeholder requirements, organizational policies and identify risks and opportunities.

Do: Implement what was planned.

Check: Monitor and measure processes to establish performance against policies, objectives, requirements and planned activities and report the results.

Act: Take action to improve performance, as necessary.
PDCA CYCLE

PDCA model ISO 27001 (figure): the information security requirements and expectations of interested parties are the input to the Information Security Management System (4); Plan – Establish ISMS; Do – Implement and operate the ISMS; Check – Monitor and review the ISMS; Act – Maintain and improve the ISMS; the output to interested parties is managed information security.

Plan-Do-Check-Act is an example of a closed-loop system. This ensures that the learning from the ‘do’ and ‘check’ stages is used to inform the ‘act’ and subsequent ‘plan’ stages. In theory this is cyclical; in practice it is more of an upward spiral, as the learning moves you on each time you go through the process.

The 10 Clauses Of ISO 27001:2013

• ISO 27001 is made up of 10 sections known as Clauses.

• As with most other ISO management system standards, the requirements of ISO 27001 that need to be satisfied are specified in Clauses 4.0 – 10.0. Unlike most other ISO management system standards, an organization must comply with all of the requirements in Clauses 4.0 – 10.0; they cannot declare one or more clauses as being not applicable to them.

• In ISO 27001, in addition to Clauses 4.0-10.0 there is a further set of requirements detailed in a section called Annex A, which is referenced in Clause 6.0. Annex A contains 114 best practice information security controls. Each of these 114 controls needs to be considered. To be compliant with ISO 27001 the organization must implement these controls, or an acceptable justification must be given for not implementing a particular control.

(Figure: ISMS concept diagram relating interested parties, use value, regulate, vulnerabilities, threats, information, risks, confidentiality, integrity, availability, assets, access, controls, monitor and continual improvement.)
Clause 1: Scope

The Scope section of ISO 27001 sets out:

• the purpose of the standard;
• the types of organizations it is designed to apply to; and
• the sections of the standard (called Clauses) that contain requirements that an organization needs to comply with in order for the organization to be certified as “conforming” to it (i.e. being compliant).

ISO 27001 is designed to be applicable to any type of organization. Regardless of size, complexity, industry sector, purpose or maturity, your organization can implement and maintain an ISMS that complies with ISO 27001.

Clause 2: Normative References

In ISO standards, the Normative References section lists any other standards that contain
additional information that is relevant to determining whether or not an organization complies
with the standard in question. In ISO 27001 only one document is listed – ISO 27000 Information
Technology - Overview and vocabulary.

Some of the terms used or requirements detailed in ISO 27001 are explained further in ISO
27000. Reference to ISO 27000 is very useful in helping you to understand a requirement better
or identify the best way to comply with it.

TIP – External auditors will expect you to have taken the information contained in ISO 27000 into
account in the development and implementation of your ISMS.

Clause 3: Terms And Definitions
The most important terms used in ISO 27001 are:
Access Controls
• processes that ensure that only the people that need to have access to a certain asset have that access; the “need” is determined with reference to both business and security requirements.
Effectiveness
• the extent to which planned activities (e.g. processes, procedures) are executed as planned or specified and achieve the planned results or outputs.
Risk
• a combination of the likelihood of an information security event occurring and the resulting consequences.
Risk Assessment
• the process of identifying risks, analyzing the level of risk posed by each risk and evaluating whether additional action is needed to reduce each risk to a more tolerable or acceptable level.
Risk Treatment
• processes or actions that reduce identified risks to a tolerable or acceptable level.
Top Management
• the group of individuals who are the most senior decision makers in an organization. They are likely to be accountable for setting its strategic direction and for determining and achieving stakeholder objectives.

Clause 4: Context Of The Organization

• The purpose of your ISMS is to protect your organization’s Information Assets, so that the
organization can achieve its goals.

• How you go about this and the specific areas of priority will be driven by the context your
organization operates in, both:
• internal – the things over which the organization has some control; and
• external – the things over which the organization has no direct control.

• A careful analysis of the environment your organization operates in is fundamental to identifying the inherent risks posed to the security of your Information Assets. The analysis is the foundation that will enable you to assess what processes you need to consider adding or strengthening to build an effective ISMS.

Internal Context

The following are examples of the areas that can be considered when assessing the internal issues that may have a bearing on
the ISMS risks:
• Maturity: are you an agile start-up with a blank canvas to work on, or a 30+ year old institution with well-established
processes and security controls?
• Organization culture: is your organization relaxed about how, when and where people work, or extremely
regimented? Might the culture resist the implementation of Information Security controls?
• Management: are there clear communication channels and processes from the organization’s key decision makers through to
the rest of the organization?
• Resource size: are you working with an Information Security Team, or is one person doing it all?
• Resource maturity: are the available resources (employees/ contractors) knowledgeable, fully trained, dependable and
consistent, or are personnel inexperienced and constantly changing?
• Information asset formats: are your information assets mainly stored in hard-copy (paper) format, or are they stored
electronically on a server on-site, or in remote cloud-based systems?
• Information asset sensitivity/value: does your organization have to manage highly valuable or particularly sensitive
information assets?
• Consistency: do you have uniform processes in place across the organization, or a multitude of different operating practices
with little consistency?
• Systems: does your organization have many legacy systems running on software versions that are no longer supported by the
manufacturer, or do you maintain the most up to date and best available technology?
• System complexity: do you operate one main system that does all the heavy lifting, or multiple departmental systems with
limited information transfer between them?
• Physical space: do you have a dedicated secure office facility, or do you operate in a space shared with other organizations?

External Context
• The following are examples of the areas that can be considered when assessing the external issues that may have a bearing on the ISMS risks:
• Competition: do you operate in a rapidly changing and innovative market, requiring many system
upgrades to stay competitive, or in a mature, stable market with little innovation year-to-year?
• Landlord: do you need approval to upgrade physical security?
• Regulators / enforcement bodies: is there a requirement in your sector to make regular statutory
changes, or is there little oversight from regulators in your market sector?
• Economic/political: do currency fluctuations impact your organization; will Brexit in the UK have an impact?
• Environmental considerations: is your site on a flood plain with the server(s) located in a basement? Are
there factors making your site(s) a possible target for a break-in or a terrorist attack (e.g. in a
prominent city centre location; next to a possible target)?
• Prevalence of information security attacks: does your organization operate in a sector which regularly
attracts interest from hackers (criminals, hacktivists)?
• Shareholders: are they very concerned about the vulnerability of the organization to data breaches?
How concerned are they about the cost of the organization’s efforts to improve its information
security?

Clause 5: Leadership
The Importance of Leadership

Leadership in this context means active involvement in setting the direction of the ISMS, promoting its
implementation and ensuring appropriate resources are made available. This includes:

• ensuring that the ISMS objectives are clear and aligned with overall strategy;
• that there is clarity on responsibilities and accountabilities;
• that risk-based thinking is at the heart of all decision making;
• that there is clear communication of this information to all individuals within your ISMS scope.

ISO 27001 places great importance on active engagement by Top Management in the ISMS, based on
the assumption that the engagement of Top Management is crucial in ensuring the effective
implementation and maintenance of an effective ISMS by the wider employee group.

Clause 6: Planning
ISO 27001 is at heart a risk management tool that steers an organization to identify the drivers of its information
security risks from the full range of sources. As such, the underlying purpose of an ISMS is to:

• identify the strategically important, blatantly obvious, and hidden but dangerous risks;
• ensure that an organization’s day-to-day activities and operating processes are designed, directed and
resourced to inherently manage those risks; and
• automatically respond and adapt to changes to cope with new risks and continually reduce the
organization’s risk exposure.

Having a detailed action plan that is aligned, updated and supported by regular reviews and monitoring is crucial,
and provides the best evidence to the auditor of clearly defined system planning.

Clause 7: Support
• Clause 7 concerns itself with resources. This applies to people, infrastructure and environment as
much as physical resources, materials, tools etc. There is also a renewed focus on knowledge as a
significant resource within your organization. When planning your quality objectives, a major
consideration will be the current capacity and capability of your resources as well as those you may
need to source from external suppliers / partners.

• To implement and maintain an effective ISMS you need to have supporting resources in place.
These resources will need to be sufficiently:

• capable – if they are equipment or infrastructure; and

• competent – if they are people.

Clause 8: Operation

• So, after all the planning and risk assessment, we’re ready to move on to the “do” stage. Clause 8 is all about having appropriate control over the creation and delivery of your product or service.

• Managing your information security risks and achieving your objectives requires the formalization
of your activities into a set of clear and coherent processes.

• Many of these processes are likely to exist already (e.g. induction, training) and will simply need
modifying to include elements relevant to information security. Other processes may happen in an
ad-hoc fashion (e.g. supplier approvals), while some may not currently exist at all (e.g. internal
audit).

Clause 9: Performance Evaluation

There are three main ways in which the performance of an ISMS is evaluated. These are:

• monitoring the effectiveness of the ISMS controls;

• through internal audits; and

• at Management Review meetings.

Monitoring, Measurement, Analysis and Evaluation

• The organization will need to decide what needs to be monitored to be assured that ISMS processes and information security controls are operating as intended. It is impractical for an organization to monitor everything all the time; if you attempt to do so, it is likely that the volume of data would be so great that it would be virtually impossible to use it effectively. Therefore, in practice, you will need to take an informed decision about what to monitor.

Internal Audits

• The purpose of internal audits is to test your ISMS processes for weaknesses and identify
opportunities for improvement. They are also an opportunity to provide a reality check to Top
Management on how strongly the ISMS is performing. When done well, internal audits can ensure
that there are no surprises at your external audits.

The internal audits you perform should check:

• how consistently processes, procedures and controls are followed and applied;

• how successful your processes, procedures and controls are at generating the intended results; and

• whether your ISMS remains compliant with ISO 27001 and the requirements of interested parties.

Clause 10: Improvement
• The key aim of implementing an ISMS should be to reduce the likelihood of information security events occurring and their impact. No ISMS is likely to be perfect. However, a successful ISMS will improve over time and increase the organization’s resilience to information security attacks.

Nonconformity and Corrective Action

One of the main drivers of improvement is to learn from security incidents, issues identified in audits, performance issues identified from monitoring, complaints from interested parties and ideas generated at management reviews.

For each learning opportunity identified you must maintain a record of:

• what occurred;

• if the event had undesirable consequences, what action was taken to contain and mitigate those;

• the root cause of the event (if determined);

• the action taken to eliminate the root cause (if needed); and

• an assessment of the effectiveness of any action taken.

Root cause analysis
To identify effective corrective action, it is strongly advisable to complete a root cause analysis of the issue that occurred. If you don’t get to the bottom of why or how it happened, then it is likely that whatever fix you implement will not be fully effective. A simple approach such as “5 Whys” is a good root cause analysis tool: start with the issue, then ask “Why?” enough times to reach the root cause. Usually asking 5 times is enough, but for more complex problems you may need to dig deeper.

For example:

Problem statement:

The organization was infected by the Wannacry virus

Why?

Someone clicked on a link in an email and it downloaded the virus and infected their PC

Why?

They had not received any training in clicking on links in emails they are not expecting to receive

Why?

The training manager is on maternity leave and the organization has not implemented cover for them

Why?

The maternity leave process is not covered in the Change Management Procedure and so a risk assessment was not completed to identify any
information security risks.
