Today, we’re kicking off installment number one of the highly anticipated ISO 27001 Bootcamp, where we’ll be talking about project scoping and implementing the ISO 27001 Mandatory Clauses. In this series, we’ll walk you through the entire ISO 27001 compliance process, including:
- Scoping your project and tackling the Mandatory Clauses (i.e. this one)
- Implementing the Annex A Controls
- Conducting a successful audit
In this edition, Tugboat Logic’s director of InfoSec compliance and risk, Jitendra Juthani, is going to help Monica McMahen, a rep from the Bluth Company, scope their ISO 27001 project for her totally legit business “The Banana Stand”.
Read on to learn more.
Wait, What Is ISO 27001?
Chances are, you already have at least a basic understanding of what ISO 27001 is all about. But in case you don’t, or you need a refresher, here it is, straight from the mouth of Jitendra Juthani:
ISO 27001 is an international standard for information security management systems (ISMSs). It’s very popular in Europe, although it’s gaining traction internationally. It’s objectives are simple: to ensure that the availability, integrity and confidentiality of sensitive information is secure across your organization.
Now, if you’re looking for a deep dive into what the standard’s all about, feel free to check out our blog on the subject.
Why Get ISO 27001?
ISO 27001 remains one of the most popular security standards on the planet, and it’s easy to see why. Here are a few benefits it can provide:
- International recognition. Yep. ISO 27001’s got clout with companies across the planet.
- Motivate leadership to invest in your InfoSec. Senior stakeholders sometimes struggle to prioritize InfoSec. When you kickstart an ISO project, it gets them focused and invested.
- A risk-based approach to InfoSec. ISO 27001 will enable your org to adopt a risk-based approach to information security. Why does this matter? It sets you up to become more proactive about security.
- Builds trust. One of the best ways to prove your systems are trustworthy is by getting compliant with ISO 27001. That’s because a third-party evaluator assesses your systems and provides an objective opinion that your prospects and customers can rely on.
- Saves you time on security questionnaires. Plenty of the questions in those tedious security questionnaires become utterly redundant when you have ISO 27001, which means you no longer have to answer them. Your sales team will thank you.
- Differentiation. ISO 27001 proves you have a good security posture. That proof offers credibility in the marketplace that your competitors might not have.
- Win more deals. Basically, thanks to all of the benefits above, expect ISO 27001 to turbocharge your sales team.
If you’re still trying to determine whether ISO 27001 is the right fit for your business and these benefits don’t already have you convinced, this article might help.
The Structure of ISO 27001
ISO 27001 can be broken down into two major components.
First, are the mandatory clauses. These are high-level governance and process requirements you must fulfill to be ISO 27001 compliant.
The second is the Annex A Controls. These are 114 security controls. Thankfully, you don’t have to implement them all. That said, you do have to justify those you choose not to implement. We’ll be digging into these in a little more depth in part two, so stay tuned.
So How Do You Scope an ISO 27001 Project?
When it comes to scoping, you definitely don’t want to go all-in.
Ideally, you want to a hard look at your systems and processes to determine which of the ISO 27001 controls are applicable to you, instead of tackling all 114 of them. Scoping, as I’m sure you can imagine, can be time-consuming. Ultimately, it determines which controls you’ll need to operationalize to be ISO 27001 compliant.
Unfortunately, the Bluth Company doesn’t have the luxury of time. So, Jitendra walked Monica through Tugboat Logic’s scoping survey and demonstrated how the tool can automatically scope your ISO 27001 project in seconds.
The survey includes a series of questions, like:
- Does your physical office have access points such as delivery and loading areas?
- The survey includes a series of questions, like: Do you collect any personally identifiable information (PII)
- Does your company outsource any development activities?
- Do you use any vendors/suppliers to deliver your services?
- Does your organization maintain any removable storage media that contains sensitive information?
As you can see, the tool automatically identifies risks that are unique to your business. Then, based on that information, it generates a list of the 114 Annex A controls you’ll need to address, with detailed guidance on how to do so.
The ISO 27001 Mandatory Clauses
With Monica’s project scoped, it was time to tackle the ISO 27001 mandatory clauses in Tugboat Logic’s checklist tool.
The mandatory clauses are organized across the plan-do-check-act (PDCA) cycle, which covers every step in the typical audit process. You can check them out below.
Tugboat Logic categorizes each mandatory clause into the stage it falls under in the PDCA cycle. Then, it lists all the tasks you need to complete for each clause. To demonstrate, Jitendra unpacked one of the most notorious ISO 27001 clauses, clause 6, AKA Planning.
Clause 6 includes the risk assessment and risk treatment methodology, a plan where you outline your risk acceptance criteria and how you intend on treating each of your risks. The point of this exercise is to connect your risks with mitigating controls. This clause also includes the Statement of Applicability, which lists all ISO 27001 114 Annex A controls.
In it, you’ll note whether Annex A controls are or aren’t applicable to your ISMS. You’ll outline which controls you’ve implemented and which you haven’t. Finally, you’ll have to provide justifications for both. Once you’ve completed the document, it needs to be date and time-stamped. It also needs to be reviewed by the senior stakeholder for your ISMS project.
The final task for Clause 6 is to complete your information security objectives and plans. They ensure that the organization establishes information security objectives that are consistent with the ISMS policy. Those objectives should be measurable, they should be communicated across the organization, and they should be regularly reviewed and updated to reflect changes in the organization. This task must be documented and retained so that your auditor can understand how the process works for you.
Need Help With ISO 27001?
If you’re looking at kickstarting an ISO 27001 project, we can help. Feel free to get in touch and one of our audit pros will provide you with the guidance you need to take that essential first step. We also automate ISO 27001 compliance, so if you’d like to seriously reduce the level of effort that’s involved, take a look at what we offer here.