ISO/IEC 27001 formally defines an information security management system (ISMS) as a set of activities designed to manage information security risks.

An ISMS is a management framework through which the organization identifies, analyzes and addresses information security risks. The ISMS ensures that security arrangements are relevant to security threats and vulnerabilities, and effective in managing business impacts.

The ISO27001 approach focuses on specific business risks, and offers a degree of flexibility that other standards do not.

ISO/IEC 27001 does not impose specific information security controls, since these vary from company to company. Control measures are suggested in Annex A of ISO 27001.

Organizations adopting ISO 27001 are free to choose the specific information security controls applicable to their situation or scope, selecting those listed and potentially supplementing them with other à la carte options (called extended controls).

History of the standard

ISO 27001 is a derivative of BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by the BSI Group in 2002 to explicitly include Deming’s cyclical “Plan-Do-Check-Act” continuous improvement process, and was adopted by the ISO/IEC standards system as ISO 27001 in 2005.

In 2013, ISO27001 was extensively revised to bring it into line with other ISO-type standards. That’s why it’s called “ISO/IEC 27001:2013”.

So what is ISO27001?

ISO27001:2013 is divided into two parts:

The first part, the mandatory clauses, corresponds to the Plan-Do-Check-Act continuous improvement wheel:

  • **Plan** – define policies, controls and processes and perform risk management to support information security aligned with the organization’s business.
  • **Do** – implement the planned processes.
  • **Check** – monitor, evaluate and audit results to drive improvements.
  • **Act** – respond to non-conformities and implement plans to sustain continuous improvement.

The second part, the controls, is optional: 14 areas covering 114 different controls. These 14 areas are defined in Annex A.

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Business continuity
  • Compliance

27001 versus 27002?

The 27001 standard describes the actions required to implement an information security management system (ISMS). It is possible to be ISO27001 certified.

ISO27002, from which Annex A of ISO27001 is derived, provides guidelines for information security management practices, including the selection, implementation and management of controls. Unlike ISO27001, it is not a standard against which an organization can be certified.

Become certified

A company can obtain ISO 27001 certification by asking an accredited certification body to carry out a certification audit and, if the audit is successful, to issue the ISO 27001 certificate to the company.

This certificate means that the company complies with ISO 27001 criteria.

Conflicting acronyms – ISMS – SMSI – SGSI

The English version of the system is called ISMS for – Information security management system.

On the other hand, the version translated into French (from France) uses the acronym SMSI for Système de management de la sécurité de l’information.

For my part, I prefer the Quebec translation, which is SGSI – Système de gestion de la sécurité de l’information.

All three versions are equally valid and remain your choice!

Standards in the 2700(x) series

The 27000 series offers several guides and practices for implementing a security program.

The basis for certification is ISO/IEC 27001:2013, but other standards in the series offer additional definitions or controls that may apply to your organization. For example, an organization offering cloud services to its customers should take ISO 27017 into account and add it to its security program (ISMS).

Here is a non-exhaustive list:

  • 27000 – Overview and definitions relating to information security
  • 27001 – Formal specifications for implementing an ISMS
  • 27002 – Details of security controls
  • 27003 – Implementation guide
  • 27004 – Measurement methods and performance indicators for an ISMS
  • 27005 – Information security risk management standard
  • 27006 – Guide for ISMS certification bodies
  • 27007 – Audit guide for an ISMS
  • 27008 – Practice guide for auditors
  • 27009 – Application of the standard to specific sectors
  • 27010 – ISMS for inter-organizational communication
  • 27011 – ISMS for telecommunications organizations
  • 27017 – Use of customer or supplier cloud services
  • 27018 – Guidelines on how to protect privacy when using cloud environments
  • 27031 – Guidelines for business continuity systems
  • 27701 – Requirements for the implementation of a PIMS (“Privacy information management system”)

Towards a new version 27002?

There’s every reason to believe that a new version of the ISO27002 standard will be published in 2022.

The main change is that the themes will be reduced from 14 to 4:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

The 114 controls will be reduced to 93. On the other hand, a reading of the proposed standard (not yet finalized at the time of writing) provides additional details for understanding the controls: each control now states its purpose, which makes its objective clearer, and carries attributes that place it in a broader context and framework.

Also, the concept of ***privacy*** is now implied in the standard, even in its title, which becomes:

ISO27002 “Information security, cybersecurity and privacy protection – Information security controls”.

How much does it cost?

That’s the question on everyone’s mind.

The costs are divided into several parts:

  • Buying the standard

How can you claim to be compliant with a standard if you don’t have a copy of it? It can be purchased on the “iso.org” website for around $300.

Link: https://www.iso.org/standard/54534.html

  • Help from an external consultant

If you hire an external consultant, you’ll need between 80 and 200 hours of their time to draw up the necessary documents and coordinate your efforts.

  • Internal organizational time

These efforts are not without cost for the organization. Internal time represents around 1.5x the time of the external consultant.

  • Technology costs

These amounts vary greatly depending on your technology debt.

  • Annual internal audit costs

This represents approximately 2 to 8 days of effort, either by an internal person or an external consultant.

  • Annual external audit costs

The work carried out by the external auditor to obtain certification is calculated according to the number of employees, the number of sites and the level of complexity of the organization (telecommunications, electricity, nuclear, etc.). The level of effort is usually between 3 and 15 days.

ISO27001 is recognized worldwide and provides an excellent basis for a corporate security program.

Achieving compliance certification offers reassurance to partners that information security is understood, well in hand, and that those in charge have a plan for continuous improvement.

Having been involved in the implementation of several different standards, I believe that ISO27001 is the simplest, broadest and most flexible standard for managing a security program.

Follow me – a future article will look at how to choose the right standard.