ISO 27001 and ISO 27002 are cybersecurity framework standards that businesses use to improve their cyber strategy and to better manage and minimize business risk. (ISO 27001 and ISO 27002 are also referred to as ISO/IEC 27001 and ISO/IEC 27002.) The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are the principal standards organizations behind them. ISO publishes standards in most fields except electrical and electronic engineering; electrical and electronic engineering standards are instead the domain of the IEC. Work on information technology standards is carried out by a joint ISO/IEC technical committee.
ISO is an international standard-setting body that consists of representatives from 164 national standards organizations around the world. In addition, ISO draws on subject matter experts (SMEs) who develop standards that support global product development and safety initiatives. As a result, ISO standards promote quality, safety, and efficiency, and facilitate international trade.
Both ISO and IEC sponsor the ISO/IEC joint technical committee JTC 1. The goal of this committee is to specify, maintain and promote standards in the field of information technology. The JTC 1 committee developed both the ISO 27001 and ISO 27002 standards.
The ISO 27001 framework includes processes and policies that enable an enterprise to manage information and cybersecurity in order to lower risk and reduce vulnerability. ISO 27001 defines and specifies best practices for implementing an Information Security Management System (ISMS). An ISMS is the set of processes that an organization uses to manage its information security risks more successfully; it is a comprehensive framework for cybersecurity. The ISMS allows an enterprise to adapt to the changing cyber threat environment by identifying and mitigating new vulnerabilities and minimizing their potential adverse impact.
ISO 27001 Organization
ISO 27001 consists of 14 security control clauses. Together, these clauses contain 35 main security categories and 114 controls. A security control defines the objective and the specific rules used to achieve that control objective.
The specification comprises the following sections:
- Sections 1–3 define introductory terms and references.
- Section 4 describes the need to define the scope of the ISMS and to establish, implement, and continually develop it.
- Section 5 covers the requirement for leadership commitment, including support for policies, roles, and relationships.
- Section 6 brings in planning to address issues such as risk management. The enterprise must create processes to identify information security risks and then prioritize them for risk mitigation.
- Section 7 defines the personnel and resource requirements necessary to implement an ISMS.
- Section 8 covers critical operational issues, including the key actions and the planning necessary to reach the objectives defined earlier in Section 6.
- Section 9 covers the requirements to track, measure, analyze, and evaluate the overall performance of the ISMS. These requirements include internal audit and management-level review and oversight.
- Section 10 defines the need for a continuous cycle of improvement. Problems should be analyzed, and the ISMS and applicable security controls improved accordingly.
Annex A is structured by clause, then by the categories within each clause, and finally lists the controls within each category. This structure comprises 114 ISO 27001 Annex A controls distributed across 14 clauses.
- Annex A.5 – Information security policies (2 controls)
  - A.5 is designed to make sure that policies are written and reviewed in line with the overall direction of the organization's general security policies.
- Annex A.6 – Organization of information security (7 controls)
  - This annex covers the assignment of responsibilities for specific tasks.
  - Annex A.6.2 addresses mobile devices and remote working.
- Annex A.7 – Human resource security (6 controls)
  - Annex A.7 helps ensure that employees and contractors understand their responsibilities.
- Annex A.8 – Asset management (10 controls)
  - This annex covers the way organizations identify information assets and define responsibility for their protection.
  - Annex A.8.1 is primarily about identifying information assets within the scope of the ISMS.
  - Annex A.8.2 is about the classification of information.
  - Annex A.8.3 covers media handling and helps ensure that sensitive data isn't disclosed, modified, removed, or destroyed without authorization.
- Annex A.9 – Access control (14 controls)
  - Annex A.9 helps ensure that employees can only view the information required for their position.
- Annex A.10 – Cryptography (2 controls)
  - This annex is about data encryption and the management of sensitive information.
- Annex A.11 – Physical and environmental security (15 controls)
  - This annex covers the organization's physical and environmental security.
- Annex A.12 – Operations security (14 controls)
  - This annex helps ensure that information processing facilities are secure.
- Annex A.13 – Communications security (7 controls)
  - This annex focuses on the processes which organizations use to protect information in networks.
- Annex A.14 – System acquisition, development, and maintenance (13 controls)
  - Annex A.14 helps ensure that information security remains an integral part of an organization's processes and management.
- Annex A.15 – Supplier relationships (5 controls)
  - This annex covers contractual agreements with third parties.
- Annex A.16 – Information security incident management (7 controls)
  - This annex covers the management and reporting of security incidents.
- Annex A.17 – Information security aspects of business continuity management (4 controls)
  - Annex A.17 promotes the development of an effective system to manage business disruptions.
- Annex A.18 – Compliance (8 controls)
  - Annex A.18 helps ensure that organizations are aware of and identify relevant laws, regulations, compliance, and governance requirements.
ISO/IEC 27002 goes deeper into best practices and provides an overview of the planning and implementation of information security. Adoption of specific security controls is optional. ISO 27002 consists of 19 sections, numbered 0 through 18.
Other Complementary Cybersecurity and Information Technology Frameworks
There are other cybersecurity and information technology management frameworks and standards. These include:
- MITRE ATT&CK.
- Payment Card Industry Data Security Standard (PCI DSS).
- Center for Internet Security (CIS) Critical Security Controls.
- NIST Framework for Cybersecurity.
- Control Objectives for Information and Related Technologies (ISACA COBIT).