ISO 27001

For various reasons, more and more US-based organizations are considering ISO certification to demonstrate their information security acumen to customers and business partners. In most cases, these organizations have already obtained one or more certifications and/or attestations and simply want to further strengthen their organizational credentials and satisfy any inquiring third party. While commendable, such efforts can be hindered by treating ISO as just another security framework onto which existing policies, procedures, and controls can be mapped. The simple fact is that if you believe success in other compliance efforts provides some assurance of ISO certification, then you need to think again.

For any organization considering ISO certification, LBMC is here to answer common questions, dispel common myths, and, most importantly, equip readers with valuable information for starting a successful ISO certification journey.

What is ISO 27001?

The International Organization for Standardization (ISO) is an independent body whose goal is to publish standards that any organization, irrespective of industry, can follow. As defined on its website, a standard is "a formula that describes the best way of doing something." These include quality and environmental management standards, health and safety standards, food safety standards and, of course, information security standards. Standards are published in numbered series, each containing multiple individual documents related to some aspect of the subject. In most cases, the "01" document in each series, e.g. 9001, 14001, 27001, is the standard against which organizations can be certified. All other documents in the series are supporting documents for the certification standard.

The ISO 27000 series is the established series for Information Security Management Systems (ISMS). A management system is the set of policies, procedures, and resources implemented to preserve the confidentiality, integrity, and availability of information. ISO/IEC 27001:2022 is the standard against which organizations can be certified. This ISO certification demonstrates to interested parties the organization's dedication to effectively managing risk and the security of critical information systems.

Incidentally, IEC in the document title refers to the International Electrotechnical Commission, a similar standards body that contributes to ISO standards involving technical activities.

Why is ISO 27001 important?

While US-based organizations are subject to many industry and regulatory frameworks that guide cybersecurity and compliance efforts, ISO 27001 is the de facto information security standard outside the US. For organizations engaging customers and other business relationships outside the US, ISO certification is commonly expected as proof of the organization's commitment to effective risk management and information security. At the core of the ISO standard is the establishment of a formal management structure around the ISMS to ensure its continued effectiveness. This effectiveness must be demonstrated to earn and maintain certification. ISO is not a "checkbox security" framework.

Organizations often leverage the information security management system established for ISO certification to manage their other compliance programs, such as SOC, PCI, and HITRUST. For example, while conducting their annual ISO internal audit, they take the opportunity to verify that controls still meet the requirements of their other compliance standards. Then, as part of the management review program for ISO certification, they review their other compliance programs to identify changes in scope, changes in the risk or threat landscape, and any associated internal audit findings. For security managers seeking approval from upper management to pursue ISO certification, this is an effective argument for justifying the resources needed to establish and maintain an ISO compliance program.

What are the ISO 27001 requirements?

ISO standard documents follow a common format whereby content is divided into numbered clauses. Clauses define the scope of a given standard, provide references to other supporting or dependent standards, define the terms used in the standard, and establish the requirements or expectations of the standard. Standards typically include annexes or appendices that provide supporting guidance for the requirements and expectations contained in the clauses.

The ISO 27001 standard is made up of seven mandatory clauses (Clauses 4 through 10) and 93 Annex A controls. The clauses establish the fundamental elements of the information security management system (ISMS) that an organization must have in place to manage risk and protect information. These requirements are unique to the ISO 27001 standard. Unlike other information security compliance frameworks, the clauses establish requirements for ongoing direction and oversight of the ISMS. These include activities such as organizational risk assessment and risk treatment, regular executive management review of the ISMS, an annual internal audit of the ISMS, and continuous monitoring and measurement of the effectiveness of security controls.

The second half of the standard, titled Annex A, contains the ISO 27001 controls, grouped into four themes: organizational, people, physical, and technological. The controls are more familiar to information security practitioners because they are the tactical requirements organizations use to address security risks and threats. They include access and authentication, logging, encryption, incident response, and the other control categories organizations implement as part of their various security and compliance programs. Unlike some cybersecurity frameworks, the ISO controls are not prescriptive. In other words, ISO 27001 does not establish minimum password settings, log retention periods, or cryptographic key lengths. Instead, ISO establishes the controls that the organization must consider. The organization then determines which controls apply to its environment and adequately treat the identified risks, and records that determination, including the justification for any control it excludes, in its Statement of Applicability. The auditor's role, therefore, is to determine whether the controls are implemented as defined and whether they adequately address the risks for which they were implemented.

Is ISO 27001 a legal requirement?

ISO 27001 is not a legal requirement per se. Organizations may, however, take on contractual obligations to obtain and/or maintain ISO 27001 certification as part of their business relationships. ISO 27001 certification can also be leveraged and/or accepted by organizations as a means of demonstrating compliance with industry and regulatory information security requirements.

What three aspects of information does ISO 27001 focus on?

While an organization's ISMS addresses many aspects of the security of its hardware, software, and data assets, the ISO 27001 standard is focused on the confidentiality, integrity, and availability of information.

  1. Confidentiality is the protection of information from unauthorized access.
  2. Integrity is the protection of information from unauthorized modification.
  3. Availability is the assurance that information is accessible as needed.

The end result of achieving ISO 27001 certification is that an organization assures its customers, business partners, and other interested parties that the risk of compromise of the information for which the organization is responsible is being managed and minimized.

What are the current ISO 27001 standards?

ISO/IEC 27001:2022, which replaced the 2013 edition, is one of many standards and supporting documents in the 27000 series for information security management systems. The series includes certification standards such as 27001 and 27701, as well as guidance and supporting documents such as 27002 and 27003.


How do you get ISO 27001 certified?

Organizations must be audited by an independent third party. Any auditor can issue a certificate, but it is recommended to engage an accredited ISO 27001 certification body to conduct the audit. Accredited certification bodies are themselves regularly subject to independent audits to confirm that they remain reputable, competent, and trustworthy. A certificate issued under accreditation carries the accreditation body's mark (for example, ANAB in the US or UKAS in the UK), which interested parties can verify with that body. This provides assurance to the organization, and to any interested party, that the audit was conducted and the certificate issued in accordance with all associated ISO standards.

To successfully pass an initial ISO 27001 certification audit, an organization must demonstrate that its ISMS is fully implemented and effective. To do this, the organization needs to implement all of the requirements established in the ISO 27001 clauses, along with the Annex A controls it has determined to be applicable. To demonstrate effectiveness, ISO auditors will commonly look for a full iteration of the PDCA (Plan-Do-Check-Act) cycle. Accredited certification audits are conducted in two stages: a Stage 1 review of the ISMS documentation and readiness, followed by a Stage 2 audit of implementation and effectiveness. Once certified, the organization is subject to annual surveillance audits and a recertification audit every three years. For mature organizations with ISMS components and controls already well established, preparation for initial certification may take as little as four to six months. For others, it takes at least a year to establish the ISMS and associated controls and be ready for the initial certification audit.

Due to the significant effort needed to prepare for the initial audit, many organizations engage a third party to assist with establishing their ISMS. Third parties may simply oversee and provide guidance while the organization implements its ISMS, or they may become fully or partially involved in the effort. Regardless of how involved they are, a third party that provides implementation assistance should not and, under the rules of some accreditors, cannot also conduct the organization's certification audits. This avoids a conflict of interest between the implementing and auditing entities.

Contact Us

Brian Willis, CISSP, CCSK, PCI QSA, ISO 27001 Senior Lead Auditor, is a Senior Manager in the Cybersecurity department at LBMC, PC. He can be reached at brian.willis@LBMC.com or (615) 309-2607.