ISO 27001 Compliance Requirements & Checklist

The ISO 27001 framework, officially titled ISO/IEC 27001, is a standard for IT security procedures developed by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC). The ISO 27001 framework sets out requirements for the implementation, operation and continuous improvement of an information security management system (ISMS).

The purpose of an ISMS is to regulate and firmly establish processes and responsibilities for managing IT security within an organization. It is first and foremost a governance framework that determines who is responsible for implementing, reviewing and improving the specific safety measures included in the ISO 27001 standard.

ISO 27001 sets out the controls according to which companies can certify their ISMS. It is worth noting that ISO 27001 is part of a family of documents in the ISO 2700x framework series. While it represents the main standard and basis of ISO certification, other frameworks cover related topics and domains, as outlined below:

The ISO/IEC 27000 family includes over 20 frameworks that cover further topics, such as cloud services (27017), data privacy (27701) and information security management in the health industry (27799).

No, ISO 27001 is not mandatory. Similar to frameworks like NIST CSF or the CIS Controls, it is a voluntary standard that organizations can use to demonstrate to customers and other companies that they have implemented the best practices of cybersecurity in all business areas.

However, the concept of an information security management system, which is the core of ISO 27001, has been adopted by numerous other security frameworks (such as TISAX and TPISR), which either set out similar requirements or directly reference ISO 27001. Therefore, while the ISO 27001 standard is not mandatory per se, ISO/IEC-compliant governance of security risks may still be a requirement for your organization.

Furthermore, there are sensitive industries like the finance and healthcare sectors, where ISO 27001 certification is almost always expected, even though it is not legally required. Companies looking to purchase a cyber insurance policy may likewise be required to prove appropriate security measures.

ISO 27001 compliance is voluntary – but only kind of voluntary. Adobe Stock, (c) thodonal

To ensure the ISO family of standards are not lagging behind the ever-changing technological landscape, they are subjected to thorough reviews every 3-5 years. Depending on the outcome, a standard may be continued, modified, completely rewritten or withdrawn altogether.

To find out about the latest version and updates for each norm, visit the ISO homepage.

The ISO 27001 framework specifies requirements for the implementation, development and monitoring of an information security management system. The purpose of an ISMS is to safeguard control over the availability, confidentiality and integrity of information.

Many businesses make the mistake of treating information security purely as an IT issue, when in fact it affects all parts of an organization. Aside from technological topics, ISO/IEC 27001 also addresses organizational aspects, like the role of management. Among other things, management is in charge of appointing individuals who are responsible for controlling access to assets and for monitoring them.

Topics covered in ISO 27001 include:

ISO 27001 essentially consists of two parts: The main part, which follows the ISO High Level Structure in 10 chapters, lays out the requirements organizations must fulfill in order to be certified. The requirements are rather broad to allow for the universal application of ISO 27001 across companies of different sizes and from different industries.

Chapter 8.1: Operational Planning and Control, for example, lays out the following objective: “The organization shall ensure that outsourced processes are determined and controlled.” As you can see, it defines a goal, but offers no advice, let alone concrete steps, on how to achieve this goal.

“Annex A“ of ISO 27001 contains information on security risks and controls. Adobe Stock, (c) Gorodenkoff

Table A.1 in Annex A of ISO 27001, on the other hand, specifies “risk treatment options” for dealing with information security risks. Table A.1 directly references ISO 27002, where the steps for implementing these risk treatment measures are described in detail across more than 150 pages.

According to Control 6.1.3 of ISO 27001, organizations must compare their planned risk treatment measures with Table A.1 to verify that no necessary controls were omitted from their ISMS.

Organizations are not required to implement all of the controls as detailed in Annex A, but they are required to review every single control and to write down in a Statement of Applicability which of the controls are relevant and how they have been implemented. If a control is skipped, the organization must explain why.

ISO 27001 certification is a long-winded process that should be well planned in advance. There are guidance materials available to help organizations prepare for ISO 27001 compliance.

However, considering that understanding the controls of the ISO 27001 framework is in itself no easy task and, furthermore, many companies tend to be blind to the shortcomings of their own internal processes (to put it nicely), it is advisable to engage the services of an external compliance consultant to help prepare for the audit.

The steps that need to be taken to implement an ISO-compliant information security management system depend largely on the initial state of an organization as well as the context it operates in. Listed below are some of the central points that need to be covered when preparing for ISO certification:

ISO 27001 Checklist

Certification to ISO 27001 can only be achieved through an accredited certification body (CB). Make sure you have completed preparations prior to hiring an external auditor to ensure a swift and seamless audit process.

Getting your company certified to ISO 27001 can take several weeks or even months, depending on the availability of your auditor and how complex your organization’s internal structure is – not to mention the work required beforehand for implementing the required risk treatment measures.

In phase 1 of the audit, auditors will closely examine the ISMS documents. Adobe Stock, (c) AndreyPopov

The actual ISO 27001 compliance audit consists of two stages: Stage 1 is known as the Document Audit or high-level audit, in which the auditor(s) will review the documents associated with the ISMS, such as the definition of scope, security guidelines, risk assessment and internal control description. While these documents can be evaluated remotely, a walk-through of the company’s premises is also intended to assess site-specific factors and risks.

If you have successfully completed stage 1, you can move on to stage 2 of the ISO 27001 certification process, which consists of a detailed, on-site audit. Ideally, this takes place no later than 6 months after stage 1 or you may have to repeat the initial audit. During this stage, the audit team will determine whether your ISMS is efficient and effective, or whether it only exists on paper. To do this, they will interview managers and staff members and evaluate in person what your company is doing to implement the risk measures.

Even if you have prepared rigorously for the audit, auditors might still discover deficiencies or noncomformities in your ISMS. This does not automatically mean that your organization has failed the audit. How noncomformities or potential corrective actions might affect your ISO 27001 certification process really depend on their severity.

If the auditor discovers only minor nonconformities, your organization could still be recommended for certification, though you will have to address these issues to receive the certificate. The same applies if “opportunities for improvement” are found, where the auditor might request clarification regarding the current conditions and effectiveness of your management system. If, however, the findings fall into the category of “major noncomformities”, these will have to be rectified before your organization can be awarded the certificate. Certification bodies usually specify a certain time frame in which corrections have to be completed.

Remember that flaws, mistakes and corrective actions are a perfectly normal part of the certification journey. Information security is not a static goal, but an ongoing process that requires constant reviewing, adaptation and improvement. It is why ISO/IEC 27001 wants organizations to implement internal controls and to conduct self-audits.

As long as you demonstrate that you are committed to correcting any deficiencies, there should be nothing standing in the way of your organization and a successful certification. If an audit fails entirely or has to be aborted, it is usually a sign that there is more at work here than just some minor errors. In such cases, the issue is probably a combination of grave deficiencies as well as an unwillingness to address these problems.

Everything you need to know about ISO 27001 controls. Adobe Stock, (c) Looker_Studio

Companies and government agencies seeking to achieve ISO 27001 compliance have to tackle cybersecurity from all angles, including staff training, defining management responsibilities and generally ensuring the foundation and resources for a safe IT environment are provided for. While of course these general parameters are vital, the core of any IT security standard is the security controls it sets out, i.e. the specific actions an organization must undertake to guarantee that the company network and all its digital assets are sufficiently protected.

Organizations are free to determine the scope of their information security management systems themselves, which means it’s up to them to decide which controls need to be implemented to reach the three security objectives of integrity, availability and confidentiality. However, organizations are still required to fulfill a certain minimum standard, as outlined in Annex A of ISO 27001.

Since not every control is applicable to every organization, companies striving to achieve compliance are not required to implement all the controls listed in Annex A. For instance, it does not make sense for companies who do not develop their own applications to implement the controls related to secure software development.

However, even if not every control applies, an organization looking to certify to ISO 27001 is still required to go through every single control listed in Table A.1 (of ISO 27002) and describe in a Statement of Applicability (SOA) how each control was implemented or, if it was not implemented, give good reason as to why it was skipped.

There is a close link between Table A.1 and ISO 27002, as the first directly references the latter. While the previous version, ISO 27002:2013, was divided into 14 chapters, the 2022 update combines these chapters into just four main chapters: Organizational Controls, People Controls, Physical Controls and Technological Controls.

In the latest versions of ISO 27002 and 27001, many of the controls have been revised and merged, reducing the number of controls from 114 to 93.

With a total of 37 controls, the chapter on Organizational Controls constitutes the largest section of ISO 27002. It covers all aspects of information security that are controlled through policies, guidelines and managerial decisions. This includes setting up policies for information security, defining responsibilities (i.e. who is responsible for what assets, but also management responsibilities) as well as putting together an inventory of information and assets (including data and risk owners).

Organizational duties furthermore include making contact with authorities and special interest groups, compliance with other legal standards as well as appropriate handling of personal identifiable information (PII), proprietary information and important records. Organizations are further required to stay actively informed on the latest cybersecurity threats.

Another important section of the Organizational Controls chapter deals with access control, meaning access to digital resources. Organizations are required to define rules for who needs access to what data and how this access shall be granted. Furthermore, organizations must regulate how and when assets shall be returned and how and when access to any particular asset shall be revoked.

All users have to pull their weight to ensure the company network remains secure. However, it is the company’s duty to make sure users have the necessary knowledge to do so. ISO 27002 therefore emphasizes the importance of raising awareness on information security among employees. Companies must teach their staff about security policies and provide them with educational materials and training.

The chapter on People Controls of ISO 27001 further stipulates that companies must have disciplinary policies in place that shall apply in the event of a violation. This also means there must be a clearly defined process in place which employees can use to report incidents as well as potential security vulnerabilities.

Companies that allow remote work must have remote work policies that outline where and when remote work is permitted and they must provide appropriately secured devices and equipment through which the corporate network may be accessed by their employees when working from home.

ISO 27001 compliance requires you to protect the physical IT infrastructure of your company. Adobe Stock, (c) .shock

The ISO specifications for physical controls essentially state that areas where sensitive data is held must be monitored and protected against unauthorized entry. Computers and other devices like storage media must be protected from unauthorized use, e.g. through clean desk and clean screen policies.

As availability is one of the security objectives of ISO 27001, companies are required to secure their physical IT infrastructure against physical environment threats like fires, floods and storms.

With 34 controls, the chapter on technological controls makes for another enormous chunk of ISO 27002. Topics covered include securing user endpoint devices, data encryption and authentication. Each control defines a core objective and provides guidance on how to achieve it.

Chapter 8.7, for example, addresses the topic of malware protection. The objective that is set out here is that data and information assets must be protected against malware attacks. The text makes it clear, however, that the installation of antivirus software alone does not provide enough protection against malware.

Further controls include the blocking of suspicious websites and attachments, application whitelisting, blocking of unknown programs, isolation of critical systems, and maintaining active threat management, including research into new threats. Which of these measures are applicable in each case depends on the risk analysis and the scope of the ISMS.

Other relevant technical security aspects include multi-factor authentication, privileged access rights, monitoring of user activities, data backups, secure disposal of storage media, and many more.

ISO 27001 compliant access management – with tenfold! Adobe Stock, (c) jirsak

When implementing an ISO-compliant information security management system, the primary objective is to create a foundation for protecting IT systems and for handling data securely. To accomplish this, organizations have to answer some basic questions: What controls need to be implemented and who is responsible for implementing them? What resources are available and accessible in the corporate network and who needs to access them?

To secure company data and digital resources, you have to know exactly what information assets there are and which users need access to them to do their jobs. Achieving ISO 27001 compliance therefore goes hand in hand with having a good and solid identity and access management strategy in place. In the following, we will look more closely at the exact requirements ISO 27001 sets out in terms of access management and explore how tenfold has you covered.

The controls outlined above specifically address the sections of ISO 27002 that deal with identity & access management. However, considering that user accounts and access rights form the basis of most IT systems, having an adequate access management strategy is of course also relevant to many other controls, including compliance with regulatory standards (5.31), privacy and protection of personal information (5.34), and logging of events (8.15)

To get ISO 27001 certified, organizations must demonstrate that their IT foundation is good and solid. Besides implementing certain controls, this requires knowing what information assets there are and who has or needs access to them on a daily basis.

Without an identity and access management solution, it is impossible for companies that employ hundreds of users to manage access to IT systems and applications in a way that saves resources and is secure and effective at the same time. The IAM solution tenfold will significantly boost data security and admin productivity in your organization and also make it easier to achieve compliance with different security regulations.

tenfold is perfectly tailored to meet the needs of midmarket organizations, as it comes with a large range of features, flexible interfaces and yet is still quick and easy to deploy. Learn more about tenfold’s advantages, watch our product demo or sign up for a free trial.