
ISO 27001 is among the best-known and most widely used information security standards in the world. Organizations that implement and certify an ISO 27001-compliant information security management system (ISMS) demonstrate that they manage information security systematically and have been independently audited against a recognized standard.

In this article, we outline the ISO 27001 compliance requirements, discuss what organizations and government agencies should look out for when preparing for an ISO 27001 certification audit, and explore what ISO 27001 requires in terms of access management.


What Is ISO 27001?

The ISO 27001 framework, officially titled ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements, is a standard for information security management published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

The purpose of an ISMS is to establish and govern the processes and responsibilities for information security within an organization. It is a documented set of policies, procedures and controls that specifies which security measures are to be implemented and who is responsible for implementing and overseeing them.

ISO 27001 sets out the requirements against which companies can certify their ISMS. It is part of the ISO/IEC 27000 series of standards. ISO 27001 is the core standard and the one organizations are certified against; the other standards in the series cover related topics and sub-topics, as outlined below:

  • ISO 27000: Information security management systems — Overview and vocabulary

  • ISO 27001: ISMS requirements, basis for ISO certification and audits

  • ISO 27002: Code of practice for information security controls

  • ISO 27003: ISMS implementation guidance

  • ISO 27004: ISMS monitoring, measurement, analysis and evaluation

  • ISO 27005: Guidelines for risk management

  • ISO 27006: Requirements for bodies providing audit and certification of information security management systems

  • ISO 27007 & 27008: Guidelines for ISMS auditing and for assessing information security controls

The ISO/IEC 27000 family comprises dozens of standards covering further topics, such as cloud services (27017), privacy information management (27701, an extension of 27001 and 27002) and information security in healthcare (27799).

Is ISO 27001 Mandatory?

The short answer is no, it is not. ISO 27001 compliance is voluntary. Organizations can use ISO 27001 to demonstrate to customers and partners that they are applying good IT security measures and that they are monitoring and continuously working to improve these measures through internal audits.

However, the concept of an information security management system, which is the core of ISO 27001, has been adopted by numerous other security frameworks, either by setting out similar requirements or by directly referencing ISO 27001. Therefore, while ISO 27001 compliance is not mandatory per se, operating an ISO-compliant ISMS may effectively be mandatory for organizations that must comply with other frameworks that demand one.

Furthermore, in sensitive industries like finance and healthcare, ISO 27001 certification is frequently expected by customers, partners and regulators, even where it is not legally required. As mentioned earlier, it goes a long way to demonstrate to potential and existing customers that your organization is committed to maintaining a high level of information security.


ISO 27001: Updates & Life Cycle

To ensure the ISO family of standards does not lag behind the changing technological landscape, each standard undergoes a systematic review at least every five years. Depending on the outcome, a standard may be confirmed, revised, completely rewritten or withdrawn.

To find out about the latest version and updates for each standard, visit the ISO homepage.

Note: At the time of writing, ISO 27001:2013 was under revision. ISO 27002:2022 was published in February 2022 and the revised ISO 27001:2022 followed in October 2022. Organizations certified to the 2013 edition have a transition period, ending on 31 October 2025, to move to the 2022 edition.

ISO 27001 Scope

The ISO 27001 framework specifies requirements for establishing, implementing, maintaining and improving an information security management system. The purpose of an ISMS is to preserve the confidentiality, integrity and availability of information.

Many businesses make the mistake of treating information security purely as an IT issue, when in fact it affects all parts of an organization. Aside from technological topics, ISO/IEC 27001 also addresses organizational aspects, like the role of management. Among other things, management is in charge of appointing individuals who are responsible for controlling access to assets and for monitoring them.

Topics covered in ISO 27001 include:

  • Management responsibilities

  • Information security policy

  • Tasks and responsibilities

  • Risk assessment and risk management

  • Raising awareness

  • Documented information

  • Ongoing evaluation

  • Internal audits

ISO 27001 Compliance Requirements

ISO 27001 essentially consists of two parts. The main part follows the ISO Harmonized Structure (formerly called the High Level Structure) in 10 clauses; clauses 4 to 10 contain the requirements an organization must fulfill in order to be certified. These requirements are deliberately broad so that ISO 27001 can be applied across companies of different sizes and from different industries.

Clause 8.1, Operational planning and control, for example, requires: “The organization shall ensure that outsourced processes are determined and controlled.” It defines a goal, but offers no advice, let alone concrete steps, on how to achieve it.

Annex A of ISO 27001, on the other hand, contains Table A.1, a list of reference controls, i.e. the measures an organization can select when treating its information security risks. These controls are derived from and aligned with ISO 27002, where implementation guidance for each control is described in detail across more than 150 pages.

According to clause 6.1.3 of ISO 27001, organizations must compare the controls they have determined for their risk treatment with those in Table A.1 to verify that no necessary controls have been omitted from their ISMS.

Organizations are not required to implement every control in Annex A, but they are required to consider each one and to record in a Statement of Applicability which controls are applicable, whether they have been implemented and why. If a control is excluded, the organization must justify the exclusion.

Attention: Many of the controls in ISO 27002:2022 have been revised and consolidated, and Annex A of ISO 27001:2022 was updated to match. A Statement of Applicability written against the 2013 control numbering must therefore be re-mapped to the new control set; Annex B of ISO 27002:2022 contains correspondence tables between the 2013 and 2022 control numbers.

Preparing for ISO 27001 Compliance & Checklist

ISO 27001 certification is a lengthy process that should be planned well in advance. There are guidance materials available to help organizations prepare for ISO 27001 compliance.

However, understanding the controls of the ISO 27001 framework is in itself no easy task, and many companies tend to be blind to the shortcomings of their own internal processes (to put it nicely). It is therefore advisable to engage an external compliance consultant to help prepare for the audit.

The steps that need to be taken to implement an ISO-compliant information security management system depend largely on the initial state of an organization as well as the context it operates in. Listed below are some of the central points that need to be covered when preparing for ISO certification:

ISO 27001 Checklist

  • Define scope of information security management system (ISMS)

  • Summarize relevant security standards, contractual obligations and legal requirements

  • Perform and document a risk assessment

  • Establish information security policy

  • Compose a Statement of Applicability covering the Annex A controls

  • Implement security controls

  • Regulate management responsibilities within departments

  • Plan for internal communication and training

  • Set targets for improving ISMS

  • Contact accredited certification body

ISO 27001 Audit

Certification to ISO 27001 can only be achieved through an accredited certification body (CB). Make sure you have completed preparations prior to hiring an external auditor to ensure a swift and seamless audit process.

Getting your company certified to ISO 27001 can take several weeks or even months, depending on the availability of your auditor and how complex your organization’s internal structure is – not to mention the work required beforehand for implementing the required risk treatment measures.


The actual ISO 27001 compliance audit consists of two stages: Stage 1 is known as the document audit or high-level audit, in which the auditor(s) review the documents associated with the ISMS, such as the definition of scope, security policies, risk assessment and description of internal controls. While these documents can be evaluated remotely, the auditor usually also walks through the company’s premises to assess site-specific factors and risks.

If you have successfully completed stage 1, you can move on to stage 2 of the ISO 27001 certification process, which consists of a detailed, on-site audit. Ideally, this takes place no later than 6 months after stage 1, or you may have to repeat the initial audit. During this stage, the audit team will determine whether your ISMS is effective in practice or whether it only exists on paper. To do this, they will interview managers and staff members and evaluate in person what your company is doing to implement its risk treatment measures.

ISO 27001 Certification Process

Procedure | Details | Duration
Preparation | Planning and implementation of the necessary security measures and organizational processes | 3-9 months
Commission CB | Meet with different certification bodies, select one and schedule the audit | 1-2 weeks
Audit stage 1 | Auditors review the submitted ISMS documentation remotely and/or on site | 1-2 days
Audit stage 2 | Auditors assess the effectiveness of the ISMS on site | 1-2 weeks
Certification | Organization receives the audit report with recommended improvements and, if the audit was successful, the ISO 27001 certificate | After successful completion of the stage 2 audit
Surveillance audit | Check whether the ISMS is being maintained and is still working as intended | At least once a year after certification
Recertification | Full audit, usually shorter than the initial one, to determine whether a new certificate should be issued | Every 3 years

ISO 27001: Nonconformities and Corrective Actions

Even if you have prepared rigorously for the audit, auditors might still discover deficiencies or nonconformities in your ISMS. This does not automatically mean that your organization has failed the audit. How nonconformities and the resulting corrective actions affect your ISO 27001 certification process depends on their severity.

If the auditor finds only minor nonconformities, your organization can still be recommended for certification; typically the certification body accepts a corrective action plan and verifies its implementation at the next surveillance audit. “Opportunities for improvement” are observations rather than findings: the auditor may ask for clarification regarding the current state and effectiveness of your management system, but no corrective action is required. Major nonconformities, however, must be corrected, and the correction verified, before your organization can be awarded the certificate. Certification bodies specify a time frame within which corrections have to be completed.

Remember that flaws, mistakes and corrective actions are a perfectly normal part of the certification journey. Information security is not a static goal, but an ongoing process that requires constant reviewing, adaptation and improvement. It is why ISO/IEC 27001 wants organizations to implement internal controls and to conduct self-audits.

As long as you demonstrate that you are committed to correcting any deficiencies, there should be nothing standing in the way of your organization and a successful certification. If an audit fails entirely or has to be aborted, it is usually a sign that there is more at work here than just some minor errors. In such cases, the issue is probably a combination of grave deficiencies as well as an unwillingness to address these problems.

ISO 27001 Controls

Companies and government agencies seeking to achieve ISO 27001 compliance have to tackle information security from all angles, including staff training, defining management responsibilities and generally ensuring that the foundation and resources for a secure IT environment are provided. While these general parameters are vital, the core of any IT security standard is the security controls it sets out, i.e. the specific measures an organization must take to ensure that the company network and all its digital assets are sufficiently protected.

Organizations are free to determine the scope of their information security management systems themselves and, based on their risk assessment, which controls are needed to protect the confidentiality, integrity and availability of the information in scope. However, the controls they choose must be checked against the reference set in Annex A of ISO 27001, and every Annex A control that is left out must be justified.

Since not every control is applicable to every organization, companies striving to achieve compliance are not required to implement all the controls listed in Annex A. For instance, it does not make sense for companies who do not develop their own applications to implement the controls related to secure software development.

However, even if not every control applies, an organization looking to certify to ISO 27001 is still required to go through every single control listed in Table A.1 of Annex A (which mirrors the controls of ISO 27002) and describe in a Statement of Applicability (SoA) how each control was implemented or, if it was not implemented, give good reason as to why it was skipped.

As organizations evolve, so do their IT infrastructures and so do the requirements associated with their ISMS. It is a constant, fluid process. The Statement of Applicability must therefore be reviewed and updated regularly. A control that was skipped the first time round because it was not applicable at the time might become relevant a year or two later.
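The SoA rules described in the Compliance Requirements section and again here (every Annex A control must be considered, every inclusion or exclusion justified, and the numbering must match the control set in force) are easy to check mechanically. The following is an added illustration written for this article, not text or code from the standard or from tenfold; the control list is a constructed subset of the ISO/IEC 27002:2022 controls and the SoA entries are constructed sample data containing typical mistakes.

```python
"""Statement of Applicability (SoA) consistency check.

Added illustration for this article: the control list and SoA below are
constructed sample data, not an excerpt from ISO/IEC 27001 or 27002.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed subset of the ISO/IEC 27002:2022 controls (the full Annex A
# has 93). A real check would load all of them from your control register.
ANNEX_A_2022: Dict[str, str] = {
    "5.1": "Policies for information security",
    "5.15": "Access control",
    "5.16": "Identity management",
    "5.18": "Access rights",
    "5.31": "Legal, statutory, regulatory and contractual requirements",
    "5.34": "Privacy and protection of PII",
    "8.2": "Privileged access rights",
    "8.7": "Protection against malware",
    "8.15": "Logging",
    "8.25": "Secure development life cycle",
}


@dataclass
class SoaEntry:
    control: str        # control number as used in Annex A
    applicable: bool    # included in the ISMS or excluded
    implemented: bool   # current implementation status
    justification: str  # reason for inclusion or exclusion


# Constructed SoA with typical mistakes: one control missing entirely,
# two entries without justification, one stale 2013-style identifier.
SAMPLE_SOA: List[SoaEntry] = [
    SoaEntry("5.1", True, True, "Policy approved by management, reviewed annually"),
    SoaEntry("5.15", True, True, "Role-based access model, reviewed quarterly"),
    SoaEntry("5.16", True, True, "Joiner/mover/leaver process in the IAM system"),
    SoaEntry("5.18", True, False, "Access reviews planned for next quarter"),
    SoaEntry("5.31", True, True, ""),
    SoaEntry("5.34", True, True, "GDPR applies to customer and employee data"),
    SoaEntry("8.7", True, True, "EDR on all endpoints, mail attachment filtering"),
    SoaEntry("8.15", True, True, "Central log collection, 12 months retention"),
    SoaEntry("8.25", False, False, ""),
    SoaEntry("A.9.4.1", True, True, "Legacy entry copied from the 2013 SoA"),
]


def _control_key(control: str) -> Tuple[int, ...]:
    """Sort '8.2' after '5.34' numerically rather than as strings."""
    return tuple(int(part) for part in control.split("."))


def check_soa(controls: Dict[str, str], soa: List[SoaEntry]) -> Dict[str, List[str]]:
    """Cross-check an SoA against the reference control list.

    Returns control numbers grouped by finding type:
      missing          - Annex A control with no SoA entry at all
      unknown          - SoA entry whose number is not in the reference list
      duplicate        - control listed more than once
      no_justification - entry without a reason for inclusion/exclusion
      not_implemented  - applicable control not yet implemented (informational)
    """
    findings: Dict[str, List[str]] = {
        "missing": [], "unknown": [], "duplicate": [],
        "no_justification": [], "not_implemented": [],
    }
    seen = set()
    for entry in soa:
        if entry.control in seen:
            findings["duplicate"].append(entry.control)
        seen.add(entry.control)
        if entry.control not in controls:
            findings["unknown"].append(entry.control)
            continue
        if not entry.justification.strip():
            findings["no_justification"].append(entry.control)
        if entry.applicable and not entry.implemented:
            findings["not_implemented"].append(entry.control)
    findings["missing"] = sorted(set(controls) - seen, key=_control_key)
    return findings


def audit_ready(findings: Dict[str, List[str]]) -> bool:
    """Blocking findings are gaps in coverage or justification; controls that
    are applicable but still being implemented can be presented with a plan."""
    blocking = ("missing", "unknown", "duplicate", "no_justification")
    return not any(findings[k] for k in blocking)


if __name__ == "__main__":
    result = check_soa(ANNEX_A_2022, SAMPLE_SOA)
    for kind, ids in result.items():
        if ids:
            print(f"{kind:17s}: {', '.join(ids)}")
    print("audit ready:", audit_ready(result))
```

Run against the sample data, the check reports control 8.2 as missing from the SoA, the 2013-style identifier A.9.4.1 as unknown to the 2022 control set, 5.31 and 8.25 as lacking a justification, and 5.18 as applicable but not yet implemented. Only the first three categories block audit readiness; a control that is still being implemented can be presented to the auditor with a plan and a date.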

ISO 27002:2022 Update

There is a close link between Table A.1 and ISO 27002, as the former is derived from the latter. While the previous version, ISO 27002:2013, grouped its controls into 14 chapters, the 2022 edition organizes them into just four themes: Organizational Controls (37), People Controls (8), Physical Controls (14) and Technological Controls (34).

In the latest version of ISO 27002, many controls have been revised and merged and 11 new ones added, reducing the total number of controls from 114 to 93.

Organizational Controls

With a total of 37 controls, the chapter on Organizational Controls constitutes the largest section of ISO 27002. It covers all aspects of information security that are controlled through policies, guidelines and managerial decisions. This includes setting up policies for information security, defining responsibilities (i.e. who is responsible for what assets, but also management responsibilities) as well as putting together an inventory of information and assets (including data and risk owners).

Organizational duties furthermore include making contact with authorities and special interest groups, compliance with other legal standards as well as appropriate handling of personal identifiable information (PII), proprietary information and important records. Organizations are further required to stay actively informed on the latest cybersecurity threats.

Another important section of the Organizational Controls chapter deals with access control, meaning access to digital resources. Organizations are required to define rules for who needs access to what data and how this access shall be granted. Furthermore, organizations must regulate how and when assets shall be returned and how and when access to any particular asset shall be revoked.

People Controls

All users have to pull their weight to ensure the company network remains secure. However, it is the company’s duty to make sure users have the necessary knowledge to do so. ISO 27002 therefore emphasizes the importance of raising awareness on information security among employees. Companies must teach their staff about security policies and provide them with educational materials and training.

The People Controls chapter of ISO 27002 further stipulates that companies must have disciplinary policies in place that apply in the event of a violation. It also requires a clearly defined process that employees can use to report incidents as well as potential security vulnerabilities.

Companies that allow remote work must have remote work policies that outline where and when remote work is permitted and they must provide appropriately secured devices and equipment through which the corporate network may be accessed by their employees when working from home.


Physical Controls

The ISO specifications for physical controls essentially state that areas where sensitive data is held must be monitored and protected against unauthorized entry. Computers and other devices like storage media must be protected from unauthorized use, e.g. through clean desk and clean screen policies.

As availability is one of the security objectives of ISO 27001, companies are required to secure their physical IT infrastructure against physical environment threats like fires, floods and storms.

Technological Controls

With 34 controls, the chapter on technological controls makes for another enormous chunk of ISO 27002. Topics covered include securing user endpoint devices, data encryption and authentication. Each control defines a core objective and provides guidance on how to achieve it.

Chapter 8.7, for example, addresses the topic of malware protection. The objective that is set out here is that data and information assets must be protected against malware attacks. The text makes it clear, however, that the installation of antivirus software alone does not provide enough protection against malware.

Further controls include the blocking of suspicious websites and attachments, application whitelisting, blocking of unknown programs, isolation of critical systems, and maintaining active threat management, including research into new threats. Which of these measures are applicable in each case depends on the risk analysis and the scope of the ISMS.

Other relevant technical security aspects include user authentication, privileged access rights, monitoring of user activities, data backups, secure disposal of storage media, and many more.


Achieving ISO 27001 Compliance with Access Management

When implementing an ISO-compliant information security management system, the primary objective is to create a foundation for protecting IT systems and for handling data securely. To accomplish this, organizations have to answer some basic questions: What controls need to be implemented and who is responsible for implementing them? What resources are available and accessible in the corporate network and who needs to access them?

To secure company data and digital resources, you have to know exactly what information assets there are and which users need access to them to do their jobs. Achieving ISO 27001 compliance therefore goes hand in hand with having a good and solid identity and access management strategy in place. In the following, we will look more closely at the exact requirements ISO 27001 sets out in terms of access management and explore how tenfold has you covered.

ISO 27001 Controls – Overview

Objective: Define rules for access to IT assets that meet business and security requirements and incorporate best practices, such as segregation of duties, least privilege access and user access reviews.

Solution in tenfold: The use of role-based access control in tenfold ensures that privileges are assigned automatically on the basis of pre-defined default rights. The software is able to automatically derive permission profiles from existing access rights and organizational units (role mining).

tenfold regularly prompts data owners to review and recertify access to assets they are responsible for.

Objective: Manage life cycles of user accounts to ensure access rights are never outdated or incorrect.

Solution in tenfold: In tenfold, user life cycle processes are automated, so users always have the exact privileges they need to do their jobs.

User provisioning and removal of access rights as well as account deactivation are all centrally controlled processes in tenfold. Any changes are automatically communicated to the connected target systems.

Objective: Secure storage and transmission of credentials to prevent unauthorized logins.

Solution in tenfold: tenfold uses secure one-time passwords for initial access. After logging in, users must replace one-time passwords with their own secure passwords.

Through its self-service interface, users can reset their own password in any service connected to tenfold, assuming they can verify their identity. This greatly reduces the number of helpdesk tickets admins receive.

For added security, we recommend using tenfold in combination with a password manager.

Objective: Make processes like assigning, adapting and deleting access rights comply with the requirements of the security policy and document these processes accordingly.

Solution in tenfold: You can appoint data owners who can then decide who should get access to the assets they are responsible for and who should not. Data owners are prompted regularly to review the access rights they have approved and to either reapprove or revoke them.

tenfold also allows you to grant temporary access rights, which are automatically revoked after a customizable time period. tenfold also tracks changes and logs all processes, from request to approval.

Objective: Restrict the use of privileged user accounts.

Solution in tenfold: tenfold’s main purpose is to restrict user privileges to a necessary minimum to ensure users only have the permissions and access to assets they really need to do their jobs.

tenfold does not, however, cover advanced security requirements for admin accounts. For this, you need a separate solution for privileged access management (PAM), which you can use in combination with tenfold.

Objective: Restrict access to information and control which user groups have access to what data.

Solution in tenfold: tenfold uses roles to provide transparency on which user groups have access to what information. Individual rights (which are often forgotten) are highlighted in tenfold to make sure they are not overlooked.

tenfold further provides detailed reports that give you an instant overview of who (user, user group) had or has access to what data. It also keeps auditable records of any changes made to permissions.

Objective: Control read and write access to source code, development tools and software libraries.

Solution in tenfold: Controlling access to software development resources in tenfold is just as simple as controlling access to any other resource within the company network.

Users can request access to assets themselves using an integrated self-service platform. Alternatively, tenfold assigns rights automatically via permission groups. Thanks to these options, tenfold can tell you in an instant who has access to sensitive data like source code.

Objective: Implement secure authentication mechanisms to identify users.

Solution in tenfold: For its own login, tenfold provides secure, multi-factor authentication (MFA) on the basis of smartphone tokens.

tenfold also allows you to integrate any existing authentication methods used by connected services, such as MFA for Windows through the Microsoft Authenticator app. However, tenfold does not allow you to add MFA to any systems which do not already support it.

The controls outlined above specifically address the sections of ISO 27002 that deal with identity and access management. However, considering that user accounts and access rights form the basis of most IT systems, having an adequate access management strategy is of course also relevant to many other controls, including legal, statutory, regulatory and contractual requirements (5.31), privacy and protection of PII (5.34) and logging (8.15), to use the ISO 27002:2022 numbering.

tenfold: Information Security & Efficient Management

To get ISO 27001 certified, organizations must demonstrate that their IT foundation is good and solid. Besides implementing certain controls, this requires knowing what information assets there are and who has or needs access to them on a daily basis.

Without an identity and access management solution, it is very difficult for companies with hundreds of users to manage access to IT systems and applications in a way that is secure, effective and economical at the same time. The IAM solution tenfold is designed to boost data security and admin productivity in your organization and to make it easier to achieve compliance with different security regulations.

tenfold is perfectly tailored to meet the needs of midmarket organizations, as it comes with a large range of features, flexible interfaces and yet is still quick and easy to deploy. Learn more about tenfold’s advantages, watch our product demo or sign up for a free trial.