ISO 27001 Compliance Requirements & Checklist

ISO 27001 is among the most well-known and commonly used cybersecurity standards in the world. By implementing and maintaining an ISO-compliant information security management system (ISMS), organizations can demonstrate to customers, clients and business partners that they are maintaining an excellent level of cybersecurity. In this article, we are going to cover the ISO 27001 requirements and go over the key steps and documents in preparing for an ISO certification audit. Additionally, we are going to look in detail at the specific demands the ISO/IEC standard places on an organization’s access management.

What Is ISO 27001?

The ISO 27001 framework, officially titled ISO/IEC 27001, is a standard for IT security procedures developed by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC). The ISO 27001 framework sets out requirements for the implementation, operation and continuous improvement of an information security management system (ISMS).

The purpose of an ISMS is to regulate and firmly establish processes and responsibilities for managing IT security within an organization. It is first and foremost a governance framework that determines who is responsible for implementing, reviewing and improving the specific safety measures included in the ISO 27001 standard.

ISO 27001 sets out the controls according to which companies can certify their ISMS. It is worth noting that ISO 27001 is part of a family of documents in the ISO 2700x framework series. While it represents the main standard and basis of ISO certification, other frameworks cover related topics and domains, as outlined below:

  • ISO 27000: Information security management systems — Overview and vocabulary

  • ISO 27001: ISMS requirements, basis for ISO certification and audits

  • ISO 27002: Security controls reference and best practice

  • ISO 27003: ISMS implementation guidance

  • ISO 27004: ISMS monitoring, measurement, analysis and evaluation

  • ISO 27005: Guidelines for risk management

  • ISO 27006, 27007 & 27008: Requirements for bodies providing audit and certification of information security management systems

The ISO/IEC 27000 family includes over 20 frameworks that cover further topics, such as cloud services (27017), data privacy (27701) and information security management in the health industry (27799).

Is ISO 27001 Mandatory?

No, ISO 27001 is not mandatory. Similar to frameworks like NIST CSF or the CIS Controls, it is a voluntary standard that organizations can use to demonstrate to customers and other companies that they have implemented the best practices of cybersecurity in all business areas.

However, the concept of an information security management system, which is the core of ISO 27001, has been adopted by numerous other security frameworks (such as TISAX and TPISR), which either set out similar requirements or directly reference ISO 27001. Therefore, while the ISO 27001 standard is not mandatory per se, ISO/IEC-compliant governance of security risks may still be a requirement for your organization.

Furthermore, there are sensitive industries like the finance and healthcare sectors, where ISO 27001 certification is almost always expected, even though it is not legally required. Companies looking to purchase a cyber insurance policy may likewise be required to prove appropriate security measures.

ISO 27001 Benefits

  • Trust is perhaps the largest benefit of completing ISO/IEC certification. Even if your company is already following recommended security practices such as Zero Trust and Least Privilege, an independent review provides you with an official seal of approval. As one of the most widely used standards around the globe, ISO 27001 also carries the advantage of being one of the more recognizable certifications you can go for.

  • Compliance with other standards your organization may need to follow, such as industry-specific regulations or regional laws, is also made easier when you can build on the foundation of a certified ISMS and established governance processes for implementing and revising new controls.

  • Security similarly benefits from an independent review, as the audit process may reveal holes in your strategy, ranging from specific vulnerabilities to leadership oversights in the reporting and managing stages.

ISO 27001: Updates & Life Cycle

To ensure the ISO family of standards are not lagging behind the ever-changing technological landscape, they are subjected to thorough reviews every 3-5 years. Depending on the outcome, a standard may be continued, modified, completely rewritten or withdrawn altogether.

To find out about the latest version and updates for each norm, visit the ISO homepage.

Important: The new and revised edition, ISO 27001:2022, was officially released in October 2022, bringing the standard in line with the updated controls of ISO 27002:2022 that are included in Annex A.

ISO 27001 Scope

The ISO 27001 framework specifies requirements for the implementation, development and monitoring of an information security management system. The purpose of an ISMS is to safeguard control over the availability, confidentiality and integrity of information.

Many businesses make the mistake of treating information security purely as an IT issue, when in fact it affects all parts of an organization. Aside from technological topics, ISO/IEC 27001 also addresses organizational aspects, like the role of management. Among other things, management is in charge of appointing individuals who are responsible for controlling access to assets and for monitoring them.

Topics covered in ISO 27001 include:

  • Management responsibilities

  • Guideline on information security

  • Tasks and responsibilities

  • Risk assessment and risk management

  • Raising awareness

  • Documentation of information

  • Ongoing evaluation

  • Internal audits

ISO 27001 Compliance Requirements

ISO 27001 essentially consists of two parts: The main part, which follows the ISO High Level Structure in 10 chapters, lays out the requirements organizations must fulfill in order to be certified. The requirements are rather broad to allow for the universal application of ISO 27001 across companies of different sizes and from different industries.

Chapter 8.1: Operational Planning and Control, for example, lays out the following objective: “The organization shall ensure that outsourced processes are determined and controlled.” As you can see, it defines a goal, but offers no advice, let alone concrete steps, on how to achieve this goal.

Table A.1 in Annex A of ISO 27001, on the other hand, specifies “risk treatment options” for dealing with information security risks. Table A.1 directly references ISO 27002, where the steps for implementing these risk treatment measures are described in detail across more than 150 pages.

According to Control 6.1.3 of ISO 27001, organizations must compare their planned risk treatment measures with Table A.1 to verify that no necessary controls were omitted from their ISMS.

Organizations are not required to implement all of the controls as detailed in Annex A, but they are required to review every single control and to write down in a Statement of Applicability which of the controls are relevant and how they have been implemented. If a control is skipped, the organization must explain why.

Attention: Many of the security controls in version ISO 27002:2022 have been revised and consolidated. Please refer to the latest version of both standards for accurate information.

Preparing for ISO 27001 Compliance & Checklist

ISO 27001 certification is a lengthy process that should be well planned in advance. There are guidance materials available to help organizations prepare for ISO 27001 compliance.

However, considering that understanding the controls of the ISO 27001 framework is in itself no easy task and, furthermore, many companies tend to be blind to the shortcomings of their own internal processes (to put it nicely), it is advisable to engage the services of an external compliance consultant to help prepare for the audit.

The steps that need to be taken to implement an ISO-compliant information security management system depend largely on the initial state of an organization as well as the context it operates in. Listed below are some of the central points that need to be covered when preparing for ISO certification:

ISO 27001 Checklist

  • Define scope of information security management system (ISMS)

  • Summarize relevant safety standards and legal requirements

  • Perform and document a risk assessment

  • Establish information security policy

  • Compose statement on the applicability of risk treatment measures (Annex A)

  • Implement security controls

  • Regulate management responsibilities within departments

  • Plan for internal communication and training

  • Set targets for improving ISMS

  • Contact accredited certification body

ISO 27001 Audit

Certification to ISO 27001 can only be achieved through an accredited certification body (CB). Make sure you have completed preparations prior to hiring an external auditor to ensure a swift and seamless audit process.

Getting your company certified to ISO 27001 can take several weeks or even months, depending on the availability of your auditor and how complex your organization’s internal structure is – not to mention the work required beforehand for implementing the required risk treatment measures.

The actual ISO 27001 compliance audit consists of two stages: Stage 1 is known as the Document Audit or high-level audit, in which the auditor(s) will review the documents associated with the ISMS, such as the definition of scope, security guidelines, risk assessment and internal control description. While these documents can be evaluated remotely, a walk-through of the company’s premises is also intended to assess site-specific factors and risks.

If you have successfully completed stage 1, you can move on to stage 2 of the ISO 27001 certification process, which consists of a detailed, on-site audit. Ideally, this takes place no later than 6 months after stage 1 or you may have to repeat the initial audit. During this stage, the audit team will determine whether your ISMS is efficient and effective, or whether it only exists on paper. To do this, they will interview managers and staff members and evaluate in person what your company is doing to implement the risk measures.

ISO 27001 Certification Process

| Procedure | Details | Duration |
| --- | --- | --- |
| Preparation | Planning and implementation of necessary security measures and organizational processes | 3-9 months |
| Commission CB | Meet with different certification bodies, schedule audit | 1-2 weeks |
| Audit Stage 1 | Auditors review submitted ISMS documents remotely and/or on site | 1-2 days |
| Audit Stage 2 | Auditors assess effectiveness of ISMS on site | 1-2 weeks |
| Certification | Organization receives audit report with recommended improvements and ISO 27001 certificate (given the audit was successful) | After successful completion of stage 2 audit |
| Surveillance audit | Inspection of development of ISMS and whether it is still working as it should | Once a year after certification |
| Recertification | Small-scale audit to determine if new certificate should be issued | 3 years after certification |

ISO 27001: Nonconformities and Corrective Actions

Even if you have prepared rigorously for the audit, auditors might still discover deficiencies or nonconformities in your ISMS. This does not automatically mean that your organization has failed the audit. How nonconformities or potential corrective actions might affect your ISO 27001 certification process depends on their severity.

If the auditor discovers only minor nonconformities, your organization could still be recommended for certification, though you will have to address these issues to receive the certificate. The same applies if “opportunities for improvement” are found, where the auditor might request clarification regarding the current conditions and effectiveness of your management system. If, however, the findings fall into the category of “major nonconformities”, these will have to be rectified before your organization can be awarded the certificate. Certification bodies usually specify a certain time frame in which corrections have to be completed.

Remember that flaws, mistakes and corrective actions are a perfectly normal part of the certification journey. Information security is not a static goal, but an ongoing process that requires constant reviewing, adaptation and improvement. It is why ISO/IEC 27001 wants organizations to implement internal controls and to conduct self-audits.

As long as you demonstrate that you are committed to correcting any deficiencies, there should be nothing standing in the way of your organization and a successful certification. If an audit fails entirely or has to be aborted, it is usually a sign that there is more at work here than just some minor errors. In such cases, the issue is probably a combination of grave deficiencies as well as an unwillingness to address these problems.

ISO 27001 Controls

Companies and government agencies seeking to achieve ISO 27001 compliance have to tackle cybersecurity from all angles, including staff training, defining management responsibilities and generally ensuring the foundation and resources for a safe IT environment are provided for. While of course these general parameters are vital, the core of any IT security standard is the security controls it sets out, i.e. the specific actions an organization must undertake to guarantee that the company network and all its digital assets are sufficiently protected.

Organizations are free to determine the scope of their information security management systems themselves, which means it’s up to them to decide which controls need to be implemented to reach the three security objectives of integrity, availability and confidentiality. However, organizations are still required to fulfill a certain minimum standard, as outlined in Annex A of ISO 27001.

Since not every control is applicable to every organization, companies striving to achieve compliance are not required to implement all the controls listed in Annex A. For instance, it does not make sense for companies who do not develop their own applications to implement the controls related to secure software development.

However, even if not every control applies, an organization looking to certify to ISO 27001 is still required to go through every single control listed in Table A.1 (of ISO 27002) and describe in a Statement of Applicability (SOA) how each control was implemented or, if it was not implemented, give good reason as to why it was skipped.

As organizations evolve, so do their IT infrastructures and so do the requirements associated with their ISMS. It is a constant, fluid process. The Statement of Applicability must therefore be reviewed and updated regularly. A control that was skipped the first time round because it was not applicable at the time might become relevant a year or two later.

ISO 27001:2022 Update

There is a close link between Table A.1 and ISO 27002, as the first directly references the latter. While the previous version, ISO 27002:2013, was divided into 14 chapters, the 2022 update combines these chapters into just four main chapters: Organizational Controls, People Controls, Physical Controls and Technological Controls.

In the latest versions of ISO 27002 and 27001, many of the controls have been revised and merged, reducing the number of controls from 114 to 93.

Organizational Controls

With a total of 37 controls, the chapter on Organizational Controls constitutes the largest section of ISO 27002. It covers all aspects of information security that are controlled through policies, guidelines and managerial decisions. This includes setting up policies for information security, defining responsibilities (i.e. who is responsible for what assets, but also management responsibilities) as well as putting together an inventory of information and assets (including data and risk owners).

Organizational duties furthermore include making contact with authorities and special interest groups, compliance with other legal standards as well as appropriate handling of personally identifiable information (PII), proprietary information and important records. Organizations are further required to stay actively informed on the latest cybersecurity threats.

Another important section of the Organizational Controls chapter deals with access control, meaning access to digital resources. Organizations are required to define rules for who needs access to what data and how this access shall be granted. Furthermore, organizations must regulate how and when assets shall be returned and how and when access to any particular asset shall be revoked.

People Controls

All users have to pull their weight to ensure the company network remains secure. However, it is the company’s duty to make sure users have the necessary knowledge to do so. ISO 27002 therefore emphasizes the importance of raising awareness on information security among employees. Companies must teach their staff about security policies and provide them with educational materials and training.

The chapter on People Controls of ISO 27001 further stipulates that companies must have disciplinary policies in place that shall apply in the event of a violation. This also means there must be a clearly defined process in place which employees can use to report incidents as well as potential security vulnerabilities.

Companies that allow remote work must have remote work policies that outline where and when remote work is permitted and they must provide appropriately secured devices and equipment through which the corporate network may be accessed by their employees when working from home.

Physical Controls

The ISO specifications for physical controls essentially state that areas where sensitive data is held must be monitored and protected against unauthorized entry. Computers and other devices like storage media must be protected from unauthorized use, e.g. through clean desk and clean screen policies.

As availability is one of the security objectives of ISO 27001, companies are required to secure their physical IT infrastructure against physical environment threats like fires, floods and storms.

Technological Controls

With 34 controls, the chapter on technological controls makes for another enormous chunk of ISO 27002. Topics covered include securing user endpoint devices, data encryption and authentication. Each control defines a core objective and provides guidance on how to achieve it.

Chapter 8.7, for example, addresses the topic of malware protection. The objective that is set out here is that data and information assets must be protected against malware attacks. The text makes it clear, however, that the installation of antivirus software alone does not provide enough protection against malware.

Further controls include the blocking of suspicious websites and attachments, application whitelisting, blocking of unknown programs, isolation of critical systems, and maintaining active threat management, including research into new threats. Which of these measures are applicable in each case depends on the risk analysis and the scope of the ISMS.

Other relevant technical security aspects include multi-factor authentication, privileged access rights, monitoring of user activities, data backups, secure disposal of storage media, and many more.

Achieving ISO 27001 Compliance with Access Management

When implementing an ISO-compliant information security management system, the primary objective is to create a foundation for protecting IT systems and for handling data securely. To accomplish this, organizations have to answer some basic questions: What controls need to be implemented and who is responsible for implementing them? What resources are available and accessible in the corporate network and who needs to access them?

To secure company data and digital resources, you have to know exactly what information assets there are and which users need access to them to do their jobs. Achieving ISO 27001 compliance therefore goes hand in hand with having a good and solid identity and access management strategy in place. In the following, we will look more closely at the exact requirements ISO 27001 sets out in terms of access management and explore how tenfold has you covered.

ISO 27001 Controls – Overview

5.15 Access Control

Objective: Define rules for access to IT assets that meet business and security requirements and incorporate best practices, such as segregation of duties, least privilege access and user access reviews.

Solution in tenfold: The use of role-based access control in tenfold ensures that privileges are assigned automatically on the basis of pre-defined default rights. The software is able to automatically derive permission profiles from existing access rights and organizational units (role mining).

tenfold regularly prompts data owners to review and recertify access to assets they are responsible for.

5.16 Identity Management

Objective: Manage life cycles of user accounts to ensure access rights are never outdated or incorrect.

Solution in tenfold: In tenfold, user life cycle processes are automated, so users always have the exact privileges they need to do their jobs.

User provisioning and removal of access rights as well as account deactivation are all centrally controlled processes in tenfold. Any changes are automatically communicated to the connected target systems.

5.17 Credentials

Objective: Secure storage and transmission of credentials to prevent unauthorized logins.

Solution in tenfold: tenfold uses secure one-time passwords for initial access. After logging in, users must replace one-time passwords with their own secure passwords.

Through tenfold’s self-service interface, users can reset their own password in any service connected to tenfold, assuming they can verify their identity. This greatly reduces the number of helpdesk tickets admins receive.

For added security, we recommend using tenfold in combination with a password manager.

5.18 Access Rights

Objective: Make processes like assigning, adapting and deleting access rights comply with the requirements of the security policy and document these processes accordingly.

Solution in tenfold: You can appoint data owners who can then decide who should get access to the assets they are responsible for and who should not. Data owners are prompted regularly to review the access rights they have approved and to either reapprove or revoke them.

tenfold also allows you to grant temporary access rights, which are automatically revoked after a customizable time period. tenfold also tracks changes and logs all processes, from request to approval.

8.2 PAM

Objective: Restrict the use of privileged user accounts.

Solution in tenfold: tenfold’s main purpose is to restrict user privileges to a necessary minimum to ensure users only have the permissions and access to assets they really need to do their jobs.

tenfold does not, however, cover advanced security requirements for admin accounts. For this, you need a separate solution for privileged access management (PAM), which you can use in combination with tenfold.

8.3 Information Access

Objective: Restrict access to information and control which user groups have access to what data.

Solution in tenfold: tenfold uses roles to provide transparency on which user groups have access to what information. Individual rights (which are often forgotten) are highlighted in tenfold to make sure they are not overlooked.

tenfold further provides detailed reports that give you an instant overview of who (user, user group) had or has access to what data. It also keeps auditable records of any changes made to permissions.

8.4 Access to Source Code

Objective: Control read and write access to source code, development tools and software libraries.

Solution in tenfold: Controlling access to software development resources in tenfold is just as simple as controlling access to any other resource within the company network.

Users can request access to assets themselves using an integrated self-service platform. Alternatively, tenfold assigns rights automatically via permission groups. Thanks to these options, tenfold can tell you in an instant who has access to sensitive data like source code.

8.5 Secure Authentication

Objective: Implement secure authentication mechanisms to identify users.

Solution in tenfold: For its own login, tenfold provides secure, multi-factor authentication (MFA) on the basis of smartphone tokens.

tenfold also allows you to integrate any existing authentication methods used by connected services, such as MFA for Windows through the Microsoft Authenticator app. However, tenfold does not allow you to add MFA to any systems which do not already support it.

The controls outlined above specifically address the sections of ISO 27002 that deal with identity & access management. However, considering that user accounts and access rights form the basis of most IT systems, having an adequate access management strategy is of course also relevant to many other controls, including compliance with regulatory standards (5.31), privacy and protection of personal information (5.34), and logging of events (8.15).

tenfold: Information Security & Efficient Management

To get ISO 27001 certified, organizations must demonstrate that their IT foundation is good and solid. Besides implementing certain controls, this requires knowing what information assets there are and who has or needs access to them on a daily basis.

Without an identity and access management solution, it is impossible for companies that employ hundreds of users to manage access to IT systems and applications in a way that saves resources and is secure and effective at the same time. The IAM solution tenfold will significantly boost data security and admin productivity in your organization and also make it easier to achieve compliance with different security regulations.

tenfold is perfectly tailored to meet the needs of midmarket organizations, as it comes with a large range of features, flexible interfaces and yet is still quick and easy to deploy. Learn more about tenfold’s advantages, watch our product demo or sign up for a free trial.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.