Big guide to ISO 27001 clauses — How is this standard structured?

Overall structure of ISO 27001

In general, the standard has three types of clauses:

• Clauses 0 to 3 of the main part of the standard are clauses that describe the standard itself, so they are not mandatory for the implementation.
• Clauses 4 to 10 of the main part of the standard are mandatory, because they set the requirements for an Information Security Management System (ISMS).
• Annex A contains 93 safeguards, or “controls” as they are called in the standard, that should be considered when designing the ISMS. Controls are grouped into four sections.

Non-mandatory clauses of ISO 27001

The following are the clauses that do not need to be implemented by companies that want to become compliant with this standard:

• 0 Introduction — The introductory clause gives a general overview of the standard and its purpose, and explains its compatibility with other ISO standards.
• 1 Scope — It defines the scope of the standard, pointing out that this standard is applicable to all types of organizations.
• 2 Normative references — The second clause, Normative references, and the third clause, Terms and definitions, both refer to ISO 27000 as a standard where information security terms and definitions are given.
• 3 Terms and definitions — Explains the main terminology.

Mandatory clauses of ISO 27001 and their sub-clauses

The following clauses and sub-clauses must be implemented by companies that want to become fully compliant with ISO 27001.

Clause 4 – Context of the organization — It requires understanding external and internal issues, interested parties and their requirements, and also defining the ISMS scope:

• Clause 4.1 – Understanding the organization and its context
• Clause 4.2 – Understanding the needs and expectations of interested parties
• Clause 4.3 – Determining the scope of the information security management system
• Clause 4.4 – Information security management system

Clause 5 – Leadership — This section defines top management responsibilities, sets the general roles and responsibilities for the ISMS, and defines the contents of the top-level Information Security Policy:

• Clause 5.1 – Leadership and commitment
• Clause 5.2 – Policy
• Clause 5.3 – Organizational roles, responsibilities and authorities

Clause 6 – Planning — It defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives:

• Clause 6.1 – Actions to address risks and opportunities
• Clause 6.2 – Information security objectives and planning to achieve them
• Clause 6.3 – Planning of changes

Clause 7 – Support — This clause defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records:

• Clause 7.1 – Resources
• Clause 7.2 – Competence
• Clause 7.3 – Awareness
• Clause 7.4 – Communication
• Clause 7.5 – Documented information

Clause 8 – Operation — It defines the requirement for regular re-assessment and treatment of risks, as well as the implementation of controls and other processes needed to protect the information:

• Clause 8.1 – Operational planning and control
• Clause 8.2 – Information security risk assessment
• Clause 8.3 – Information security risk treatment

Clause 9 – Performance evaluation — This clause defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review:

• Clause 9.1 – Monitoring, measurement, analysis and evaluation
• Clause 9.2 – Internal audit
• Clause 9.3 – Management review

Clause 10 – Improvement — This clause defines requirements for nonconformities, corrections, corrective actions, and continual improvement:

• Clause 10.1 – Continual improvement
• Clause 10.2 – Nonconformity and corrective action

Annex A structure and controls

ISO 27001 Annex A is structured in four sections, and has a total of 93 controls from which companies can choose the controls that are applicable to them.

A.5 – Organizational controls — this section describes 37 controls that are mainly about information security governance:

• Control 5.1 – Policies for information security
• Control 5.2 – Information security roles and responsibilities
• Control 5.3 – Segregation of duties
• Control 5.4 – Management responsibilities
• Control 5.5 – Contact with authorities
• Control 5.6 – Contact with special interest groups
• Control 5.7 – Threat intelligence
• Control 5.8 – Information security in project management
• Control 5.9 – Inventory of information and other associated assets
• Control 5.10 – Acceptable use of information and other associated assets
• Control 5.11 – Return of assets
• Control 5.12 – Classification of information
• Control 5.13 – Labelling of information
• Control 5.14 – Information transfer
• Control 5.15 – Access control
• Control 5.16 – Identity management
• Control 5.17 – Authentication information
• Control 5.18 – Access rights
• Control 5.19 – Information security in supplier relationships
• Control 5.20 – Addressing information security within supplier agreements
• Control 5.21 – Managing information security in the ICT supply chain
• Control 5.22 – Monitoring, review and change management of supplier service
• Control 5.23 – Information security for use of cloud services
• Control 5.24 – Information security incident management planning and preparation
• Control 5.25 – Assessment and decision on information security events
• Control 5.26 – Response to information security incidents
• Control 5.27 – Learning from information security incidents
• Control 5.28 – Collection of evidence
• Control 5.29 – Information security during disruption
• Control 5.30 – ICT readiness for business continuity
• Control 5.31 – Legal, statutory, regulatory and contractual requirements
• Control 5.32 – Intellectual property rights
• Control 5.33 – Protection of records
• Control 5.34 – Privacy and protection of PII
• Control 5.35 – Independent review of information security
• Control 5.36 – Compliance with policies, rules and standards for information security
• Control 5.37 – Documented operating procedures

A.6 – People controls — this section describes eight controls related to secure management of human resources:

• Control 6.1 Screening
• Control 6.2 – Terms and conditions of employment
• Control 6.3 – Information security awareness, education and training
• Control 6.4 – Disciplinary process
• Control 6.5 – Responsibilities after termination or change of employment
• Control 6.6 – Confidentiality or non-disclosure agreements
• Control 6.7 – Remote working
• Control 6.8 – Information security event reporting

A.7 – Physical controls — this section describes 14 controls related to protection of the physical environment that can influence the security of information:

• Control 7.1 – Physical security perimeters
• Control 7.2 – Physical entry
• Control 7.3 – Securing offices, rooms and facilities
• Control 7.4 – Physical security monitoring
• Control 7.5 – Protecting against physical and environmental threats
• Control 7.6 – Working in secure areas
• Control 7.7 – Clear desk and clear screen
• Control 7.8 – Equipment siting and protection
• Control 7.9 – Security of assets off-premises
• Control 7.10 – Storage media
• Control 7.11 – Supporting utilities
• Control 7.12 – Cabling security
• Control 7.13 – Equipment maintenance
• Control 7.14 – Secure disposal or re-use of equipment

A.8 – Technological controls — this section describes 34 controls that are mainly related to the security of IT:

• Control 8.1 – User endpoint devices
• Control 8.2 – Privileged access rights
• Control 8.3 – Information access restriction
• Control 8.4 – Access to source code
• Control 8.5 – Secure authentication
• Control 8.6 – Capacity management
• Control 8.7 – Protection against malware
• Control 8.8 – Management of technical vulnerabilities
• Control 8.9 – Configuration management
• Control 8.10 – Information deletion
• Control 8.11 – Data masking
• Control 8.12 – Data leakage prevention
• Control 8.13 – Information backup
• Control 8.14 – Redundancy of information processing facilities
• Control 8.15 – Logging
• Control 8.16 – Monitoring activities
• Control 8.17 – Clock synchronization
• Control 8.18 – Use of privileged utility programs
• Control 8.19 – Installation of software on operational systems
• Control 8.20 – Networks security
• Control 8.21 – Security of network services
• Control 8.22 – Segregation of networks
• Control 8.23 – Web filtering
• Control 8.24 – Use of cryptography
• Control 8.25 – Secure development life cycle
• Control 8.26 – Application security requirements
• Control 8.27 – Secure system architecture and engineering principles
• Control 8.28 – Secure coding
• Control 8.29 – Security testing in development and acceptance
• Control 8.30 – Outsourced development
• Control 8.31 – Separation of development, test and production environments
• Control 8.32 – Change management
• Control 8.33 – Test information
• Control 8.34 – Protection of information systems during audit testing