ISO 27001 isn't a security benchmark.

Show Notes:

Sponsor: and

Contact Me:

Twitter: @justinfimlaid

ISO 27001 Background
ISO 27001 is increasing in popularity mostly stemming from the exposure created by assessing the security posture of vendors and vendors trying to prove they are good data custodians.  The problem, at least in the US, is most people confuse ISO 27001 as a compliance standard when in fact it's a mechanism to build your security program.

I met with a my buddy Todd last week whom is a security analyst at mid-size manufacturing company. While none of their information is considered “regulated” or “industry sensitive”, it would still suck if they lost it. So his organization choose ISO 27001 as their security framework.  We chatted about why he's struggling with ISO 27001 adoption within their organization.  Here's his deal – he was trying to use the ISO 27001 Annex A controls and trying to implement all the ISO 27002 controls and was getting frustrated with the process.

Here’s the deal ISO 27001 is not intended to be a compliance framework like PCI or HIPAA, rather it’s an information security management system – hence why ISO 27001 is commonly referred to as an ISMS.  In the simplistic terms ISO 27001 is a management framework that guides you through designing a custom built security program with custom security controls right sized for your organization.

So here’s how ISO 27001 breaks down, ISO 27001 has 10 clauses, plus an Annex — Annex A.  Annex A holds the core ISO 27001 security controls.  The 10 clauses include the body of ISO 27001 mechanics, mostly how to construct the ISMS.
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives

Within those 10 Clauses – there is mandatory things that need to be completed:
From Advisera, Dejan Kosutic seems to do a nice job with ISO 27001. Here are the documents you need to produce if you want to be compliant with ISO 27001.  Annex A documents are only required if there's a risk that requires their implementation.

Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 e and 6.2)
Risk assessment report (clause 8.2)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And here are the mandatory records:

Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)