Simply put, ISO 27001 is an international standard on how to manage information security for organizations. It includes requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The goal of an ISMS is to secure digital information that an organization may hold, such as financial information, intellectual property, employee details or information entrusted by third parties.
The full name of the standard is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.” It is the result of a partnership between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Information security is a large component of cyber security for businesses and organizations. Data breaches and ransomware attacks are one of the most common and costly types of cyber attacks. ISO 27001 provides a set of standards to govern this aspect of cyber security within your own business and for your suppliers.
The standard consists of 114 controls structured into 14 groups or “domains”. “Controls,” or safeguards, are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.
The 14 groups are listed below, and a further description of each can be found at the end of this article.
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security – 6 controls that are applied before, during, or after employment
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
ISO 27001 and Penetration Testing
In particular, section A.12.6 focuses on technical vulnerability management as it relates to operation security. An ISO auditor will expect to see that there is a regular and defined process for identifying, detecting and remediating these vulnerabilities. A great solution to achieve A12.6 requirements is to perform annual Vulnerability Assessments and Penetration Testing.
Penetration testing is the process of identifying security gaps and issues in your IT infrastructure by emulating the tactics, techniques and procedures of a real world attacker.
A penetration test, also referred to as a “pen test,” is a simulated cyber attack against your network, computers, systems or applications. A penetration test will emulate attacks from real-world threats and hackers. The benefit of a penetration test is to provide insights of any vulnerabilities that currently exist within your digital footprint.
A Nivee Penetration Test will come with a detailed report outlining everything that is within the scope of the penetration test. This will include all vulnerabilities found categorized by severity. Recommendations will be included in the report on remediation strategies to improve your vulnerability management. This report will provide you with a better understanding of your operational security and get you one step closer to ISO 27001 compliance.
Additional Description of the 14 Control Groups:
A.5. Information security policies: The controls in this section describe how to handle information security policies.
A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.
A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and make precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.
A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.