ISO 27001:2013 is an international standard that lays out requirements and best practices for how organizations should manage information security. It specifies how a company should manage information security risk by establishing an information security management system (ISMS). This approach demands executive leadership while embedding information security at every organizational level. The standard is voluntary, but organizations that follow it can seek ISO 27001 certification.
ISO 27001 was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was originally released in 2005 and revised in 2013, hence its full title: ISO/IEC 27001:2013. (The standard was revised again in October 2022 as ISO/IEC 27001:2022, which reorganizes Annex A into 93 controls under four themes; the clause and control numbering in this article refers to the 2013 edition.)
For companies that earn ISO 27001 certification, it’s a sign of their commitment to data security. But even companies not seeking certification should pay attention to ISO 27001’s lessons.
What Is ISO 27001?
Essentially, all the guidelines in ISO 27001 add up to one thing: a guide for creating an ISMS. An ISMS describes the structures an organization has in place to manage data, including technology, physical security, personnel policies, and organizational hierarchy that delegates responsibility for these issues.
Why ISO/IEC 27001:2013 Matters
ISO 27001:2013 certification is an important thing to look for in any cybersecurity partner because it indicates an organization-wide commitment to security. Working with such a partner can benefit your own organization's security. As Clause 6 recognizes, sometimes the most effective way to treat an information security risk is to avoid it altogether or to share it with a third party that is better placed to manage it. Sharing a risk does not transfer accountability for it, however, so the partner's own controls matter.
For example, by choosing an identity and access management (IAM) partner to manage your user passwords, you offload some risk by not storing sensitive data on your own servers. And using an ISO 27001-certified IAM provider (as Auth0 has done since 2018) sends a message to your own users and partners that your data is secure.
ISO 27001 is also the cornerstone of a growing international consensus about information security best practices. Australia based its federal Digital Security Policy on ISO 27001. Likewise, ISO 27001 can provide guidance on how to meet the requirements of data protection laws such as the GDPR: Article 32 of the GDPR requires "appropriate technical and organisational measures" without prescribing which ones, and an ISMS built on ISO 27001 is a widely accepted way to demonstrate such measures. So if you abide by ISO 27001's recommendations, you're on the right track for legal compliance (although certification is not by itself proof of compliance with any particular law), not to mention improved data security.
ISO 27001 certification
The bar for ISO 27001 certification is high. It requires intensive documentation, including a detailed risk assessment, records of internal training, internal audits, management review, and documentation of the relevant controls from Annex A. In addition, organizations that want to be certified must have their ISMS audited by an accredited certification body. Certification runs on a three-year cycle: an initial two-stage audit, annual surveillance audits, and a full recertification audit before the certificate expires.
Because ISO 27001 certification is so demanding, only a minority of companies actually undertake the certification process. Despite that, businesses of all sizes and industries should be aware of ISO 27001. It's valuable both as a source of guidance for their own information security policies and as a way to judge potential data security partners.
An Overview of ISO 27001:2013
ISO 27001 is divided into two parts: the main body of clauses and the Annex A controls. Clauses 0 through 3 are introductory (scope, normative references, and terms). Clauses 4 through 10 state the mandatory requirements for an ISMS: understanding the organization's context, leadership, planning, support, operation, performance evaluation, and improvement. Taken together, they put particular emphasis on information security leadership from the highest levels of an organization.
Anyone who wants to read the ISO 27001:2013 standard in full must purchase a copy, but here we’ll provide an overview of what the standard contains.
ISO 27001 Clause 6: Risk Assessment
Clause 6 (Planning) is especially important because it outlines how organizations should conduct a risk assessment to identify and analyze potential threats to their information security, and how they should then treat the risks they find.
The fundamental questions in a risk assessment are:
- What data does the organization maintain?
- What are the potential consequences if that data were compromised, breached, tampered with, or lost?
- What are the information security risks, and what is the likelihood of them materializing?
- Who in the organization is responsible for managing these risks?
ISO Consultant Kuwait emphasizes how important it is to be as specific as possible when identifying risk scenarios and to identify the potential event, its cause, and its effects. They give the example of a hacker gaining access to internal systems via a brute-force attack (event), which was possible because the company doesn't require strong passwords or use brute-force protection (cause). The attack leads to a governmental investigation and damages the company's reputation (effect).
Once an organization has answered these questions, it can choose from several "risk treatment" options for each risk:
- Eliminate (avoid) the risk, either by eliminating the data or by stopping the activity that puts the data at risk.
- Share the risk by outsourcing to a third party or through insurance.
- Accept the risk after concluding that the threat is highly unlikely, the consequences would be minimal, or the costs of changes outweigh the potential benefits.
- Control (modify) the risk by applying controls that reduce its likelihood or its impact.
Clause 6.1.3 then requires a risk treatment plan, a Statement of Applicability that lists which Annex A controls apply and why, and the risk owners' explicit approval of the plan and acceptance of the residual risk.
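To make the "control the risk" option concrete for the brute-force scenario described above, here is an added example written for this article; it is not code from the standard, from the consultant cited, or from any Auth0 product. It implements the two controls whose absence was named as the cause: a password policy check backed by a constructed common-password denylist, and a failed-login throttle that locks both the targeted account and the attacking source after an assumed five failures within fifteen minutes. The thresholds, the denylist, the class names, and the sample credentials are all assumptions.

```python
"""Added example: controlling the brute-force risk described above.

Illustrative code written for this article, not taken from ISO 27001 or
from any product. Two controls address the stated cause (no password
policy, no brute-force protection): a password policy check and a
failed-login throttle keyed on both the account and the source IP.
The thresholds and the denylist are constructed assumptions.
"""
from collections import defaultdict
import hashlib
import hmac
import secrets

# Constructed stand-in for a breached/common-password feed.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumed policy minimum
DUMMY_SALT = b"\x00" * 16  # unknown users are hashed too, so timing does not reveal them


def password_policy_violations(password):
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    return problems


class LoginThrottle:
    """Counts failures per key in a sliding window and locks the key on the Nth failure."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Record a failed attempt; return True if this one triggered a lockout."""
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            self._failures[key] = []
            return True
        self._failures[key] = recent
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


class AuthService:
    """Minimal credential store with both controls applied (illustrative only)."""

    ITERATIONS = 100_000  # PBKDF2 work factor; tune for the deployment

    def __init__(self):
        self._store = {}  # username -> (salt, pbkdf2 hash)
        self.throttle = LoginThrottle()

    @classmethod
    def _hash(cls, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, username, password):
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self._store[username] = (salt, self._hash(salt, password))

    def login(self, username, password, source_ip, now):
        """Return 'ok', 'denied' or 'locked'. Account and source are throttled independently."""
        keys = ("user:" + username, "ip:" + source_ip)
        if any(self.throttle.is_locked(k, now) for k in keys):
            return "locked"  # no credential check while locked, so guesses learn nothing
        salt, stored = self._store.get(username, (DUMMY_SALT, b""))
        # Hash even for unknown users to keep timing uniform; compare_digest avoids timing leaks.
        if hmac.compare_digest(self._hash(salt, password), stored):
            for k in keys:
                self.throttle.record_success(k)
            return "ok"
        for k in keys:
            self.throttle.record_failure(k, now)
        return "denied"
```

Throttling only the account lets an attacker lock legitimate users out on purpose, and throttling only the source IP is evaded by a distributed attack, which is why the example keys on both. In a real deployment the lockout events would also be logged and alerted on, which is where the Annex A.12 logging controls and the A.16 incident process pick up.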
ISO 27001 Controls
Annex A forms the bulk of ISO 27001, and it deals with the risk controls organizations can implement, based on the results of their risk assessment. ISO 27001:2013 lists 114 controls, divided into 14 categories.
Annex A.5: Information Security Policies
This annex mandates a written set of information security policies, approved by management, published, and communicated to employees and relevant external parties. These policies set the direction for the controls in the rest of the annex. They must be reviewed at planned intervals or whenever an internal or external change would affect information security.
Annex A.6 Organization of Information Security
The first part of Annex A.6 concerns the internal organization: defining information security roles and responsibilities, segregating conflicting duties, maintaining contact with authorities and special interest groups, and addressing information security in project management. The second part specifically concerns maintaining security on mobile devices and for teleworking.
Annex A.7: Human Resource Security
This section concerns ensuring that employees and contractors understand and are capable of fulfilling their obligations to data security, starting from before they are hired and ending with the off-boarding procedure.
Annex A.8: Asset Management
As the name indicates, this annex requires organizations to inventory their information assets, assign each an owner, classify them according to the level of protection they require, and handle storage media in line with that classification.
Annex A.9: Access Control
Annex A.9 concerns a crucial element of any ISMS: controlling access to information. It's divided into four sections, which outline the responsibilities of organizations to define access control requirements, provision and deprovision users, and implement secure login procedures and application access controls, as well as the responsibility of individuals to respect the organization's authentication policies.
Annex A.10: Cryptography
This section concerns a policy on the proper use of cryptographic controls and the management of cryptographic keys throughout their lifecycle.
Annex A.11: Physical and Environmental Security
This is the longest section, with 15 individual controls, all of which deal with policies that protect an organization’s physical premises and the equipment in which it stores information.
Annex A.12: Operations Security
Annex A.12 includes best practices for ensuring data protection and integrity, from conducting data backups to malware prevention to maintaining internal logs.
Annex A.13: Communications Security
There are two sections to this annex. The first deals with network security management, including network segregation and the security of network services. The second addresses information transfer: the policies, agreements, and protections that apply when information leaves the organization or moves between systems.
Annex A.14: System Acquisition, Development, and Maintenance
This section mandates that information systems be analyzed with regard to their impact on security throughout their existence. It deals with the development, testing, implementation, and updates of information systems.
Annex A.15: Supplier Relationships
Unsurprisingly, this section concerns maintaining data security with third-party suppliers and maintaining an agreed-upon level of security.
Annex A.16: Information Security Incident Management
In this annex, organizations determine how they will manage security incidents. This includes assigning responsibilities for reporting events and observed weaknesses, assessing whether they constitute incidents, responding to them, collecting evidence, and learning from what happened.
Annex A.17: Information Security Aspects of Business Continuity Management
Annex A.17 illustrates a bedrock principle of ISO 27001: that information security be directly tied to business outcomes at all levels. This section is devoted to minimizing business disruption by including information security in a business continuity management system.
Annex A.18: Compliance
Here, organizations must identify their legal and regulatory obligations to incorporate them into their ISMS.
ISO 27001:2013 Creates Trust for Businesses and Their Partners
In a world in which data security is crucial, it can be hard to know where to begin getting your business’s house in order and equally hard to know whom to trust with your organization’s data. ISO 27001 simplifies this process by providing guidance anyone can follow, as well as a standard few can reach. For more information, please reach out to the team at Auth0.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Adam Nunn
Sr. Director of Governance, Risk, and Compliance