What is ISO 27001?

22 June 2024

ISO 27001 is a standard that sets out the rules and principles needed to identify and manage information security risks. It provides a structure for organizations to establish, implement, maintain, and continually improve their information security management systems (ISMS). The latest version of the “ISO/IEC 27001 Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems – Requirements” standard was published in 2022. Because ISO 27001 specifies the fundamental requirements of an information security management system, it is a holistic framework that organizations of all sizes and sectors can implement.

ISO 27001:2022 Standard Clauses

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

Revisions in the ISO 27001 Management System

The core part of the standard consists of 11 clauses, and the changes within this part are minor. Some of these changes can be summarized as follows:

  • Restructuring of the numbering
  • Requirement to define processes and their interactions necessary for implementing the ISMS
  • Clear requirement for communicating information security-related roles within the organization
  • New clause 6.3 – Planning of changes
  • A new requirement as part of clause 7.4 for determining how the organization will communicate
  • New requirements for establishing criteria for operational processes and controlling these processes

At first glance, the changes in Annex A seem substantial; the number of controls has been reduced from 114 to 93, and they have been organized into just four sections compared to the 14 sections in the 2013 revision. However, upon closer inspection, the changes in Annex A are moderate. There are sections with modified content as well as some sections that have been renamed or newly added.

Changes in the Main Clauses of ISO 27001:2022

  • A new sub-clause (c) has been added to clause 4.2, requiring the analysis of which needs and expectations of interested parties must be addressed through the ISMS.
  • An expression has been added to clause 4.4, requiring the planning of processes and their interactions within the scope of the ISMS.
  • A statement has been added to clause 5.3 to clarify that the roles must be communicated internally within the organization.
  • Sub-clause (d) has been added to clause 6.2, requiring the monitoring of information security objectives.
  • Clause 6.3 has been added, stating that any changes to the ISMS must be planned.
  • Sub-clause (e) in clause 7.4, which required the setting of processes for communication, has been removed.
  • New requirements have been added to clause 8.1 for establishing criteria for security processes and implementing these processes according to the criteria. The requirement for implementing plans to achieve objectives has also been removed from the same clause.
  • New sub-clause 9.3.2 (c) has been added to clause 9.3, explaining that inputs from interested parties should relate to their needs and expectations and to the ISMS.
  • The sub-clauses in clause 10 have been restructured, with the first sub-clause now being Continual improvement (10.1) and the second being Nonconformity and corrective action (10.2), with the text remaining unchanged.

Revisions in Annex A Security Controls of ISO 27001

Several controls have been deleted, 24 controls have been merged, and 58 controls have been revised. Additionally, 11 security controls have been newly added to address the evolving information security and cybersecurity environment. These new controls are:

  • A.5.7 Threat intelligence
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

The Meaning and Expansion of TS EN ISO 27001

  • ISO: Represents the International Organization for Standardization, which publishes globally accepted standards.
  • 27001: The name given to the Quality Management Standard by the International Organization for Standardization (ISO).
  • TS: The abbreviation for Turkish Standard.
  • EN: The abbreviation for European Norm.

This standard, defined and published by ISO, sets the framework that all organizations worldwide must follow to establish an information security management system (ISMS). In Turkey, audits are conducted by TSE.

Every 8 years, the system is revised, and the date is updated, with necessary revisions being approved by ISO for a duration of 5 years.

Scope of ISO 27001 Information Security Management System

The information security management system aims to manage information/data security, ensure uninterrupted workflow, and develop a security risk analysis approach based on the employee profiles within the company.

Organizations can obtain the ISO 27001 Certificate, which is structured in line with ISO’s other management system standards, by applying to accredited certification bodies. The certification procedure involves several steps beyond the application itself.

The Importance of the ISO 27001 Certificate

The Information Security Management System provides methods for protecting and securely storing information and ensures that these methods are audited. ISO audits are crucial for identifying and managing vulnerabilities against any type of cyber threat or attack, for both service providers and service recipients, so that outcomes are as safe and continuous as possible. Because of its universal approach, ISO 27001 is recognized worldwide, and organizations certified against the standard are assessed against this common benchmark.

What is ISO 27001 SOA?

SOA, or Statement of Applicability, includes information on which security measures from Annex A of ISO 27001 (and hence ISO 27002) are applied, why they were chosen, and what topics are excluded. Although the ISO 27001 Standard does not explicitly define this process, the SOA provides detailed explanations on establishing meaningful connections between existing controls and their control documents/descriptions and identifying the sources of requirements for selected controls.

SOA/Statement of Applicability is a central and mandatory part of the ISO 27001 Information Security Management System (ISMS) Standard. It is the result of numerous activities defined during the planning phase of ISO 27001.

Who Should Obtain the ISO 27001 Certificate and What Are Its Benefits?

Organizations operating in the IT and defense industries are subject to ISO 27001 audits. Those providing services or producing goods in these fields must obtain the necessary documents and establish a secure system. Ensuring and maintaining information security in the long term is of paramount importance for ISO 27001 auditing and certification. Holding the ISO 27001 Certificate is a significant requirement for managing a system, ensuring its reliability, and being a preferred choice for service and product recipients.

How to Obtain the ISO 27001 Certificate?

Organizations must assess their information systems and establish an ISMS; identifying risk factors is the most critical step. In this context, closing gaps, reporting, auditing, scoring risks, and developing new instructions and procedures based on those scores are necessary. Authorities and responsibilities must be clearly defined and implemented within the system, the systems specified in the standard must be applied, and once no deficiencies remain, an application can be made.

Certification bodies, along with auditors, conduct the process for applicants who have completed the necessary requirements and issue the certificate for successful applications. However, the certificate is not perpetual, and certified systems are re-audited annually.

How Long is the ISO 27001 Certificate Valid?

The ISO 27001 Certificate is valid for 3 years, and reapplication is necessary for renewal. Certified organizations are subject to annual audits. These audits check for compliance with the standard and ensure information security is maintained. Claims that audits compromise information security or violate confidentiality principles are contrary to the essence of the audit and are unfounded. On the contrary, this process ensures the secure storage of data, its existence, and the reliability of the current system through regular audits.


Atalay Keleştemur

Atalay Keleştemur is a cybersecurity professional and leader. He holds certifications such as CASP+, Pentest+, CPTE, CSWAE, CPEH and ISO/IEC 27001 LA. His areas of expertise include Linux security, penetration testing, secure software development, malware removal and computer forensics. He has served as Program Manager of AlmaLinux OS, a community-driven open-source Linux operating system. In addition to his work in cybersecurity, he has contributed to IT and cybersecurity magazines. He most recently served as Editor-in-Chief of Cloud7 and T3 magazines, and previously as Editor-in-Chief of BYTE magazine. He has also worked as a software editor at PC World. He has been actively producing content for the technology sector since 1996. He has written articles for respected publications such as PC Net, IT Pro, Computer World, PC Life, CyberMag, h4cktimes and CIO. He is also the author of books including Pardus 2011, Ubuntu, Windows 8 and Siber İstihbarat.