The main requirements are found in clauses 4 through 10. Below is a summary of each:
Clause 4 – Context of the organization
Implementing an Information Security Management System successfully requires an understanding of the context of the organization. External and internal issues, together with the needs of interested parties, need to be identified and addressed. Typical requirements include:
- regulatory issues
- strategic direction
- internal capabilities
Given the context, the organization must define the scope of the ISMS.
Clause 5 – Leadership
The requirements of ISO 27001 for leadership are many and varied. The commitment of upper management is mandatory and essential. The ISMS objectives must be developed in concert with the strategic direction and objectives of the organization. Management must provide the necessary resources, as well as support personnel in carrying out their responsibilities within the ISMS.
In addition, upper management must establish a top-level policy for information security. These policy statements need to be documented and communicated within the organization and to all interested parties.
Roles and responsibilities need to be assigned, to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.
Clause 6 – Planning
Risks and opportunities should be accounted for during planning. A risk assessment for an ISMS provides a foundation on which to build. Objectives from the risk assessment must be aligned with the company's overall objectives, and need to be adopted within the company. The objectives provide the security goals to work toward. From the risk assessment and the security objectives, a risk treatment plan is derived using the controls in Annex A.
Clause 7 – Support
The key areas for support include:
- competence of employees,
Information needs to be documented, created, and updated, as well as controlled. A series of documentation, including a communications plan, must be maintained in order to support the success of the ISMS.
Clause 8 – Operation
Processes used to implement information security are the wheels of the ISMS. These processes must be planned, implemented, and controlled. The risk assessment and objectives have to be put into action.
Clause 9 – Performance evaluation
The requirements of the ISO 27001 standard necessitate monitoring, measurement, analysis, and evaluation of the Information Security Management System. Key performance indicators must be created and monitored. Internal audits are conducted on a regular and scheduled basis to check the success of the implementation. Upper management needs to review the organization's ISMS and ISO 27001 KPIs frequently at first, then on a scheduled basis.
Clause 10 – Improvement
After evaluation, improvement follows. During an audit, nonconformities are documented. They then need to be addressed through an action plan that results in their elimination. A process for continual improvement should be documented and implemented. The traditional PDCA (Plan-Do-Check-Act) cycle is recommended. It provides a solid structure and fulfills the requirements of ISO 27001.
Annex A – Information security controls reference
This Annex provides a list of 93 controls that can be implemented to decrease risks and comply with security requirements from interested parties. The controls selected for implementation must be designated in the Statement of Applicability.