
ISO 27001 – 10 key requirements

Information security and its management have become a trending topic, and for good reason: information security is a significant part of the quality of an organisation’s operations.

Download our printable ISO 27001 – 10 key requirements infographic, which shows the key requirements of the standard for establishing, implementing, maintaining and continually improving an information security management system.

Ensuring information security means ensuring the confidentiality, integrity and availability of information. It is important that all parts of the organisation, both technical and physical, work together in an information-secure way. People’s share of cyber security must not be forgotten, as the operating culture plays a key role in successful information security. In order to ensure information security, the cyber business environment, i.e. electronic information systems and services (which also includes the protection of physical structures), needs to be protected. [1]

The key requirements of the standard

An organisation that implements the ISO 27001 standard has to establish an information security management system, and maintain and continually improve it as required. [2]

For this purpose, a management structure must be created within which information security is implemented and managed. In practice, this means an internal information security team that takes care of information security issues. Top management’s task is to ensure that the important roles, responsibilities and authorities related to information security are defined and communicated. The persons responsible must ensure the conformity of information security and report on the performance of the information security management system. Information security work must be approached on a risk basis.

In addition, to ensure information security it is necessary to define the protected assets, for example the information systems that are in use in the organisation and in which an information security risk can occur. For information systems, the user groups and the persons responsible for the systems are also defined. The information security implementation plan illustrates the steps and the follow-up of the practical implementation of information security work, in order to ensure that the desired results are achieved. According to the ISO 27001 standard, measures for maintaining information security must be developed as part of the organisation’s continuous operation. This is supported by, for example, an annual clock, which ensures that information security is kept up to date at all times; future information security measures and their dates can be defined there.

The standard’s requirements also include preparing an information security policy. The information security policy and the risk management policy are prepared and documented separately, and ISO 27001 does not set requirements for the latter. The prepared information security policy is made available to stakeholders whenever needed, and it defines the different practices used to ensure information security. Internally, information security is then handled in two different ways. Information security instructions are prepared so that employees can behave securely. Employees are often the “weakest link” in implementing information security, and even a good information security plan fails if employees cannot follow it. Information security guidelines have to be documented and available to everyone. Guidelines for information security management, on the other hand, are prepared only for the information security team, to give more precise guidance on potential information security vulnerabilities.

Changes and abnormalities in operations will occur, and you should prepare for them. In the contingency plan, the organisation defines how it ensures information security in all situations, including abnormal ones. At a practical level, information security is carried out by describing information security processes, which ensure that information security is maintained in the organisation’s operations. Processes can be illustrated visually, for example with a swim-lane process diagram, and checked to confirm that they work correctly in each information security situation.

An essential part of ensuring information security is also information security risk management, where the organisation’s information security risks, their significance and their probabilities are illustrated. It is possible to calculate a risk figure for each risk, which shows which risks are intolerable for the operation. Identified vulnerabilities and cyber attacks are recorded as information security abnormalities, which serve as a “log” of what happened and when.

Lastly – auditing

In the final stage, when the ISO 27001 requirements for information security management systems are met, an audit is carried out to determine the compliance and successful maintenance of the management system. You can already congratulate yourself at this stage, if the information security requirements are met and preparations for the audit have been made. Internal audits should also be carried out in the organisation at scheduled intervals.

[1] Tietoturvallisuus, VM
[2] SFS-EN ISO/IEC 27001:2017, SFS ry.