ISO 27001 Structure (ISMS)
ISO 27001 was updated in 2013, and the updated version of the framework adopted a two-part structure.
Part 1 of ISO 27001
The first section of ISO 27001 describes 11 clauses (numbered 0-10) that cover the general standards as well as the mandatory requirements and documents that an organization must have in order to be compliant with ISO 27001. The first four clauses provide context to help your organization understand what ISO 27001 is for and how to prepare for an ISO 27001 audit.
ISO 27001 provides a framework and guidelines for implementing an ISMS, which gives organizations a fundamental structure for managing their information security and for keeping all the relevant and required policies and procedures in place to secure the data on their premises.
1. An Introduction To ISO 27001 Standard
2. The Scope of ISO 27001
4. Relevant Terms and Definitions
This section explains how to make the ISMS Scope document. This document defines the scope of your organization’s ISMS, as well as the elements of your ISMS.
ISMS are audited for certification and to determine which controls are applicable to the scope of your project.
This section assists organisations in developing a Policy Statement, which explains the stakeholders involved in ISMS implementation and demonstrates the leadership team’s commitment to achieving ISO 27001 compliance. It also outlines who will complete ISMS maintenance tasks.
This section assists organisations in developing goals based on risks and opportunities. This information is used by organisations to develop a plan for maintaining a risk-based approach to ISMS management and determining how they will monitor and measure their objectives.
This section guides organisations through the process of determining how they will manage resources to maintain and improve their ISMS in accordance with five essential activities: competence, awareness, communication, documentation, and records management.
This section guides organizations through the process of defining procedures for measuring, monitoring, and maintaining ISMS records. It also contains information on creating an internal audit schedule and conducting management reviews to address corrective actions for issues discovered during audits.
This section assists organizations in risk mitigation by generating the required risk assessment report and risk treatment plan.
This section aids organizations in developing a process for recording and managing improvement recommendations and non-conformities discovered during audits.
The initial ISO 27001 certification process consists of two stages: a documentation review audit and an evidential audit. The clauses in Part 1 of the ISO 27001 structure assist organizations in preparing the written documentation, processes, procedures, and guidelines that explain their ISMS implementation and the business processes that support it.
During the Stage 1 Documentation Review, these documents are reviewed by an approved, objective auditor. The auditor ensures that a company’s documentation complies with ISO 27001 standards during this first stage and may recommend certification.
Part 2 of ISO 27001
An approved auditor from an accredited certifying body reviews your organization’s ISMS processes and controls in action during Stage 2 of the initial certification process. Finding evidence that controls in place work effectively, efficiently, and in accordance with the documented processes reviewed in Stage 1 is part of this audit.
The second section of ISO 27001 is known as Annex A. This section details 114 controls across 14 domains that organizations should implement or follow, depending on the scope of their ISMS certification.
Not all controls will be applicable to every company’s implementation. Instead, in a Statement of Applicability (SoA), the company defines which controls are relevant based on its scope.
In the SoA, the organization justifies whether or not to implement any of the 114 ISO 27001 controls based on the assessment, business need, or legal/contractual obligation.
After defining the relevant controls, an auditor gathers evidence to demonstrate that the controls identified in the SoA align with the standards outlined in Annex A. If these controls and appropriate business processes are implemented correctly, an organization is eligible for ISO 27001 certification.