ISO 27001 the international standard for Information Security is a simple and straight forward management system that is often over complicated by consultants and solution providers.
Here we take a look at mapping the standard to the simple, easy, pre written templates that satisfy it.
These templates are all part of the ISO 27001 Toolkit.
DO IT YOURSELF
ISO 27001
So lets take a look at how to map ISO 27001 to simple ISO 27001 templates.
| CLAUSE | CONTROL | TEMPLATES |
|---|---|---|
| ISO:2022 27001Clause 4.1 | Understanding the organisation and its context | Context of Organisation |
| ISO 27001:2022 Clause 4.2 | Understanding the needs and expectations of interested parties | Context of Organisation |
| ISO 27001:2022 Clause 4.3 | Determining the scope of the information security management system | Documented ISMS Scope |
| ISO 27001:2022 Clause 4.4 | Information security management system | The Information Security Management System |
| ISO 27001:2022 Clause 5.1 | Leadership and commitment | Organisation Overview describes the business and its objectives and mission and values. The Information Security Management System sets out the information security objectives. These are managed and reviewed at the Management Review Team meeting which is documented in Information Security Roles Assigned and Responsibilities. Information security policies are in place in line with the standard. Information Security Policy sets out the objectives and the senior leadership commitment statement. Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control Information Security Awareness and Training Policy sets out training and awareness Communication Plan sets out the communications for the year across media and approaches The Management Review Team meeting agenda covers the requirements of the standard. A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year. Continual Improvement Policy sets out the continual improvement approach. Incident and Corrective Action Log captures and manages the corrective actions. Competency Matrix captures the core competencies and training requirements of staff in relation to information security. |
| ISO 27001:2022 Clause 5.2 | Policy | Information Security Policy is the main information security policy and is part of a framework of policies. It includes the Information Security Objectives. It includes the requirements to meet legal and regulatory obligations. It includes a commitment to continual improvement. Legal and Contractual Requirements Register sets out the legal, regulatory and contractual obligations Continual Improvement Policy sets out the continual improvement policy. The information security management system and associated documents are available electronically to the organisation based on the persons role and business need. Communication Plan sets out the communications for the year across media and approaches Documents are available to interested parties based on Non Disclosure Agreements and Contracts being place. Policies provided: Data protection Policy Data Retention Policy Information Security Policy Access Control Policy Asset Management Policy Risk Management Policy Information Classification and Handling Policy Information Security Awareness and Training Policy Acceptable Use Policy Clear Desk and Clear Screen Policy Mobile and Teleworking Policy Business Continuity Policy Backup Policy Malware and Antivirus Policy Change Management Policy Third Party Supplier Security Policy Continual Improvement Policy Logging and Monitoring Policy Network Security Management Policy Information Transfer Policy Secure Development Policy Physical and Environmental Security Policy Cryptographic Key Management Policy Cryptographic Control and Encryption Policy Document and Record Policy Significant Incident Policy and Collection of Evidence Policy Patch Management Policy |
| ISO 27001:2022 Clause 5.3 | Organisational roles, responsibilities and authorities | Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. The Management Review Team meeting agenda covers the requirements of the standard. Competency Matrix captures the core competencies and training requirements of staff in relation to information security. Management Review Team is documented in the document: Information Security Roles Assigned and Responsibilities and has responsibility for overseeing the Information Security Management System. This group reports to the board and has board representation and certain board designated authority for decision making. The Management Review Team meeting at least quarterly and follow the agenda as defined in the standard. |
| ISO 27001:2022 Clause 6.1.1 | Planning General | Risk Management Policy and Risk Management Procedure describe the risk management process. Risk Register captures, manages and reports risks. These are reported to and overseen by the Management Review Team meeting. Risk Management is part of the Continual Improvement Policy and process Continual improvement is managed, tracked and reported using Incident and Corrective Action Log |
| ISO 27001:2022 Clause 6.1.2 | Information security risk assessment | There is a risk management process in place and documented. Risk Management Policy and Risk Management Procedure describe the risk management process. Risk Register captures, manages and reports risks. |
| ISO 27001:2022 Clause 6.1.3 | Information security risk treatment | There is a risk management process in place and documented. Risk Management Policy and Risk Management Procedure describe the risk management process. Risk Register captures, manages and reports risks. All controls required are assessed and document in the Statement of Applicability Statement of Applicability describes the applicability of controls and why they are / are not applicable. A Risk Treatment Plan guidance is documented in the Risk Register Residual risk acceptance is recorded in the risk register and via Management Review Team meeting and standing agenda with minutes. Risk Owners and Treatment Owners are identified in the Risk Register |
| ISO 27001:2022 Clause 6.2.1 | Information security objectives and planning to achieve them | The Information Security Management System describes the information security objectives and the process and roles and responsibilities. The Information Security Policy sets out the information security objectives in policy form. Communication Plan sets out the communications for the year across media and approaches Documents are updated as part of the Continual Improvement Policy and process and evidence as signed of by the Management Review Team |
| ISO 27001:2022 Clause 7.1 | Resources | Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control |
| ISO 27001 Clause 7.2 | Competence | Competency Matrix captures the core competencies and training requirements of staff in relation to information security. Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control |
| ISO 27001:2022 Clause 7.3 | Awareness | Competency Matrix captures the core competencies and training requirements of staff in relation to information security. Communication Plan sets out the communications for the year across media and approaches Information Security Awareness and Training Policy sets out the training and awareness requirements All policies include a statement on non conformance. Grievance and disciplinary policy and processes are needed to be in place. Employment contracts and third party contracts need to include coverage of information security requirements. |
| ISO 27001:2022 Clause 7.4 | Communication | Communication Plan sets out the communications for the year across media and approaches. It lays out what, when, who and how and records evidence. |
| ISO 27001:2022 Clause 7.5.1 | Documented information General | The information security system is in place and evidenced and is high level described in document: The Information Security Management System. Documents as described per each control. |
| ISO 27001:2022 Clause 7.5.2 | Creating and updating | Document and Record Policy Documents appropriate to the organisation and evidenced as having the mark up included Documents are reviewed and signed of by the Management Review Team and evidenced as such. Documents are updated in line with Continual Improvement Policy and the continual improvement process |
| ISO 27001 Clause 7.5.3 | Control of documented information | Documents stored and accessible appropriate to the organisation. Version control and document history in place. Documents retained and disposed in line with the Data Retention Policy. |
| ISO 27001:2022 Clause 8.1 | Operational planning and control | The information security management system and associated processes are evidenced as being in place. Documents and version control are in place. Audit Plan kept for a minimum of 1 year in line with the Data Retention Policy Change Management Policy Third Party Supplier Security Policy Third Party Supplier Register is in place with periodic reviews needed based on criticality, risk and business need. Current in date contracts are needed to be in place for all key suppliers. |
| ISO 27001:2022 Clause 8.2 | Information security risk assessment | There is a risk management process in place and documented. Risk Management Policy Risk Register All controls required are assessed and document in the Statement of Applicability Risk assessment is performed at points of significant change on introduction of new technology and at least annually. Risk Meeting Minutes in place. |
| ISO 27001:2022 Clause 8.3 | Information security risk treatment | There is a risk management process in place and documented. Risk Management Policy Risk Register All controls required are assessed and document in the Statement of Applicability Risk assessment is performed at points of significant change on introduction of new technology and at least annually. Risk Meeting Minutes in place. Risk assessment is needed to be performed at points of significant change on introduction of new technology and at least annually. |
| ISO 27001:2022 Clause 9.1 | Monitoring, measurement, analysis and evaluation | The Information Security Management System sets out the objectives. These are managed and reviewed at the Management Review Team meeting which is documented in the document: Information Security Roles Assigned and Responsibilities. The agenda template covers the requirements of the standard and is seen to be in operation in the meeting minutes. A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year. Continual Improvement Policy sets out the continual improvement policy. Incident and Corrective Action Log captures and manages the corrective actions. |
| ISO 27001:2022 Clause 9.2 | Internal audit | The ISO 27001 Audit Toolkit provides everything that is needed. Easy to follow step by step guide – How to Conduct an Internal Audit The ISO 27001 ISMS 114 Controls – audit work sheet The ISO 27002:2013 Annex A – audit work sheet The ISO 27002:2022 Annex A – audit work sheet Management Audit Report Audit Meeting Template Audit 12 Month Planner |
| ISO 27001:2022 Clause 9.3 | Management review | The Management Review Team which is documented in the document: Information Security Roles Assigned and Responsibilities meets at least quarterly. Document: Management Review Team Meeting Agenda, the agenda template covers the requirements of the standard |
| ISO 27001:2022 Clause 10.1 | Nonconformity and corrective action | A non conformity occurs as a result of audit, incident or observation. A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year. Continual Improvement Policy sets out the continual improvement policy. Incident and Corrective Action Log captures and manages the corrective actions. Management Review Team oversees non conformity and corrective action as part of standing agenda |
| ISO 27001:2022 Clause 10.2 | Continual improvement | Continual Improvement Policy sets out the continual improvement policy. A process of continual improvement is in place. |