
ISO27001 Information Security Management System

In 2005, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the first standards in what became the ISO/IEC 27000 series, designed to help organizations and companies improve their information security management. The central standard in that series is ISO/IEC 27001, which specifies the requirements for an information security management system and is the one organizations are certified against.

If attaining ISO 27001 certification is critical to your organization, read on to learn about its benefits and requirements and how to successfully integrate it.

ISO 27001 explained

ISO 27001:2013 is the edition of ISO 27001 most widely referenced by companies and organizations around the world, and it is the edition this article describes. Note that ISO/IEC 27001:2022 has since been published: it keeps the same management-system clauses but reorganizes Annex A into 93 controls under four themes (organizational, people, physical and technological), and certificates issued against the 2013 edition must transition to it by 31 October 2025. The standard specifies how to establish, implement, operate and maintain an information security management system (ISMS), and how to continually improve it.

ISO publishes these standards to help organizations improve the security of their information assets. The standard itself does not certify anything: to obtain ISO 27001 certification, an organization must be audited by an accredited certification body, and the certificate is granted only after a successful certification audit (typically a documentation review followed by an on-site assessment of the implemented ISMS). Certification is then kept through annual surveillance audits and a recertification audit every three years.

Why is ISO 27001 important?

ISO 27001 matters to many organizations because it provides a framework for protecting sensitive information. The core of that framework is risk management: identifying the strengths and weaknesses of current security efforts and treating the risks that remain. ISO 27001 pushes organizations to treat information security as a management discipline, emphasizing an ISMS because it covers a company's processes end to end rather than securing individual systems in isolation.

An ISMS built on ISO 27001 rests on a living set of documents (the scope, the policies, the risk assessment, the risk treatment plan, the Statement of Applicability and the records showing the ISMS operating) that are produced and revised to improve risk management. Since these documents are often stored online in a knowledge management system, they are themselves information assets that must be classified and protected according to the standard's own requirements.

What are the benefits of ISO 27001?

ISO 27001 brings several advantages to organizations.

Higher compliance



By achieving ISO 27001 certification, a company demonstrates to an independent auditor that it has implemented, and follows, a recognized set of information security practices. Operating the ISMS properly does not stop every attack, but it leaves an organization better placed to prevent, detect and recover from threats such as malware and ransomware.


Improved reputation

Obtaining ISO 27001 certification enhances an organization's reputation. When your organization is ISO 27001 certified, you can show your partners and customers that you can properly protect their data. You are more likely to increase your business opportunities due to the international reputation advantages associated with ISO 27001.

Better organization

Implementing ISO 27001 imposes structure on your security work. Because the standard requires you to document your main security processes and assign an owner to each of them, you avoid the disorganization that leaves gaps between teams. Every worker can consult the documentation to find their responsibilities and learn how key processes are carried out.

Lower expenses

Because ISO 27001 is designed to prevent security incidents rather than merely react to them, it can reduce the costs those incidents would otherwise cause. Achieving compliance requires an up-front investment, but the incidents a functioning ISMS prevents or contains can offset that cost over time.

What are the requirements of ISO 27001?

ISO 27001 is organized into clauses 0 through 10 plus Annex A, which lists the reference controls. Clauses 0 to 3 are introductory (introduction, scope, normative references, and terms and definitions); clauses 4 through 10 contain the mandatory requirements an organization must meet to be certified. The main requirement clauses are:

  • Organizational context: To meet this requirement, you need to understand the internal and external issues and the interested parties (regulators, customers, staff, suppliers) that shape your ISMS, and define the scope of the ISMS accordingly

  • Leadership: This part of the ISO 27001 standard explains how leaders of an organization should be involved in ISMS procedures and policies

  • Planning: The planning requirements outline how an organization should plan its risk management strategy

  • Support: In the Support section, ISO 27001 details how to increase information security awareness and assign responsibilities in your organization

  • Operation: Operational requirements cover how your organization plans and controls its ISMS processes, performs the risk assessment at planned intervals, and carries out the risk treatment plan, keeping documented evidence that an auditor can review

  • Performance Evaluation: To meet the performance evaluation criteria, your organization will need to follow guidelines for properly measuring and monitoring ISMS performance

  • Improvements: The Improvements section lists how your organization should regularly improve and update your ISMS

What are ISO 27001 controls?


ISO 27001 controls are the practices an organization implements to reduce its risks to an acceptable level. They can be physical, technical, human, legal or organizational. Annex A of ISO 27001:2013 lists 114 controls grouped into 35 control objectives across 14 domains. Not every control is mandatory: an organization selects the controls its risk treatment calls for and must justify, in a Statement of Applicability, both the controls it includes and any it excludes. ISO designed the controls to give organizations a reference framework for identifying, addressing and managing information security risks.

What are the 14 areas of ISO 27001?

ISO 27001:2013 groups its Annex A controls into 14 domains. They cover key parts of an organization such as the organization of information security, human resource security, supplier relationships, asset management and information security incident management. Implementing the applicable controls in these domains, and documenting why the remaining ones do not apply, is what an auditor checks when assessing whether the ISMS meets the standard.

Learn more about the 14 areas of ISO 27001:

1. Information Security Policy

The first domain of ISO 27001 covers information security policy. This domain determines how an organization should write its ISMS policies and review them for compliance. When auditors review your organization's policies, they will examine how you document and review your procedures and how often you do so.

2. Information Security Organization

In the information security organization section, ISO 27001 provides organizations with the necessary framework for the implementation and operation of information security. This section defines the responsibilities of different parts of the organization. It also helps organizations define organizational aspects of their information security, such as telecommuting, project management, and mobile device usage. Here, auditors will look for an easy-to-understand organizational chart with information about each role's responsibilities.

3. Human resource security


The Human Resource Security area focuses on how organizations should inform employees about cybersecurity when onboarding, leaving, and moving positions. It also covers how organizations can hire, train and manage their employees in a safe manner. During the audit, the auditor will check that you have clear information security practices during employee onboarding and offboarding.

4. Asset Management

In the asset management section, ISO 27001 provides controls that provide organizations with information on identifying information security assets such as storage and processing equipment. Controls in this domain also cover how an organization should specify security responsibilities for its data assets. They ensure that people know the proper handling of these assets according to predefined classification levels. In an audit, the auditor examines how an organization tracks its databases, software and hardware, and the methods or tools it uses to maintain data integrity.

5. Access Control

When an organization reviews access control domains, it learns more about how it should restrict employee access to various types of data. In this case, the auditor will ask the organization to provide details on how it sets up access rights and responsibilities for maintaining those controls.

6. Cryptography

The cryptography domain covers controls on how an organization should use cryptographic solutions properly, including a policy on when cryptography is required and how cryptographic keys are generated, stored, rotated and retired. Proper use protects the confidentiality, integrity and authenticity of information. When auditing, auditors examine the systems that handle sensitive data, the algorithms and protocols in use, and how the organization manages its keys.

7. Physical and Environmental Security


In addition to a company's cyber defenses, ISO 27001 also covers physical and environmental security. This domain details the processes for protecting buildings, secure areas and equipment from unauthorized physical access, damage and interference, and from environmental hazards such as fire, flooding and power failure. During an audit, auditors look for weaknesses in physical locations, paying particular attention to the entry controls for data centers and offices.

8. Operational Security

The operations security domain details the controls that keep day-to-day IT operations secure: documented operating procedures, change management, protection from malware, backup, logging and monitoring, control of operational software, and technical vulnerability management. To meet the standard in this area, companies must show that they collect, store and process data securely. When auditors examine compliance with operations security, they want to see evidence such as data-flow documentation, backup and restore records, and logs showing what the organization monitors and where it stores its data.

9. Communication Security

Controls in the communications security domain cover network security management and the transfer of information, both within an organization's network and with external parties. By securing networks and transfers, organizations better protect their network services and infrastructure as well as the data in transit across them. In an audit, the auditor wants to know which communication systems the organization uses, how its networks are segregated, and how data is protected while it is being transferred.

10. System acquisition, development and maintenance

The System Acquisition, Development, and Maintenance section includes controls to maintain information security best practices when upgrading existing systems or purchasing new systems. During the audit, the auditor will check whether the organization maintains strict security standards when introducing new systems.

11. Supplier Relations


If the organization outsources various activities to partners or suppliers, the Supplier Relations section should be reviewed. This section provides information on the proper information security controls that any suppliers and partners should follow when an organization outsources activities to them. 

Controls in this area also include how an organization should properly monitor third-party security performance. To verify that the organization has properly outsourced various activities, auditors will review the organization's contracts with third parties that may have access to sensitive data.

12. Information security incident management

The information security incident management domain provides organizations with best practices for responding effectively to security threats. These include procedures for reporting information security events and weaknesses, assessing whether an event is an incident, and communicating about incidents internally and externally.

The domain's controls also cover how to respond to incidents quickly, collect and preserve evidence, and learn from past incidents so that the same issues do not recur. Auditors typically review incident records and response procedures and look for evidence that the process has been exercised, to verify that the organization can deal effectively with a range of threats.

13. Information Security Aspects of Business Continuity Management

The information security aspects of business continuity management domain has controls designed to help organizations maintain information security during and after a disruption. These controls require planning for continuity of information security, implementing and regularly verifying those plans, and building in enough redundancy that information processing facilities remain available. Auditors check the organization's capability by reviewing the continuity plans and the records of tests or exercises in which the ISMS responded to simulated interruptions.

14. Compliance

The final domain of ISO 27001 is compliance; it covers the legal, statutory, regulatory and contractual requirements an organization must meet, including intellectual property rights, protection of records, privacy of personally identifiable information and regulation of cryptographic controls. By following these controls, companies are better placed to avoid breaches of legal, statutory, regulatory or contractual obligations. The domain also requires independent reviews of information security and checks that the organization's own policies and technical standards are actually being followed. During the audit, the auditor looks for evidence that the organization has identified the regulations that apply to it and can demonstrate compliance with them.

How do you implement ISO 27001 controls?


When you try to implement ISO 27001 controls, you will take a variety of approaches depending on the type of control you want to implement. Check out the following main ways to implement these controls:

  • Organizational Control: Add organizational control by defining the expected behavior of devices, systems, software, and users and establishing rules. Examples of these controls include access controls and policies for working with personal devices.

  • Human Resource Control: Provide employees and other relevant personnel with the experience, knowledge, skills and education needed to safely perform their duties. Some examples of these controls include ISO 27001 internal auditor training and security awareness training.

  • Technical Controls: Implement technical controls by adding firmware, hardware and software components to your information systems. Primary examples include antivirus software and cloud backups.

  • Physical Control: Install devices and equipment that can physically interact with objects and people to increase the physical security of an organization. Some examples of such controls include locks, CCTV cameras and alarm systems.

  • Legal controls: Add legal controls by ensuring that your organization's actions and rules follow the contracts, regulations, and laws your organization must comply with. Examples of legal controls include service level agreements and nondisclosure agreements.

How to use ISO 27001 for risk assessment

If you wish to comply with ISO 27001 when conducting risk assessments, there are several steps you should follow. Some of the first steps in conducting a compliance risk assessment include:

Create a risk management framework

A risk management framework gives you rules for how to identify risks, how risks affect the confidentiality, integrity and availability of your information, and who owns each risk. A good framework also uses a consistent, repeatable method for estimating the likelihood and potential impact of each risk, so that two assessors score the same risk the same way. The framework needs to define the risk scales, whether assessment is asset-based or scenario-based, the organization's risk appetite (its acceptance criteria) and its baseline security standards.

Identify potential risks and threats

After establishing a risk management framework, identify key risks that may affect the integrity, availability, and confidentiality of information. Listing all potential threats to your information assets can help you organize them and track the top threats to your organization.

Analyze risk


Once you have identified potential risks, identify the major vulnerabilities of your information assets. Based on your analysis, you can assign likelihood and impact values determined by risk criteria.

Evaluate risks against your acceptance criteria

After analyzing the risks, compare each one with the acceptance criteria you defined in the framework. How far a risk exceeds what you are prepared to accept determines its priority for treatment.

Implement risk handling solutions

Finally, decide what to do with each identified risk. ISO 27005 names four treatment options: modify the risk by applying security controls, avoid it by stopping the activity that causes it, share it with another party (for example through insurance or a contract), or retain it. If a risk is already within your acceptance criteria, you may decide to retain it, but that decision should be documented and approved by the risk owner. Whatever treatment you choose, re-score the residual risk afterwards to confirm that it is now acceptable.
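The steps above (framework, identification, analysis, evaluation against acceptance criteria, treatment) are easiest to see end to end in a small risk register. The following is an added example written for this page, not code from the original article or from any ISO publication. The 1-to-5 likelihood and impact scales, the risk appetite of 9, the "avoid" threshold of 20 and the four sample risks are all constructed assumptions; ISO 27001 prescribes none of them and leaves the scales and criteria to the organization's own framework.

```python
"""Minimal ISO 27001-style risk register: score, evaluate, treat, re-score.

Added example for this page. Scales, thresholds and sample risks are
constructed assumptions, not values taken from ISO 27001 or ISO 27005.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed ordinal scales; an organization defines its own in its framework.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: str
    impact: dict                        # {"C": label, "I": label, "A": label}
    # Planned control and how many likelihood levels it is expected to remove.
    planned_control: Optional[tuple] = None
    # True when the risky activity can simply be stopped (treatment "avoid").
    can_discontinue: bool = False


def worst_impact(risk: Risk) -> int:
    """Impact is scored against C, I and A separately; the worst one drives the risk."""
    return max(IMPACT[label] for label in risk.impact.values())


def inherent_score(risk: Risk) -> int:
    """Inherent risk = likelihood x worst impact, before any planned treatment."""
    return LIKELIHOOD[risk.likelihood] * worst_impact(risk)


def residual_score(risk: Risk) -> int:
    """Risk after the planned control, modelled here as reducing likelihood only."""
    if risk.planned_control is None:
        return inherent_score(risk)
    _, reduction = risk.planned_control
    new_likelihood = max(1, LIKELIHOOD[risk.likelihood] - reduction)
    return new_likelihood * worst_impact(risk)


def choose_treatment(risk: Risk, appetite: int, avoid_threshold: int = 20) -> str:
    """Map a scored risk to an ISO 27005 treatment option (retain / avoid / modify)."""
    score = inherent_score(risk)
    if score <= appetite:
        return "retain"                 # within acceptance criteria; owner signs off
    if risk.can_discontinue and score >= avoid_threshold:
        return "avoid"                  # stop the activity instead of securing it
    return "modify"                     # apply controls, then check residual risk


def build_treatment_plan(register: list, appetite: int) -> list:
    """Evaluate every risk and return a plan ordered by inherent score, highest first."""
    plan = []
    for risk in register:
        treatment = choose_treatment(risk, appetite)
        residual = 0 if treatment == "avoid" else residual_score(risk)
        plan.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "owner": risk.owner,
            "inherent": inherent_score(risk),
            "treatment": treatment,
            "control": risk.planned_control[0] if treatment == "modify" and risk.planned_control else None,
            "residual": residual,
            # A "modify" whose residual is still above appetite needs another
            # control or a documented, owner-approved acceptance of the residual.
            "needs_escalation": treatment == "modify" and residual > appetite,
        })
    return sorted(plan, key=lambda entry: entry["inherent"], reverse=True)


# Constructed sample register (hypothetical assets, owners and controls).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched internet-facing app server",
         "Head of IT", "likely", {"C": "major", "I": "severe", "A": "severe"},
         planned_control=("patch SLA plus EDR on servers", 2)),
    Risk("laptop fleet", "device theft", "no full-disk encryption",
         "IT operations", "possible", {"C": "major", "I": "minor", "A": "moderate"},
         planned_control=("enforce full-disk encryption via MDM", 1)),
    Risk("marketing website", "defacement", "CMS plugin not updated",
         "Marketing lead", "unlikely", {"C": "negligible", "I": "moderate", "A": "minor"}),
    Risk("legacy FTP server", "credential interception", "plaintext authentication",
         "Head of IT", "almost certain", {"C": "severe", "I": "major", "A": "minor"},
         can_discontinue=True),
]
RISK_APPETITE = 9   # constructed: anything above a 3x3 cell is not acceptable as-is

if __name__ == "__main__":
    for entry in build_treatment_plan(SAMPLE_REGISTER, RISK_APPETITE):
        flag = "  [escalate: residual still above appetite]" if entry["needs_escalation"] else ""
        print(f"{entry['inherent']:>2} -> {entry['residual']:>2}  {entry['treatment']:<7} "
              f"{entry['asset']} / {entry['threat']}{flag}")
```

The point worth noticing in the output is the customer database: it is treated with "modify", yet the planned control only brings the residual score down to 10, still above the appetite of 9, so the plan flags it for escalation. That re-scoring step is what keeps a risk treatment plan honest; a register that stops at "control planned" gives an auditor no way to see whether the organization's risks actually ended up within its own acceptance criteria.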

What is the ISO 27000 standard?

ISO 27001 establishes the main requirements for an organization's ISMS, but organizations should also be aware of the supporting standards in the ISO 27000 series. Some of the main ISO 27000 standards that complement ISO 27001 are listed below:

  • ISO/IEC 27000: ISO 27000 provides the overview of the series and the vocabulary (definitions of key terms) used throughout the other ISO 27000 standards

  • ISO/IEC 27002: ISO 27002 is an essential standard when you want to implement the controls in Annex A of ISO 27001; this standard provides organizations with information and guidance on implementing controls

  • ISO/IEC 27004: ISO 27004 provides organizations with guidance on measuring their information security; it complements ISO 27001 as it helps organizations determine whether their ISMS is meeting key objectives

  • ISO/IEC 27005: Information security risk management is essential for risk reduction, and ISO 27005 provides guidelines for carrying it out; this standard complements ISO 27001 by describing how an organization can conduct effective risk assessment and risk treatment activities

  • ISO/IEC 27017: When you look at ISO 27017, you'll find guidance on information security in cloud environments

  • ISO/IEC 27018: ISO 27018 provides guidance for organizations on how to protect privacy when using cloud environments

  • ISO/IEC 27031: ISO 27031 provides guidance for organizations on the main elements to consider when creating business continuity for information and communication technologies

What is the difference between SOC 2 and ISO 27001?


ISO 27001 is a standard that specifies requirements for an organization's ISMS and against which the organization can be certified. SOC 2 (System and Organization Controls 2) is an attestation framework from the American Institute of Certified Public Accountants (AICPA): an independent CPA firm examines the design of an organization's controls (a Type I report) or, for a Type II report, their operating effectiveness over a period, against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), and issues a report rather than a certificate.

Although SOC 2 and ISO 27001 are different, they can complement each other. After implementing the ISO 27001 standard, organizations often find that they can create SOC 2 reports more easily.

ISO 27001 Checklist

Checklists can help you focus when you are trying to achieve ISO 27001 compliance. Check out these eight steps for a valid ISO 27001 checklist:

  1. Obtain management support and organize the implementation team

  2. Develop an implementation plan

  3. Develop an ISMS policy and define its scope

  4. Find your organization's security baseline

  5. Develop a risk management process

  6. Execute your risk treatment plan

  7. Monitor, measure and review the performance and compliance of your ISMS

  8. Prepare to audit and certify your ISMS

How Box Helps Maintain Trust and Compliance

Content Cloud makes ISO 27001 compliance easy. Our Box Trust Center shows how we help our clients achieve compliance with global government and private standards. For example, we encrypt our customers' data in motion and at rest to help our customers meet ISO 27001 requirements. Our collaboration platform is itself ISO 27001:2013 certified, a testament to our commitment to compliance.

In addition to Box Trust Center, we offer security and compliance solutions designed to help you meet various privacy and compliance requirements. Because these solutions integrate seamlessly with top security and information governance partners, you can ensure your entire technology stack has the security and compliance you need.

With Box Governance, you can improve your governance strategy with cloud content management. This solution simplifies your content lifecycle, reduces risk without compromising productivity, and gives you the tools to manage document retention and disposal policies.

Data compliance creates business value

Give us the opportunity to start understanding your needs, and let us work together to protect your business.

Shanghai Digital Shell information technology co., ltd
Floor 8, No.690 Bibo Road, Pudong New Area, Shanghai

Email
mkt@dpoit.com

Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.