Organisations that want a proven, structured approach to information security should look no further than ISO 27001.
The Standard describes best practice for implementing and maintaining an ISMS (information security management system), which is built around a system of controls that protects your information from a wide variety of threats.
The full set of controls is listed in Annex A of the Standard. There are 114 in total, divided into 14 sections.
If you think that’s a lot of work, relax. You don’t need to implement them all, only the ones that address issues identified in your ISO 27001 risk assessment.
In this blog, we identify three of the most important sets of controls for keeping information secure.
1. Asset management
It’s easy for security incidents to occur if no one in your organisation knows who’s responsible for information security.
Asset management is the process of identifying the owner of information at various stages of its lifecycle and the steps that must be taken to keep it secure.
The controls to ensure effective asset management are outlined in Annex A.8 of ISO 27001:
- A.8.1 Asset responsibility, which identifies the information assets in scope of your ISMS, as well as your acceptable use and return policies.
- A.8.2 Information classification, in which organisations determine the level of protection information should be given.
- A.8.3 Media handling, which prevents unauthorised disclosure, modification, removal or destruction of information stored on media.
Free download: ISMS Measurement – Metrics made easy
Find out more about ISO 27001 by downloading our free green paper: ISMS Measurement – Metrics made easy.
This paper discusses the key principles of effective information security management, and helps you understand the challenges you might face when developing and operating an ISMS. It covers:
- The controls you should prioritise for management;
- The difference between measuring performance and effectiveness;
- Methods for measuring the risk assessment process; and
- Common issues when analysing and presenting measurement results.
2. Access controls
Organisations often don’t account for the threat employees pose, which is a big mistake when you realise how many breaches are caused by human error or malicious action.
Many of those threats can be mitigated with access controls. These are measures that organisations implement to ensure that employees only have access to information that’s relevant for their job.
ISO 27001’s access controls are outlined in Annex A.9:
- A.9.1 Access control policy, in which the controls are documented and shared with employees. The policy should account for the security requirements that you identified during information classification and the information and network access necessary for each job role.
- A.9.2 User access management, which covers the way you give and remove access to employees, including privileged access.
- A.9.3 User responsibilities, which holds users accountable for safeguarding their authentication information.
- A.9.4 System and application access control, which prevents unauthorised access to systems and applications. This includes secure log-on procedures and password management systems.
3. Physical and environmental security
Organisations often overlook the importance of protecting their premises when addressing information security. However, it’s essential that you understand the risks associated with physical vulnerabilities.
Two of the most common types of physical vulnerabilities are environmental threats (snowstorms knocking out power lines, for example) and crooks finding sensitive information in a public part of the building.
The controls to ensure effective physical and environmental security are outlined in Annex A.11 of ISO 27001:
- A.11.1 Securing your premises, in which you identify any locations that contain sensitive and critical information, and implement measures to prevent unauthorised physical access, damage and interference to information. This includes physical entry controls in your main entrance, delivery and loading areas, and any rooms or offices within your premises that house sensitive information. You must also protect against external and environmental threats and document processes for working in secure areas.
- A.11.2 Equipment, which prevents the loss, damage, theft or compromise of assets and interruption to the organisation’s operations.
ISO 27001 compliance with IT Governance
If you’re looking for help implementing ISO 27001, we are here to help. Our ISO 27001 Toolkit contains everything you need to meet your compliance requirements.
It contains more than 140 customisable ISO 27001 documentation templates, including policies, procedures, work instructions and records.
You’ll also receive tools to help you complete the gap assessment, Statement of Applicability and roles and responsibilities matrix, as well as our Implementation Manager tool and two staff awareness e-learning licences.
A version of this blog was originally published on 19 February 2019.