ISO 27001
And I underestimated how vast the information in this framework is (so far NIST is my favourite!). In addition, as it is a paid publication, I am a believer in making the most of freely available online resources before purchasing.
Thus, I am leaning on this YouTube series and ChatGPT for an overview.
Key things to know
ISO/IEC 27001 is the standard that specifies the requirements for building, operating and continually improving an information security management system (ISMS). The current edition is ISO/IEC 27001:2022; the control numbers and counts below are from that edition (the 2013 edition had 114 controls in 14 domains, so older material will not match).
- Its auditable requirements live in Clauses 4-10 (context, leadership, planning, support, operation, performance evaluation, improvement); the control catalogue is in Annex A, and the implementation guidance for each control is in the companion standard ISO/IEC 27002.
- Annex A controls are not all mandatory: the organisation selects them from its risk assessment and records which apply (and why any are excluded) in the Statement of Applicability (Clause 6.1.3), which the auditor checks against the implemented controls.
- Annex A has 93 controls split into the following four groups (themes): Organizational, People, Physical and Technological.
- A.5 Organizational (37 controls): policies & governance, roles/segregation of duties, threat intelligence, asset inventory & classification/labelling, access control policy & identity management, supplier/ICT supply chain & cloud service security, incident management (planning, assessment, response, lessons learned, evidence collection), ICT readiness for business continuity, legal/regulatory compliance, privacy/PII and protection of records.
- A.6 People (8 controls): screening, terms & conditions of employment, awareness & training, disciplinary process, responsibilities after termination, confidentiality/NDA agreements, remote working, reporting of security events.
- A.7 Physical (14 controls): security perimeters & secure areas, entry controls, physical security monitoring, protection against physical/environmental threats, clear desk/clear screen, equipment siting & off-premises assets, storage media, utilities & cabling, maintenance, secure disposal/reuse of equipment.
- A.8 Technological (34 controls): endpoint devices, privileged & general access restriction, secure authentication, malware protection, vulnerability management, configuration & change management, data masking/DLP/deletion, backup & redundancy, logging, monitoring & clock sync, network security & segregation, web filtering, cryptography, and the secure development life cycle (application security requirements, secure architecture & engineering principles, secure coding, security testing, separation of environments, test data).
ISO 27001 Certifications
There are two types of certification (ISO itself does not certify anyone; both are issued by accredited certification bodies or training providers):
- Organizational - the ISMS is audited against Clauses 4-10 and the Statement of Applicability; a certificate is valid for three years with annual surveillance audits. It demonstrates the organisation's security posture to customers and regulators and is often a prerequisite for being accepted as a vendor.
- Individual - practitioner qualifications, usually Lead Auditor (auditing an ISMS) or Lead Implementer (building and running one).