# ISO 27001 Management System

## Why ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information.
## Benefits of Certification

| Benefit | Impact |
|---------|--------|
| Customer trust | Demonstrates security commitment |
| Legal compliance | Meets GDPR, CCPA requirements |
| Competitive advantage | Required for many enterprise contracts |
| Risk reduction | Systematic risk management |
| Process improvement | Clear policies and procedures |
## ISMS Establishment Steps

| Step | Description | Key Activity |
|------|-------------|--------------|
| 1 | Define scope | Which systems, departments are included |
| 2 | Security policy | Management establishes security direction |
| 3 | Risk assessment | Identify threats, vulnerabilities, impacts |
| 4 | Risk treatment | Choose mitigation strategies |
| 5 | Select controls | Choose from Annex A (114 controls) |
| 6 | Internal audit | Verify compliance with policies |
| 7 | Management review | Executive review of ISMS performance |
| 8 | External audit | Certification body assessment |
## Annex A Controls (Selected)

| Control ID | Area | Description |
|-----------|------|-------------|
| A.5 | Security policy | Management commitment, policy review |
| A.6 | Organization | Roles, responsibilities, segregation of duties |
| A.7 | Human resources | Background checks, training, discipline |
| A.8 | Asset management | Inventory, classification, media handling |
| A.9 | Access control | User access, passwords, privilege management |
| A.10 | Cryptography | Encryption policies, key management |
| A.12 | Operations | Change management, capacity, malware protection |
| A.14 | System acquisition | Security requirements, development lifecycle |
| A.16 | Incident management | Reporting, response, lessons learned |
| A.18 | Compliance | Legal, regulatory, contractual requirements |

## Risk Assessment Template
## Risk Assessment: Database Server
**Asset:** Production PostgreSQL database
**Owner:** Data Engineering Team
### Threat Scenarios
| Threat | Likelihood | Impact | Risk Level |
|--------|-----------|--------|-----------|
| SQL injection | Medium | Critical | High |
| Unauthorized access | Low | Critical | Medium |
| Data corruption | Low | Critical | Medium |
| Hardware failure | Medium | High | High |
| Ransomware | Medium | Critical | High |
### Risk Treatment Plan
| Risk | Treatment | Control |
|------|-----------|---------|
| SQL injection | Mitigate | Parameterized queries, WAF |
| Unauthorized access | Mitigate | MFA, network segmentation |
| Data corruption | Mitigate | Regular backups, validation |
| Hardware failure | Transfer | RAID, replication, SLA |
| Ransomware | Mitigate | Backups, training, anti-malware |
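The template above rates each scenario as likelihood × impact and then assigns a treatment. The script below is an added example (not part of the original page) that turns that template into a small risk register: it scores each scenario, derives the qualitative risk level, orders the treatment plan by score, and flags register entries an auditor would question. The ordinal scales, the score thresholds, the `Risk` dataclass and the sample rows are assumptions; the sample rows are constructed to reproduce the database-server template, with one extra constructed entry to show a validation failure.

```python
"""Risk register scoring for an ISO 27001-style risk assessment.

Added example, not code from the original page. The numeric scales and
thresholds are assumptions chosen so the derived levels match the
qualitative levels in the database-server template.
"""
from dataclasses import dataclass

# Assumed ordinal scales (not from the page).
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# The four treatment options named in the chapter.
VALID_TREATMENTS = {"Mitigate", "Transfer", "Accept", "Avoid"}


def risk_level(likelihood: str, impact: str) -> str:
    """Map the likelihood x impact product onto a qualitative level (assumed thresholds)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str
    controls: tuple  # tuple of control names; empty when none are assigned

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def problems(self) -> list:
        """Checks an internal auditor would make on a single register entry."""
        found = []
        if self.treatment not in VALID_TREATMENTS:
            found.append(f"{self.threat}: unknown treatment {self.treatment!r}")
        if self.treatment in {"Mitigate", "Transfer"} and not self.controls:
            found.append(f"{self.threat}: {self.treatment} chosen but no control listed")
        if self.treatment == "Accept" and self.level() in {"High", "Critical"}:
            found.append(f"{self.threat}: accepting a {self.level()} risk needs management sign-off")
        return found


# Constructed register: the five rows of the template above.
SAMPLE_REGISTER = [
    Risk("Production PostgreSQL database", "SQL injection", "Medium", "Critical",
         "Mitigate", ("Parameterized queries", "WAF")),
    Risk("Production PostgreSQL database", "Unauthorized access", "Low", "Critical",
         "Mitigate", ("MFA", "Network segmentation")),
    Risk("Production PostgreSQL database", "Data corruption", "Low", "Critical",
         "Mitigate", ("Regular backups", "Validation")),
    Risk("Production PostgreSQL database", "Hardware failure", "Medium", "High",
         "Transfer", ("RAID", "Replication", "SLA")),
    Risk("Production PostgreSQL database", "Ransomware", "Medium", "Critical",
         "Mitigate", ("Backups", "Training", "Anti-malware")),
]


def treatment_plan(register) -> list:
    """Rows of the treatment plan, highest score first (ties broken by threat name)."""
    ordered = sorted(register, key=lambda r: (-r.score(), r.threat))
    return [
        {"threat": r.threat, "level": r.level(), "score": r.score(),
         "treatment": r.treatment, "controls": list(r.controls)}
        for r in ordered
    ]


def validate_register(register) -> list:
    """All auditor findings across the register; an empty list means it is consistent."""
    return [p for r in register for p in r.problems()]


if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['level']:<8} {row['score']:>2}  {row['threat']:<20} "
              f"{row['treatment']:<9} {', '.join(row['controls'])}")
    # Constructed bad entry: a Critical-level risk simply marked as accepted.
    bad = Risk("Legacy file share (constructed)", "Unpatched SMB exposure", "High",
               "Critical", "Accept", ())
    for problem in validate_register(SAMPLE_REGISTER + [bad]):
        print("FINDING:", problem)
```

The template's own rows validate cleanly; the constructed extra entry shows the kind of inconsistency an internal audit (step 6) is meant to catch before the certification body does.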
## Implementation Timeline

| Phase | Duration | Activities |
|-------|----------|------------|
| Planning | 1-2 months | Scope, policy, risk assessment |
| Implementation | 3-6 months | Controls, training, documentation |
| Internal audit | 1 month | Pre-assessment, corrective actions |
| Certification | 1-2 months | External audit, certification |
| Total | 6-12 months | Full ISMS establishment |
## Summary

ISO 27001 provides a framework for managing information security. The 8-step ISMS process (scope, policy, risk assessment, treatment, controls, audit, review, certification) systematically protects organizational assets.

Key takeaways:

- ISO 27001: international ISMS standard for information security
- 8 steps: scope → policy → risk assessment → treatment → controls → internal audit → review → certification
- Annex A: 114 controls across 14 domains (access control, cryptography, incident response, etc.)
- Risk assessment: identify threats, evaluate likelihood × impact, plan treatment
- Risk treatment: mitigate, transfer, accept, or avoid
- Certification timeline: 6-12 months from planning to certified
- Benefits: customer trust, compliance, competitive advantage
- Requires continuous improvement: annual audits maintain certification

## Next Chapter: SOC 2

The next chapter covers SOC 2, the trust service criteria for service organizations.
## PDCA Cycle
ISO 27001 follows the Plan-Do-Check-Act (PDCA) continuous improvement cycle.
PLAN: Establish ISMS scope, policy, risk assessment, treatment plan
↓
DO: Implement controls, conduct training, operate ISMS
↓
CHECK: Monitor, measure, internal audit, management review
↓
ACT: Corrective actions, preventive actions, continuous improvement
↓
(cycle repeats)
## Documentation Requirements

| Document | Required? | Example |
|----------|-----------|---------|
| ISMS scope | ✅ Yes | "This ISMS covers the production systems in AWS us-east-1" |
| Security policy | ✅ Yes | "Data classification, access control, incident response policies" |
| Risk assessment | ✅ Yes | Risk register with threats, impacts, likelihoods |
| Risk treatment plan | ✅ Yes | Selected controls, responsible owners, deadlines |
| Statement of Applicability | ✅ Yes | Justification for each Annex A control |
| Internal audit plan | ✅ Yes | Audit schedule, criteria, checklist |
| Management review minutes | ✅ Yes | Review findings, decisions, action items |
| Evidence of competence | ✅ Yes | Training records, certifications |
## Common Audit Findings

| Finding Type | Example | Severity |
|-------------|---------|----------|
| Major nonconformity | No risk assessment performed | Critical |
| Minor nonconformity | Training records incomplete | Medium |
| Observation | Password policy could be stronger | Low |
| Opportunity for improvement | Automated compliance checking | Informational |
## Summary

ISO 27001 uses the PDCA cycle for continuous ISMS improvement. Documentation (scope, policy, risk assessment, SoA, audit reports) is essential for certification.

Key takeaways:

- PDCA: Plan (scope, policy, risk) → Do (implement controls) → Check (audit, review) → Act (correct)
- Key documents: ISMS scope, security policy, risk assessment, treatment plan, SoA
- Statement of Applicability: justifies inclusion/exclusion of each Annex A control
- Audit findings: major nonconformity (critical), minor (medium), observation (low)
- Certification lasts 3 years with annual surveillance audits
- Continuous improvement is mandatory, not optional
## ISO 27001 vs Other Frameworks

| Aspect | ISO 27001 | SOC 2 | PCI DSS |
|--------|-----------|-------|---------|
| Focus | ISMS process | Trust criteria | Payment security |
| Certification | Accredited cert body | CPA firm | QSA (Qualified Security Assessor) |
| Scope | Organization-wide | Service system | Cardholder data environment |
| Controls | 114 (Annex A) | 5 criteria | 12 requirements |
| Renewal | Annual + triennial | Annual | Annual |
## Internal Audit Checklist

| Area | Check | Frequency |
|------|-------|-----------|
| Access control | Are terminated users removed? | Monthly |
| Patch management | Are critical patches applied within SLA? | Weekly |
| Incident response | Were incidents documented and resolved? | After each incident |
| Security training | Did all employees complete training? | Annually |
| Backup testing | Were backups restored and verified? | Quarterly |
| Vendor reviews | Were vendor security assessments updated? | Annually |
| Risk assessment | Was risk assessment reviewed and updated? | Annually |
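Two of the checklist items above (terminated users removed, critical patches applied within SLA) can be answered from exported data rather than by hand, which is the "automated compliance checking" the audit-findings table lists as an opportunity for improvement. The script below is an added example, not code from the page: it runs both checks over constructed sample exports and produces the pass/fail evidence an internal auditor would file. The record formats, the 7-day and 30-day patch SLAs, and every host, login and patch identifier are assumptions constructed for the example.

```python
"""Automated evidence for two internal-audit checklist items.

Added example, not from the original page. Record formats, SLA values and
all sample names/identifiers are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster export: login -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": None,
    "dave": date(2024, 5, 20),
}

# Constructed IAM export: login -> whether the account is currently enabled.
IAM_ACCOUNTS = {
    "alice": True,
    "bob": True,          # terminated 2024-03-01 but still enabled -> finding
    "carol": True,
    "dave": False,        # correctly disabled after termination
    "svc-backup": True,   # not in HR roster: needs a named owner, not a person
}

# Constructed patch findings: (host, patch id, severity, released, applied-or-None).
PATCH_FINDINGS = [
    ("db-01", "PATCH-0001", "critical", date(2024, 5, 1), date(2024, 5, 5)),
    ("db-01", "PATCH-0002", "critical", date(2024, 5, 10), None),
    ("web-01", "PATCH-0003", "high", date(2024, 4, 1), date(2024, 5, 10)),
    ("web-01", "PATCH-0004", "low", date(2024, 1, 1), None),
]

# Assumed SLA in days per severity; severities not listed carry no SLA.
PATCH_SLA_DAYS = {"critical": 7, "high": 30}


def terminated_users_still_active(roster, accounts) -> list:
    """Logins whose HR record has a termination date but whose account is still enabled."""
    return sorted(login for login, enabled in accounts.items()
                  if enabled and roster.get(login) is not None)


def accounts_without_hr_record(roster, accounts) -> list:
    """Enabled accounts with no HR record at all (service accounts, leftovers)."""
    return sorted(login for login, enabled in accounts.items()
                  if enabled and login not in roster)


def overdue_patches(findings, today, sla=PATCH_SLA_DAYS) -> list:
    """(host, patch_id, days_overdue) for patches applied after their SLA deadline
    or still unapplied once the deadline has passed."""
    overdue = []
    for host, patch_id, severity, released, applied in findings:
        if severity not in sla:
            continue  # no SLA defined for this severity
        deadline = released + timedelta(days=sla[severity])
        effective = applied or today  # unapplied patches count up to today
        if effective > deadline:
            overdue.append((host, patch_id, (effective - deadline).days))
    return overdue


def audit_report(today, roster=HR_ROSTER, accounts=IAM_ACCOUNTS,
                 findings=PATCH_FINDINGS) -> dict:
    """Checklist evidence keyed by area, each with a status and its findings."""
    access = {
        "terminated_still_active": terminated_users_still_active(roster, accounts),
        "no_hr_record": accounts_without_hr_record(roster, accounts),
    }
    patches = overdue_patches(findings, today)
    return {
        "access_control": {
            "status": "FAIL" if access["terminated_still_active"] else "PASS",
            "findings": access,
        },
        "patch_management": {
            "status": "FAIL" if patches else "PASS",
            "findings": patches,
        },
    }


if __name__ == "__main__":
    report = audit_report(date(2024, 6, 1))
    for area, result in report.items():
        print(f"{area}: {result['status']}")
        print("   ", result["findings"])
```

Run at the checklist's own cadence (monthly for access control, weekly for patching), the report's output is the evidence trail the "Internal audit plan" and "Management review minutes" documents refer to; the findings are reviewed and corrected in the Act phase of PDCA.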
## Summary

ISO 27001 provides a complete ISMS framework. The PDCA cycle, Annex A controls, risk assessment, and internal audits ensure continuous improvement of information security.

Key takeaways:

- PDCA: Plan → Do → Check → Act, the continuous ISMS improvement cycle
- Annex A: 114 controls across 14 domains, selected based on the risk assessment
- Internal audit checklist: access, patching, incident response, training, backups, vendors, risk
- ISO 27001 vs SOC 2: ISO focuses on process, SOC 2 on controls evidence
- ISO 27001 vs PCI DSS: ISO covers all security, PCI covers only payment data
You have completed the ISO 27001 chapter. Next: SOC 2 trust service criteria.