ISO 27001
Vibe Prompt
"Implement ISO 27001 ISMS: scope definition, risk assessment, SoA, internal audit."
ISO 27001 Clauses
| Clause | Title | Description |
|--------|-------|-------------|
| 4 | Context | Internal/external issues, interested parties, scope |
| 5 | Leadership | Top management commitment, policy, roles |
| 6 | Planning | Risk assessment, risk treatment, SoA, objectives |
| 7 | Support | Resources, competence, awareness, communication |
| 8 | Operation | Risk treatment plan, change management |
| 9 | Evaluation | Monitoring, internal audit, management review |
| 10 | Improvement | Nonconformity, corrective action, continual improvement |
ISMS Scope Example
# ISMS Scope
## Organization:
MyApp Inc. - SaaS platform for project management
## In-Scope:
- Cloud infrastructure (AWS us-west-2)
- Web application (app.myapp.com)
- Mobile apps (iOS, Android)
- Engineering team (25 people)
## Out-of-Scope:
- Corporate finance system (QuickBooks)
- HR system (BambooHR), except its SSO integration, which is in scope
- Physical office (leased, landlord managed)
## Justification:
Our main service is SaaS. Customer data security is our top priority.
Corporate systems are out of scope because they don't process customer data.
Interfaces and dependencies between in-scope and out-of-scope components (SSO into BambooHR, AWS as the hosting supplier) are documented, as clause 4.3 requires.
Risk Assessment Template
Score = Likelihood × Impact, each rated on a 1-4 scale. The Treatment column lists the planned controls; ISO 27001 also allows a risk to be retained, avoided or shared, and the chosen option must be recorded in the risk treatment plan.
| ID | Risk | Likelihood | Impact | Score | Owner | Treatment |
|----|------|-----------|--------|-------|-------|-----------|
| R01 | Data breach | 2 (Low) | 4 (Critical) | 8 | CISO | Encryption, WAF, IDS |
| R02 | Service outage | 3 (Med) | 3 (High) | 9 | VP Eng | HA, multi-AZ, backup |
| R03 | Insider threat | 2 (Low) | 3 (High) | 6 | HR | Access review, logging |
| R04 | Compliance fail | 2 (Low) | 4 (Critical) | 8 | Legal | Automated compliance |
| R05 | Vendor lock-in | 3 (Med) | 2 (Med) | 6 | CTO | Multi-cloud strategy |
Statement of Applicability (SoA)
The SoA lists every Annex A control, whether it applies, and why (including why any control is excluded). The table below summarises by 2013 Annex A domain; a real SoA is kept at control level, and under ISO 27001:2022 it lists the 93 controls under four themes instead.
| Annex A Control | Applicable | Rationale |
|----------------|------------|-----------|
| A.5 - Security Policy | Yes | Required for governance |
| A.6 - Organization | Yes | Clear roles and responsibilities |
| A.7 - HR Security | Yes | Background checks, training |
| A.8 - Asset Management | Yes | Inventory, classification |
| A.9 - Access Control | Yes | RBAC, MFA, review |
| A.10 - Cryptography | Yes | Encryption at rest + transit |
| A.11 - Physical Security | Partially | Data-centre controls are inherited from AWS (evidence: AWS's own ISO 27001 certificate and SOC 2 reports, managed as a supplier control under A.15); controls for laptops, mobile devices and remote working still apply. Marking the whole domain "No" because of cloud hosting is a common audit finding |
| A.12 - Operations Security | Yes | Change mgmt, backup, monitoring |
| A.13 - Communications | Yes | Network security, firewall |
| A.14 - System Acquisition | Yes | SDLC, security requirements |
| A.15 - Supplier Relations | Yes | Vendor assessment, DPA |
| A.16 - Incident Management | Yes | Response plan, testing |
| A.17 - Business Continuity | Yes | DR plan, backup |
| A.18 - Compliance | Yes | Legal, regulatory requirements |
Internal Audit Checklist
# Internal Audit - Access Control (A.9)
## Checklist
Control numbers are from the 2013 Annex A. The values 90 days, 15 minutes and 12 characters are this organisation's policy thresholds, not requirements of the standard.
- [ ] 9.1.1 - Access control policy documented and approved?
- [ ] 9.1.2 - Access to networks and network services restricted per policy?
- [ ] 9.2.1 - User registration and de-registration process in place?
- [ ] 9.2.2 - Access provisioning approved by the user's manager?
- [ ] 9.2.3 - Privileged access rights restricted, with MFA enforced for privileged users?
- [ ] 9.2.5 - User access rights reviewed every 90 days?
- [ ] 9.2.6 - Access removed or adjusted on termination or role change?
- [ ] 9.4.1 - Information access restricted per classification?
- [ ] 9.4.2 - Secure log-on procedures, including session timeout after 15 minutes idle?
- [ ] 9.4.3 - Password management system enforces the password policy?
## Sample Evidence
- Dated export of the IAM user list (active vs disabled); an export is reproducible, a screenshot is not
- Password policy config (min 12 chars, special chars)
- MFA enforcement config
- Session timeout config (15 min)
- Last access review: date, reviewer, findings and resulting access changes
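The evidence above (user list, MFA state, dormant accounts, key rotation) can be pulled straight from an AWS IAM credential report instead of a screenshot. The script below is an added example, not code from the original page: it parses a credential report in the real CSV layout that `aws iam get-credential-report` returns and produces the findings an auditor would ask for under the 9.2.x checks (console users without MFA, accounts with no activity inside the 90-day review period, active access keys not rotated within that period, and root-account hygiene). The sample report, the audit date and the 90-day period are constructed for this example; the sample carries only the columns the checks use, while a real report has more columns, which the parser ignores.

```python
"""Evidence collection for the A.9 access-control audit from an AWS IAM credential report.

Added example. Inputs below are constructed; 90 days mirrors the checklist's review period.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REVIEW_PERIOD_DAYS = 90  # the organisation's own review cadence, not a value set by ISO 27001

# Constructed sample in the credential-report CSV layout (subset of the real columns).
# The account ID is a placeholder, not a real account.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-01-02T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-10T12:00:00+00:00,true,2024-05-20T07:30:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-19T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T12:00:00+00:00,true,2024-05-18T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-01-15T12:00:00+00:00,true,2023-11-01T09:00:00+00:00,true,true,2023-01-15T12:05:00+00:00,2023-12-01T09:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-09-01T12:00:00+00:00,false,no_information,false,true,2024-03-01T00:00:00+00:00,2024-05-21T03:00:00+00:00,false,N/A,N/A
"""

AS_OF = datetime(2024, 5, 22, tzinfo=timezone.utc)  # assumed audit date for the sample


@dataclass
class AuditFindings:
    no_mfa: list = field(default_factory=list)      # console users without MFA (9.2.3 / 9.4.2)
    dormant: list = field(default_factory=list)     # no activity within the review period (9.2.5 / 9.2.6)
    stale_keys: list = field(default_factory=list)  # active keys not rotated within the review period
    root: list = field(default_factory=list)        # root-account issues


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, as_of, review_days=REVIEW_PERIOD_DAYS):
    """Return AuditFindings for every principal in the report, judged as of `as_of`."""
    cutoff = as_of - timedelta(days=review_days)
    findings = AuditFindings()
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = row["password_enabled"] == "true"   # root reports not_supported here
        mfa = row["mfa_active"] == "true"
        keys = ("access_key_1", "access_key_2")
        # rotation date of each *active* key; inactive keys are not a rotation finding
        active_key_rotated = {k: parse_ts(row[f"{k}_last_rotated"])
                              for k in keys if row[f"{k}_active"] == "true"}
        key_used = [parse_ts(row[f"{k}_last_used_date"]) for k in keys]

        if user == "<root_account>":
            if not mfa:
                findings.root.append("root has no MFA")
            if active_key_rotated:
                findings.root.append("root has active access keys")
            continue

        # MFA is checked only for principals that can log on to the console;
        # a key-only service user such as ci-deploy is not an MFA finding.
        if console and not mfa:
            findings.no_mfa.append(user)

        activity = [t for t in [parse_ts(row["password_last_used"]), *key_used] if t]
        last_activity = max(activity) if activity else parse_ts(row["user_creation_time"])
        if last_activity < cutoff:
            findings.dormant.append(user)

        for key, rotated in active_key_rotated.items():
            if rotated is None or rotated < cutoff:
                findings.stale_keys.append(f"{user}/{key}")
    return findings


def render_evidence(findings, as_of):
    """Dated, reproducible evidence record for the audit file (replaces a screenshot)."""
    lines = [f"IAM access review evidence, generated {as_of.isoformat()}"]
    for name, items in (("Console users without MFA", findings.no_mfa),
                        ("Dormant accounts (de-registration candidates)", findings.dormant),
                        ("Access keys overdue for rotation", findings.stale_keys),
                        ("Root account issues", findings.root)):
        lines.append(f"{name}: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_evidence(audit_credential_report(SAMPLE_REPORT, AS_OF), AS_OF))
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report`, base64-decode the `Content` field and pass the text to `audit_credential_report` with the actual audit date; keep the rendered output with the review record rather than a screenshot.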
ISO 27001 Certification Process
Month 1-2: Gap analysis & scope definition
Month 3-4: Risk assessment & SoA
Month 5-6: Policy & control implementation
Month 7-8: Awareness training & documentation
Month 9: Internal audit & management review
Month 10: Corrective actions
Month 11: Stage 1 audit (documentation review)
Month 12: Stage 2 audit (implementation audit)
→ Certificate valid for 3 years (surveillance audits in years 1 and 2, recertification audit in year 3)
PDCA Cycle
Plan: Establish ISMS (scope, policy, risk assessment)
Do: Implement controls (policies, training, technology)
Check: Monitor, measure, audit (internal audit, metrics)
Act: Corrective actions, continual improvement
Best Practices
- Start with a clear scope (don't try to cover everything)
- Use a risk assessment tool (vs manual spreadsheets)
- Get buy-in from top management (Clause 5)
- Write policies that are actually followed
- Internal audit before certification audit
- Use PDCA: Plan → Do → Check → Act
- Automate evidence collection where possible
ISO 27001:2022 Changes
The 2022 update of ISO 27001 introduced several changes from the 2013 version.
What Changed
| Area | 2013 Version | 2022 Version |
|------|-------------|-------------|
| Controls | 114 controls | 93 controls (merged, split, added) |
| Control groups | 14 domains | 4 themes (Organizational, People, Physical, Technological) |
| New controls | - | 11 new controls (threat intelligence, cloud security, data leakage, etc.) |
| Structure | Annex A | Annex A reorganized |
11 New Controls in 2022
| Control | Theme | Description |
|---------|-------|-------------|
| 5.7 | Organizational | Threat intelligence |
| 5.23 | Organizational | Information security for use of cloud services |
| 5.30 | Organizational | ICT readiness for business continuity |
| 7.4 | People | Physical security monitoring |
| 8.9 | Technological | Configuration management |
| 8.10 | Technological | Information deletion |
| 8.11 | Technological | Data masking |
| 8.12 | Technological | Data leakage prevention |
| 8.16 | Technological | Monitoring activities |
| 8.22 | Technological | Web filtering |
| 8.28 | Technological | Secure coding |
Certification Process
graph TD
A[Gap Analysis] --> B[Scope Definition]
B --> C[Risk Assessment]
C --> D[Risk Treatment Plan]
D --> E[Control Implementation]
E --> F[Internal Audit]
F --> G[Management Review]
G --> H{Certification Audit}
H -->|Pass| I[Certificate Issued]
H -->|Fail| J[Corrective Actions]
J --> H
I --> K[Surveillance Audit - Year 1]
I --> L[Surveillance Audit - Year 2]
I --> M[Recertification - Year 3]
Summary
ISO 27001:2022 streamlines the standard with 93 controls organized into 4 themes. The certification process involves gap analysis, risk assessment, implementation, internal audit, and external certification.
Key takeaways:
- ISO 27001:2022: 93 controls (down from 114), 4 themes (Organizational, People, Physical, Technological)
- 11 new controls: threat intelligence, cloud security, data masking, secure coding, etc.
- Certification process: gap analysis → scope → risk assessment → implement → internal audit → external audit
- Surveillance audits: annually in years 1 and 2
- Recertification: required every 3 years
- New controls emphasize cloud security, threat intelligence, and data leakage prevention
- Transition from 2013 to 2022: organizations had 3 years to migrate (2013 certificates expired on 31 October 2025)
Quick Reference
| Term | Meaning |
|------|---------|
| ISMS | Information Security Management System |
| SoA | Statement of Applicability (which controls apply) |
| PDCA | Plan-Do-Check-Act (continuous improvement cycle) |
| RTP | Risk Treatment Plan (how to address each risk) |
| DPIA | Data Protection Impact Assessment |
You have completed the security compliance course. You now understand GDPR, ISO 27001, SOC 2, PCI DSS, and compliance automation.