ISO 27001

🔥 Vibe Prompt

"Implement ISO 27001 ISMS: scope definition, risk assessment, SoA, internal audit."

ISO 27001 Clauses

| Clause | Title | Description |
|--------|-------|-------------|
| 4      | Context | Internal/external issues, interested parties, scope |
| 5      | Leadership | Top management commitment, policy, roles |
| 6      | Planning | Risk assessment, risk treatment, SoA, objectives |
| 7      | Support | Resources, competence, awareness, communication |
| 8      | Operation | Operational planning and control; performing risk assessment and risk treatment; controlling planned changes |
| 9      | Performance evaluation | Monitoring and measurement, internal audit, management review |
| 10     | Improvement | Nonconformity, corrective action, continual improvement |

ISMS Scope Example

# ISMS Scope

## Organization:
MyApp Inc. - SaaS platform for project management

## In-Scope:
- Cloud infrastructure (AWS us-west-2)
- Web application (app.myapp.com)
- Mobile apps (iOS, Android)
- Engineering team (25 people)

## Out-of-Scope:
- Corporate finance system (QuickBooks)
- HR system (BambooHR) - except its SSO integration with the in-scope identity provider, which is documented as an interface
- Physical security of the office building (leased, landlord-managed access control); engineers' laptops and the office network they use remain in scope

## Justification:
Our main service is SaaS. Customer data security is our top priority.
Corporate systems are out of scope because they do not store or process customer data.
Clause 4.3 requires the scope to consider interfaces and dependencies with activities performed by other organizations, so each exclusion above names the boundary rather than just the system.

Risk Assessment Template

Score = Likelihood × Impact, both on a 1-5 scale fixed in the risk assessment method (Clause 6.1.2 requires the scales and the risk acceptance criteria to be defined before scoring so that repeated assessments give comparable results). Every risk above the acceptance threshold needs an owner and a treatment; the rows below all use "modify" (apply controls), the other ISO 27005 options being retain, avoid and share.

| ID | Risk | Likelihood | Impact | Score | Owner | Treatment |
|----|------|-----------|--------|-------|-------|-----------|
| R01 | Data breach | 2 (Low) | 4 (Critical) | 8 | CISO | Encryption, WAF, IDS |
| R02 | Service outage | 3 (Med) | 3 (High) | 9 | VP Eng | HA, multi-AZ, backup |
| R03 | Insider threat | 2 (Low) | 3 (High) | 6 | HR | Access review, logging |
| R04 | Compliance fail | 2 (Low) | 4 (Critical) | 8 | Legal | Automated compliance |
| R05 | Vendor lock-in | 3 (Med) | 2 (Med) | 6 | CTO | Multi-cloud strategy |

Statement of Applicability (SoA)

This example uses the 2013 Annex A domains. For a certificate against ISO 27001:2022 the SoA must list all 93 controls of the 2022 Annex A, with a justification for each inclusion or exclusion and whether the control is implemented (Clause 6.1.3 d).

| Annex A Control | Applicable | Rationale |
|----------------|------------|-----------|
| A.5 - Information security policies | Yes | Required for governance |
| A.6 - Organization of information security | Yes | Clear roles and responsibilities, remote working |
| A.7 - Human resource security | Yes | Background checks, training |
| A.8 - Asset management | Yes | Inventory, classification |
| A.9 - Access control | Yes | RBAC, MFA, periodic access review |
| A.10 - Cryptography | Yes | Encryption at rest and in transit |
| A.11 - Physical and environmental security | Partial | Data-centre controls inherited from AWS (evidence: AWS ISO 27001 certificate / SOC 2 report); equipment, clear desk and clear screen controls still apply to engineers' laptops |
| A.12 - Operations security | Yes | Change mgmt, backup, logging, monitoring |
| A.13 - Communications security | Yes | Network segmentation, firewalls |
| A.14 - System acquisition, development and maintenance | Yes | Secure SDLC, security requirements |
| A.15 - Supplier relationships | Yes | Vendor assessment, DPAs |
| A.16 - Information security incident management | Yes | Response plan, exercised regularly |
| A.17 - Business continuity | Yes | DR plan, backup |
| A.18 - Compliance | Yes | Legal, regulatory, contractual requirements |

Excluding a whole domain because "the cloud provider handles it" is a common Stage 1 finding: only the controls the provider actually operates can be inherited, and the SoA should name the provider report that evidences them.

Internal Audit Checklist

# Internal Audit - Access Control (A.9, ISO 27001:2013 numbering)

## Checklist
- [ ] 9.1.1 - Access control policy documented and approved?
- [ ] 9.1.2 - Access to networks and network services restricted per policy?
- [ ] 9.2.1 - User registration and de-registration process followed for joiners and leavers?
- [ ] 9.2.2 - Access provisioning approved by the system owner (or line manager)?
- [ ] 9.2.3 - Privileged access rights restricted, separately managed and time-limited?
- [ ] 9.2.5 - User access rights reviewed at least every 90 days?
- [ ] 9.2.6 - Access removed on termination and adjusted on role change?
- [ ] 9.4.3 - Password policy enforced by the password management system?
- [ ] 9.4.2 - MFA required at log-on for privileged users?
- [ ] 9.4.2 - Inactive sessions terminated after 15 minutes?
- [ ] 9.4.1 - Information access restricted per classification?

In the 2022 edition these items sit under 5.15 (Access control), 5.16 (Identity management), 5.17 (Authentication information), 5.18 (Access rights), 8.2 (Privileged access rights), 8.3 (Information access restriction) and 8.5 (Secure authentication).

## Sample Evidence
- IAM credential report export (console, MFA and access-key status per user), sampled by the auditor rather than a screenshot chosen by the auditee
- Password policy config (min 12 chars, special chars)
- MFA enforcement config (for example an IAM policy that denies requests where aws:MultiFactorAuthPresent is false)
- Session timeout config (15 min)
- Last access review: date, reviewer, findings, and the tickets that removed access
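Automating the evidence for the credential-related items above, as an added example that is not part of the original page: the script reads two artefacts in the shape AWS IAM emits (the credential report CSV returned base64-encoded by `aws iam get-credential-report`, and the JSON from `aws iam get-account-password-policy`) and turns them into findings keyed by the 2013 Annex A control number. The account ID, user names, column subset, audit date and the 90-day thresholds are constructed assumptions; in a real audit, decode the report the CLI returns and feed it in unchanged.

```python
"""Offline checker for A.9 evidence: IAM credential report + password policy."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (a subset of the real columns; the
# markers N/A, no_information and not_supported appear exactly as AWS writes them).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-02-10T10:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-04-01T10:00:00+00:00,true,true,2024-04-01T10:00:00+00:00,2024-05-29T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2022-03-15T10:00:00+00:00,true,2024-05-28T08:00:00+00:00,2023-12-01T10:00:00+00:00,false,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-06-01T10:00:00+00:00,false,N/A,N/A,false,true,2021-06-01T10:00:00+00:00,2024-05-31T08:00:00+00:00
dave,arn:aws:iam::111122223333:user/dave,2022-01-01T10:00:00+00:00,true,2023-11-01T08:00:00+00:00,2023-10-01T10:00:00+00:00,true,true,2023-10-01T10:00:00+00:00,no_information
"""

# Constructed sample in the shape of get-account-password-policy output.
PASSWORD_POLICY = {"PasswordPolicy": {"MinimumPasswordLength": 8,
                                      "RequireSymbols": True,
                                      "RequireNumbers": True,
                                      "ExpirePasswords": False}}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed audit date


def parse_ts(value):
    """Return an aware datetime, or None for the AWS 'no date' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_idle_days=90, max_key_age_days=90):
    """Map each IAM principal to checklist findings as (control, user, detail) tuples."""
    findings = []
    idle = timedelta(days=max_idle_days)
    key_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a console password even though the column says not_supported.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append(("9.4.2", user, "console access without MFA"))
        if row["password_enabled"] == "true":
            # Never-used passwords fall back to the creation date for the idle check.
            last = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
            if now - last > idle:
                findings.append(("9.2.5", user, f"console login unused for {(now - last).days} days"))
        if row["access_key_1_active"] == "true":
            rotated = parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > key_age:
                findings.append(("9.2.4", user, f"access key not rotated for {(now - rotated).days} days"))
            used = parse_ts(row["access_key_1_last_used_date"])
            if used is None or now - used > idle:
                findings.append(("9.2.5", user, "access key never used or idle beyond review period"))
    return findings


def audit_password_policy(policy, min_length=12):
    """Check the account password policy against the evidence criteria (12 chars, symbols)."""
    p = policy["PasswordPolicy"]
    findings = []
    length = p.get("MinimumPasswordLength", 0)
    if length < min_length:
        findings.append(("9.4.3", "<account>", f"minimum password length {length} < {min_length}"))
    if not p.get("RequireSymbols", False):
        findings.append(("9.4.3", "<account>", "special characters not required"))
    return findings


def run_audit():
    """All findings for the sample inputs, sorted by control number."""
    return sorted(audit_credential_report(CREDENTIAL_REPORT) + audit_password_policy(PASSWORD_POLICY))


if __name__ == "__main__":
    for control, user, detail in run_audit():
        print(f"[{control}] {user}: {detail}")
```

On the sample data the script flags bob (console without MFA), ci-deploy (key unrotated since 2021), dave (stale console login, stale and never-used key) and the account password policy (8 characters, not 12); alice and the root account are clean. Each finding carries the control number, so the output drops straight into the nonconformity register for Clause 10.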

ISO 27001 Certification Process

Month 1-2: Gap analysis & scope definition
Month 3-4: Risk assessment & SoA
Month 5-6: Policy & control implementation
Month 7-8: Awareness training & documentation
Month 9: Internal audit & management review
Month 10: Corrective actions
Month 11: Stage 1 audit (documentation review)
Month 12: Stage 2 audit (implementation audit)
→ Certificate valid for 3 years (surveillance audits annually)

PDCA Cycle

Plan:   Establish ISMS (scope, policy, risk assessment)
Do:     Implement controls (policies, training, technology)
Check:  Monitor, measure, audit (internal audit, metrics)
Act:    Corrective actions, continual improvement

Best Practices

  • Start with a clear scope (don't try to cover everything)
  • Use a risk assessment tool (vs manual spreadsheets)
  • Get buy-in from top management (Clause 5)
  • Write policies that are actually followed
  • Internal audit before certification audit
  • Use PDCA: Plan → Do → Check → Act
  • Automate evidence collection where possible

ISO 27001:2022 Changes

The 2022 update of ISO 27001 introduced several changes from the 2013 version.

What Changed

| Area | 2013 Version | 2022 Version |
|------|-------------|-------------|
| Controls | 114 controls | 93 controls (merged, split, added) |
| Control groups | 14 domains | 4 themes (Organizational, People, Physical, Technological) |
| New controls | none | 11 new controls (threat intelligence, cloud services, data leakage prevention, etc.) |
| Structure | Annex A in 14 domains | Annex A reorganized into the 4 themes |

11 New Controls in 2022

| Control | Theme | Description |
|---------|-------|-------------|
| 5.7 | Organizational | Threat intelligence |
| 5.23 | Organizational | Information security for use of cloud services |
| 5.30 | Organizational | ICT readiness for business continuity |
| 7.4 | Physical | Physical security monitoring |
| 8.9 | Technological | Configuration management |
| 8.10 | Technological | Information deletion |
| 8.11 | Technological | Data masking |
| 8.12 | Technological | Data leakage prevention |
| 8.16 | Technological | Monitoring activities |
| 8.22 | Technological | Web filtering |
| 8.28 | Technological | Secure coding |

Theme numbering in the 2022 Annex A is 5 Organizational, 6 People, 7 Physical, 8 Technological, so 7.4 is a physical control; no new control was added to the People theme.

Certification Process

graph TD
    A[Gap Analysis] --> B[Scope Definition]
    B --> C[Risk Assessment]
    C --> D[Risk Treatment Plan]
    D --> E[Control Implementation]
    E --> F[Internal Audit]
    F --> G[Management Review]
    G --> H{Certification Audit}
    H -->|Pass| I[Certificate Issued]
    H -->|Fail| J[Corrective Actions]
    J --> H
    I --> K[Surveillance Audit - Year 1]
    K --> L[Surveillance Audit - Year 2]
    L --> M[Recertification - Year 3]

Summary

ISO 27001:2022 streamlines the standard with 93 controls organized into 4 themes. The certification process involves gap analysis, risk assessment, implementation, internal audit, and external certification.

Key takeaways:
  • ISO 27001:2022: 93 controls (down from 114), 4 themes (Organizational, People, Physical, Technological)
  • 11 new controls: threat intelligence, cloud services security, data masking, secure coding, etc.
  • Certification process: gap analysis → scope → risk assessment → implement → internal audit → external audit
  • Surveillance audits: annually in years 1 and 2
  • Recertification: required every 3 years
  • New controls emphasize cloud security, threat intelligence, and data leakage prevention
  • Transition from 2013 to 2022: a three-year transition period ending 31 October 2025, after which 2013 certificates are no longer valid


Quick Reference

| Term | Meaning |
|------|---------|
| ISMS | Information Security Management System |
| SoA | Statement of Applicability (which controls apply, and why) |
| PDCA | Plan-Do-Check-Act (continuous improvement cycle) |
| RTP | Risk Treatment Plan (how to address each risk) |
| DPIA | Data Protection Impact Assessment (GDPR term) |

You have completed the security compliance course. You now understand GDPR, ISO 27001, SOC 2, PCI DSS, and compliance automation.
