What is ISO 27001 Compliance?

ISO 27000 is a collection of standards designed to provide guidance to organizations looking to implement strong cybersecurity. ISO/IEC 27001:2013 is the most well-known of these, providing companies with guidance on developing an information security management system (ISMS).

Why Does ISO 27001 Compliance Matter?

Achieving ISO 27001 compliance is important as a differentiator in the marketplace and as a foundation for complying with other mandatory requirements and standards. An organization with ISO 27001 compliance is likely more secure than one without it, and the standard provides a solid framework for building many of the security controls required by other regulations. 

What are the ISO 27001 Audit Controls?

1. Information Security Policies: This control describes how security policies should be documented and reviewed as part of the ISMS.
2. Organization of Information Security: Role responsibilities are an important part of an ISMS. This control breaks down security responsibilities across the organization, ensuring that there is clear responsibility for each task.
3. Human Resource Security: This control addresses how employees are trained on cybersecurity when starting and ending roles within an organization, including onboarding, offboarding, and changes in positions.
4. Asset Management: Data security is a primary concern of ISO 27001. This control focuses on managing access to and security of assets that impact data security, including hardware, software, and databases.
5. Access Control: This control discusses how an organization manages access to data to protect against unauthorized access to sensitive or valuable data.
6. Cryptography: Encryption is one of the most powerful tools for data protection. Companies should implement data encryption whenever possible using strong cryptographic algorithms.
7. Physical and Environmental Security: Physical access to systems can undermine digital security controls. This control focuses on securing buildings and equipment within an organization.
8. Operations Security: Operations security focuses on how the organization processes and manages data. The organization should have visibility into and control over data flows within its IT environment.
9. Communications Security: Communication systems used by an organization (email, videoconferencing, etc.) should encrypt data in transit and have strong access controls in place.
10. System Acquisition, Development and Maintenance: This control focuses on ensuring that new systems introduced into an organization’s environment do not endanger enterprise security and that existing systems are maintained in a secure state.
11. Supplier Relationships: Third-party relationships create the potential for supply chain attacks. An ISMS should include controls for tracking relationships and managing third-party risk.
12. Information Security Incident Management: The company should have processes in place to detect and manage security incidents.
13. Information Security Aspects of Business Continuity Management: In addition to security incidents, the company should be prepared to manage other events (such as fires, power outages, etc.) that could negatively impact security.
14. Compliance: As part of ISO 27001 compliance, the organization should be able to demonstrate full compliance with other mandatory regulations that the organization is subject to.