ISO/IEC 27001 is globally recognised for its excellent information security management system (ISMS). In addition, data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family.
Organisations from every sector and of all sizes use these standards to protect assets such as financial information, intellectual property, employee data and confidential third-party information.
Lawyers, law firms and other legal advocates can benefit from implementing an ISMS based on the ISO 27001 standard, as it will help mitigate many common information security risks. In addition, complying with the ISO 27001 framework can demonstrate to clients that their data is being properly protected.
In this blog post, we will discuss what ISO 27001 is, how law firms can benefit from ISO certification and some common requirements of an ISMS based on ISO 27001.
History of ISO 27001
The BSI Group originally published the BS 7799 standard in 1995. Made up of several parts, it was written by the UK government’s Department of Trade and Industry (DTI).
After a lengthy discussion in the worldwide standards bodies, ISO/IEC 17799 was revised in 1998 and eventually adopted by ISO as “Information Technology – Code of practice for information security management” in 2000. In June 2005, ISO/IEC 17799 was again revised and finally incorporated into the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
BS 7799 Part 2, titled “Information Security Management Systems – Specification with guidance for use,” was first published by BSI in 1999. BS 7799-2 focused on implementing an information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-1. It later became ISO/IEC 27001:2005 when ISO adopted BS 7799 Part 2 as ISO/IEC 27001 in November 2005. BS 7799 Part 3, published in 2005, covers risk analysis and management and is aligned with ISO/IEC 27001:2005.
There is very little reference or use of any BS standards in connection with ISO/IEC 27001.
About The ISO And IEC
The ISO/IEC 27000-series, or ‘ISMS Family of Standards,’ is a set of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series focuses on how to manage information risks and security controls through an overall Information Security Management System (ISMS), a system similar in design to the management systems for quality assurance (ISO 9000 series), environmental protection (ISO 14000 series), and so on.
The series covers various topics, including privacy, confidentiality and IT/technical/cybersecurity issues. All organisations are encouraged to assess their information risks and treat them (typically using information security controls) according to their needs, using relevant guidance and suggestions.
The ISMS concept adapts to changes in threats, vulnerabilities and impacts of incidents by incorporating continuous feedback and improvement activities.
The standards come from ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Subcommittee 27), an international body that meets twice yearly.
What is the purpose of ISO 27001?
The ISO framework encompasses a set of policies and processes that organisations can adopt to protect their information. This is done by implementing an Information Security Management System (ISMS).
ISO 27001 is a standard for an ISMS that guides organisations on how best to defend their information assets against intentional threats and accidental events. Applying it can be divided into three stages: design, implementation and operation, and assurance.
The first stage, design, is about creating the policies and procedures that help you meet your objectives. The second stage, implementation and operation, ensures those security policies are carried out daily.
In the third stage, assurance, you check the objectives you set from ISO 27001 against what is actually happening to ensure the controls work as expected.
This way, you can be confident that your data is safe no matter what stage of its life cycle – from creation through destruction.
Why is ISO 27001 standard important?
ISO 27001 is important because it helps organisations protect their sensitive information, maintain the confidentiality and integrity of data, and guard against unauthorised access.
By implementing an ISMS based on ISO 27001, organisations can also demonstrate to customers, suppliers and regulators that they take information security seriously. Additionally, it can give them a competitive edge in global markets.
ISO 27001 helps organisations protect their reputation and bottom line by preventing potentially costly security breaches.
Does ISO 27001 cover cyber security?
ISO 27001 does cover cyber security, as it is a component of overall information security. However, it is not specific to cyber security and also covers physical security measures.
Organisations can use ISO 27001 and other specific standards, such as ISO 27032, for guidelines on cyber security incident management to create a robust ISMS that addresses all aspects of information security.
ISO/IEC 27002 replaces BS 7799 Part 1 as the good security management practice standard. BS 7799-3 is the latest version of BS 7799. A reference to ISO/IEC 27002 sometimes means only ISO 17799 or only BS 7799 Part 1, and sometimes it covers both.
BS 7799 Part 1 outlines general good practices for cybersecurity management, whereas BS 7799 Parts 2 and 3 are more specific and offer a framework for certification.
ISO/IEC 27002 is a guide that is best used to help a company obtain certification for ISO/IEC 27001. The certification lasts 3 years, though some auditing organisations carry out additional audits during this period.
Does ISO 27001 cover data privacy?
ISO 27001 addresses data privacy, as protecting personal information is key to information security. The standard includes controls for ensuring compliance with relevant laws and regulations, such as those relating to the handling of personal data.
However, organisations may also consider additional measures related to specific privacy regulations, such as the General Data Protection Regulation (GDPR) in Europe. ISO/IEC 27701:2019 can provide guidelines for implementing privacy information management within an ISMS framework.
What does it mean to be ISO Certified?
Being ISO certified means that a third-party auditor has verified that an organisation’s ISMS meets the requirements of the ISO 27001 standard. This certification can give organisations credibility and demonstrate their commitment to information security.
To become certified, organisations must first document their policies and processes for managing information security risks and then undergo a rigorous audit by a certification body. They must also regularly review and update their ISMS to maintain certification.
Certification is not mandatory, but it can benefit businesses looking to attract customers or comply with regulatory requirements. It also helps ensure that they are consistently implementing effective information security measures.
How does ISO 27001 work?
Information security controls are present in the majority of enterprises.
However, without an information security management system (ISMS), controls generally lack organisation and cohesion because they were frequently created as band-aid fixes for particular problems or simply out of habit.
ISO/IEC 27001 requires management to:
- Analyse the organisation’s information security risks methodically, taking into account the impacts, threats and vulnerabilities.
- Adopt an overarching management process to ensure that the information security controls meet the organisation’s ongoing information security needs.
- Design and implement a comprehensive and coherent set of information security controls and other risk treatment methods (such as risk avoidance or risk transfer) to address unacceptable risks.
The certification auditor determines which controls will be examined as part of ISO/IEC 27001 certification.
Other standards in the ISO/IEC 27000 family, such as ISO/IEC 27005 on information security risk management, provide additional guidance for creating, implementing and running an ISMS.
What are ISO 27001 requirements?
To be ISO 27001 certified, an organisation must have a documented information security management system (ISMS) in place and consistently follow it. This ISMS should cover risk assessments, control selection and implementation, and continual review and improvement processes. The organisation must also pass an audit by a certification body to become certified.
Additionally, the ISMS must meet all of the requirements outlined in Annex A of ISO 27001, including specific controls for physical and environmental security, asset management, access control, cryptography, and supplier relationships.
Achieving ISO 27001 certification requires continuously managing information security risks and implementing effective organisational controls.
What is ISO 27001 compliance?
ISO 27001 compliance means that an organisation follows the ISO 27001 requirements and documents its security measures. This includes having an information security plan (the ISMS), managing risks regularly and implementing proper security precautions.
While certification is not required to be compliant, it shows commitment to the standard and that an independent third-party auditor has verified the organisation’s compliance.
Organisations must continually review and update their ISMS to address new or changing information security risks in order to remain compliant.
What are the three principles of ISO 27001?
1) Confidentiality: ensuring that information is accessible only to those authorised to have access
2) Integrity: protecting the accuracy and completeness of information and processing methods
3) Availability: ensuring that authorised users have access to information and systems when needed
These principles guide the implementation of an ISMS under ISO 27001.
What are the 14 domains of ISO 27001?
According to clause 6.1.3, an organisation develops a risk treatment plan to address its risks; an important element of this is selecting the proper controls. A major revision in ISO/IEC 27001:2013 is that it no longer requires (“shall”) the use of Annex A controls to manage information security risks, as the previous edition did. The prior version stipulated that any controls chosen to mitigate identified risks had to be selected from those listed in Annex A.
The old version of ISO/IEC 27001 used the Annex A controls for risk assessment, but the new version enables a simpler and more effective evaluation tailored to the organisation. This helps create a sense of ownership over risks and controls.
The 14 domains, with the number of controls under each, are:
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls, applied before, during or after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
What are the ISO 27001 controls?
ISO 27001 controls are specific measures to mitigate identified risks to information security within an organisation. These can range from physical security measures, such as video surveillance and security guards, to technical standards, like encryption and strong passwords.
The precise controls chosen will vary based on an organisation’s needs, but they should align with confidentiality, integrity, and availability principles.
ISO 27001 standards also recommend regularly reviewing and updating these controls to address new or changing risks.
How many controls does ISO 27001 have?
There are 114 controls in 14 groups and 35 control categories. The controls reflect changes to technology that have affected many organisations, such as cloud computing. However, it is still possible to be certified for ISO/IEC 27001:2013 without using any of these new controls.
What is the difference between ISO 27001 and ISMS?
ISO 27001 is a standard that defines the requirements for an Information Security Management System (ISMS). The ISMS is the framework and set of policies an organisation puts in place to manage information security risks and ensure compliance with ISO 27001.
In other words, ISO 27001 sets the guidelines for an ISMS, while the ISMS is the actual system established by an organisation to meet those guidelines.
What are the 3 ISMS security objectives?
The three security objectives are:
- Confidentiality – ensuring information is accessible only to authorised individuals
- Integrity – protecting the accuracy and completeness of information and processing methods
- Availability – ensuring that authorised users have access to information and systems when needed
Who needs ISO 27001 certification?
Any organisation that handles sensitive information, regardless of size or industry, can benefit from ISO 27001 certification. This could include companies in the financial or healthcare industries or any organisation with a customer database. Additionally, some government contracts may require ISO 27001 certification.
Certification demonstrates to customers and partners that an organisation takes information security seriously and has taken steps to protect its data. Ultimately, it helps build trust and credibility.
Importance of ISO 27001 for Law Firms
Law firms handle sensitive information daily, from client details and financial records to confidential legal documents. Therefore, law firms must maintain a high level of security for this sensitive information.
ISO 27001 certification helps protect the firm and its clients and assures them that their information is secure. In addition, some clients may require proof of ISO 27001 certification before engaging with the firm.
Overall, achieving ISO 27001 certification helps law firms ensure compliance with data privacy laws and regulations and maintain trust in their services.
How can Matrix Solutions help?
At Matrix Solutions, we offer a range of services to assist organisations in implementing and maintaining an ISMS that meets the ISO 27001 checklist. This includes gap analysis, risk assessments, internal audits, and training.
Our team of experienced consultants can guide your organisation through the certification process and ensure ongoing compliance. Contact us today to learn more about how we can help you achieve ISO 27001 certification.
Conclusion
ISO 27001 is a globally recognised standard for information security management that helps organisations protect sensitive data and build trust with clients. While it may seem daunting, certification can benefit companies in any industry.
At Matrix Solutions, we have the expertise and experience to assist your organisation in implementing an effective ISMS and achieving ISO 27001 certification. Contact us today to learn more about how we can help.
ISO 27001 FAQs
Is ISO 27001 mandatory?
No, ISO 27001 certification is not mandatory. However, it is a best practice for organisations handling sensitive information and can be required by clients or government contracts.
Can small businesses get certified for ISO 27001?
Any organisation can benefit from and achieve ISO 27001 certification regardless of size.
Are there any ongoing requirements after achieving ISO 27001 certification?
Yes, maintaining an ISMS and complying with ISO 27001 is ongoing. This includes regularly reviewing and updating policies and conducting internal audits. At Matrix Solutions, we offer services to assist with this ongoing maintenance.
What is the latest ISO 27001 standard?
The latest version of the ISO 27001 standard was released in 2013. However, organisations may still be certified under the previous 2005 version until September 2021.
Can multiple sites or divisions within an organisation be certified under one ISO 27001 certification?
Yes, as long as all sites and divisions are included in the ISMS scope and meet all certification requirements. It is important to note that each site or division may have different risks and controls, which should be addressed in the ISMS.
Is ISO 27001 better than Cyber Essentials?
This ultimately depends on the specific needs and risks of the organisation. Cyber Essentials focuses on specific technical controls for internet-based threats, while ISO 27001 is a more comprehensive approach to information security management. Ultimately, it may be beneficial for an organisation to pursue both certifications.
Can ISO 27001 certification be used as evidence for GDPR compliance?
While ISO 27001 can help with GDPR compliance, it is not sufficient on its own and should be combined with other measures, such as appropriate data protection policies and procedures. It is important to note that ISO 27001 does not address all GDPR requirements. Organisations should consult a legal expert for guidance on GDPR compliance.
What’s the difference between ISO 27001 and 27002?
ISO 27002 is a code of practice that guides the selection and implementation of specific information security controls. It complements ISO 27001, which outlines the overall framework for an ISMS. The two standards are related and can be used together to implement an effective information security management system.
Are ISO 27001 and PCI DSS compatible?
Yes, an ISMS based on ISO 27001 can assist with compliance with the Payment Card Industry Data Security Standard (PCI DSS) and other regulatory requirements. However, it is important to note that a separate assessment may still be required for specific compliance needs.
Can ISO 27001 certification be used for government contracts?
It depends on the specific requirements of the contract. It is important to consult the contracting agency and review applicable regulations or standards. In some cases, ISO 27001 certification may fulfil the information security requirements and make an organisation eligible for certain contracts. However, additional measures may also be required.
At Matrix Solutions, we have experience assisting organisations in compliance with government contracts.
What is the difference between ISO 27000 and 27001?
ISO 27000 is a series of standards related to information security management. It includes ISO 27001, which establishes the requirements for an ISMS, and other relevant standards such as ISO 27002, which gives guidance on selecting and implementing information security controls. It is important to be familiar with the various standards in this series and how they can be applied within an organisation’s overall information security programme.
Can a company achieve ISO 27001 certification without hiring a consultant?
While it may be possible for a company to achieve certification without external assistance, working with a consultant can provide valuable expertise and resources. In addition to assisting with the initial certification process, a consultant can help with ongoing maintenance and addressing non-conformities.
At Matrix Solutions, our team of experts can support your organisation in achieving and maintaining ISO 27001 certification.
Is ISO 27001 a legal requirement?
ISO 27001 is not a legal requirement in itself, but it can assist with compliance with various laws and regulations related to information security. Organisations need to be aware of applicable legal requirements and how they can align their ISMS with them. Additionally, ISO 27001 certification can demonstrate due diligence to customers and other stakeholders.