Clause-By-Clause Explanation of ISO 27001: White Paper
WHITE PAPER
In this document, you will find an explanation of each clause of ISO 27001, from clauses 4 to 10, and of the
control objectives and security controls from Annex A, to facilitate understanding of the standard. The
clauses are presented in the same order and with the same numbering as in the ISO 27001:2013 standard
itself. Furthermore, you will find links to additional learning materials such as articles and other white papers.
Please note: This white paper is not a replacement for ISO 27001 – to get the standard, visit the ISO
website: http://www.iso.org
Fortunately, there are many frameworks on the market that can help organizations to handle this
situation, among them being ISO 27001:2013.
Whether standing alone or integrated with another management system, such as ISO 9001 (Quality), ISO
22301 (Business Continuity), ISO 14001 (Environment), or OHSAS 18001 (Occupational Health and Safety),
the ISO 27001:2013 standard provides guidance and direction for how an organization, regardless of its
size and industry, should manage information security and address information security risks. This can
bring many benefits not only to the organization itself, but also to clients, suppliers, and other interested
parties.
But, for those unfamiliar with ISO standards or information security concepts, ISO 27001 may be
confusing, so we developed this white paper to help you get inside this world.
Sections 1 to 3 will cover the concepts of process, process approach, and PDCA cycle applicable to ISO
management standards, as well as the most important definitions a beginner in information security
should know.
The main content of this white paper will follow the same order and numbering as clauses 4 to 10 of ISO
27001:2013, the clauses that must be fulfilled to certify an ISMS against the standard:
Additionally, the white paper also covers the content of Annex A, the control objectives and security
controls (safeguards), numbered from A.5 to A.18.
Besides all this explanatory information, you will find throughout this white paper references to other
learning materials.
Process approach: management of a group of processes together as a system, where the interrelations
between processes are identified and the outputs of a previous process are treated as the inputs of the
following one. This approach helps ensure the results of each individual process will add business value
and contribute to achieve the final desired results.
Information security: processes, methodologies, and technologies with the objective to preserve the
confidentiality, integrity, and availability of information.
Confidentiality: property of information that it is accessible or disclosed only to authorized persons,
entities, or processes.
Availability: property of information or a resource that it is accessible and usable upon demand by an
authorized person, entity, or process. (Unlike confidentiality, availability is about access being possible
when needed, not about restricting it.)
Information security management: management of processes that cover the identification of situations
that may put information at risk, and the implementation of controls to address those risks and protect
the interest of the business and other relevant interested parties (e.g., customers, employees, etc.).
Risk assessment (RA): a process that helps identify, analyze, and evaluate risks.
Risk treatment: the application of procedures, methodologies, and technologies to modify risks.
Risk treatment plan: the document that records which treatment option and controls will be applied to
each risk, by whom, and by when.
The following diagram presents some examples of inputs, outputs, and activities involved in the risk
management process, a cornerstone of an ISO 27001 Information Security Management System. It
demonstrates how a process approach is a good way to organize and manage information security
processes so that they create value for the organization and other interested parties.
So, by adopting a process approach for information security, an organization gains a better view of
how each step contributes to the main objective of protecting information, allowing it to quickly identify
problematic points in the performance of the process.
Plan: the definition of policies, objectives, targets, controls, processes, and procedures, as well as the
performance of risk management, which support the delivery of information security aligned with the
organization's core business.
Check: the monitoring, measuring, evaluation, and review of results against the information security
policy and objectives, so that corrective and/or improvement actions can be determined and authorized.
Act: the performance of the authorized actions to ensure that information security delivers its results and
can be improved.
It should be noted that the PDCA cycle is a globally recognized management system methodology that is
used across various business management systems. Unlike the 2005 revision, ISO 27001:2013 no longer
prescribes the PDCA model explicitly (any continual improvement approach may be used), but its structure
still maps naturally onto PDCA, and applying it remains highly beneficial.
Tip: For more information on this topic, see the article: How to identify interested parties according to
ISO 27001 and ISO 22301.
Tip: For more information on this topic, see the article: How to define the ISMS scope.
For more information on this topic, please see the article: Roles and responsibilities of top management
in ISO 27001 and ISO 22301.
This clause sets out the commitments top management must demonstrate, through leadership,
involvement, and cooperation in the operation of the ISMS, by ensuring aspects such as:
alignment of the information security policy and objectives with each other, and with the strategic
policies and overall direction of the business;
integration of information security activities with other business systems where applicable;
provision of the resources needed for the ISMS to operate effectively;
understanding of the importance of information security management and of compliance with ISMS
requirements;
achievement of the ISMS objectives;
assignment of information security responsibilities to people within the ISMS, and the support,
training, and guidance they need to complete their tasks effectively;
support of the ISMS throughout its life cycle, considering a PDCA approach and continual
improvement.
5.2 Policy
Top management has the responsibility to establish an information security policy, which is aligned with
the organization’s purposes and provides a framework for setting information security objectives,
including a commitment to fulfill applicable requirements and the continual improvement of the ISMS.
The information security policy must be maintained as documented information, be communicated
within the organization, and be available to all interested parties.
For more information on this topic, please see the article: What should you write in your Information
Security Policy according to ISO 27001?
For more information on this topic, please see the article: What is the job of Chief Information Security
Officer (CISO) in ISO 27001?
6.1.1 General
This clause takes over the role of the "preventive action" requirement of the old ISO 27001:2005. The
organization must plan actions to address risks and opportunities relevant to the context of the
organization (clause 4.1) and the needs and expectations of interested parties (clause 4.2), as a way to
ensure that the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and
achieve continual improvement. The organization must also plan how these actions will be integrated
into ISMS processes, and how their effectiveness will be evaluated.
For more information on this topic, please see the article: Infographic: New ISO 27001 2013 revision –
What has changed?
The organization must define and apply an information security risk assessment process that establishes
and maintains risk acceptance criteria and criteria for performing the assessments, so that repeated
assessments produce consistent, valid, and comparable results.
The risk assessment process must include risk identification (including identifying the risk owners), risk
analysis, and risk evaluation against the defined criteria, and the process must be kept as documented
information.
For more information on this topic, please see the article: How to write ISO 27001 risk assessment
methodology.
The organization must define and apply an information security risk treatment process to select
appropriate risk treatment options and the controls necessary to implement them. The controls may come
from any source, but they must be compared with those in Annex A to verify that no necessary control has
been overlooked. The main outputs of the risk treatment process are the Statement of Applicability and
the risk treatment plan; the plan and the acceptance of the residual risks must be approved by the risk
owners. The information security risk treatment process must be kept as documented information.
For more information on this topic, please see these articles: ISO 27001 risk assessment & treatment – 6
basic steps, 4 mitigation options in risk treatment according to ISO 27001, and The importance of
Statement of Applicability for ISO 27001.
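To make the two preceding clauses concrete, here is an added example (not code from this white paper, ISO, or 27001 Academy) that runs a small risk register through assessment (6.1.2) and treatment (6.1.3) end to end. The likelihood and impact scales, the acceptance threshold, the register entries, and the four-control subset of Annex A are all constructed for illustration; an organization would substitute its own criteria and catalog. The point it shows beyond the text: fixing the scales and the acceptance criterion before scoring is what makes repeated assessments comparable, and the Statement of Applicability falls out of the treatment decisions rather than being written separately.

```python
"""Risk assessment (6.1.2) and risk treatment (6.1.3) worked end to end.

Added example for this white paper; not code from the paper or from ISO.
Scales, threshold, register entries and the Annex A subset are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# 6.1.2 a): criteria are fixed BEFORE assessing, so repeated runs are comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_ACCEPTANCE_THRESHOLD = 8  # constructed: a score <= 8 may be retained by the risk owner

# Constructed subset of Annex A (2013) control titles used by this example.
ANNEX_A = {
    "A.9.4.3": "Password management system",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str                 # risk owner who approves the treatment and residual risk
    likelihood: str
    impact: str
    controls: tuple = ()       # Annex A ids selected when the option is "modify"
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    option: Optional[str] = None  # "avoid" or "share" overrides the default "modify"


def score(likelihood: str, impact: str) -> int:
    """Risk analysis: likelihood x impact on the agreed scales. A level outside the
    scales is an error, not a guess; that is what keeps two assessments comparable."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"level outside agreed scales: {likelihood!r}, {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def treat(risk: Risk) -> dict:
    """Risk evaluation and the treatment decision for one register entry."""
    inherent = score(risk.likelihood, risk.impact)
    entry = {"risk_id": risk.risk_id, "owner": risk.owner, "inherent": inherent}
    if inherent <= RISK_ACCEPTANCE_THRESHOLD:          # within acceptance criteria
        entry.update(treatment="retain", residual=inherent, accepted=True)
        return entry
    if risk.option in ("avoid", "share"):              # the other two treatment options
        entry.update(treatment=risk.option, controls=(), residual=None, accepted=None)
        return entry
    unknown = [c for c in risk.controls if c not in ANNEX_A]
    if not risk.controls or unknown:
        # 6.1.3 c): chosen controls are checked against Annex A so nothing is overlooked
        entry.update(treatment="modify", controls=risk.controls, residual=None,
                     accepted=False, note=f"controls missing or not in Annex A: {unknown}")
        return entry
    residual = score(risk.residual_likelihood, risk.residual_impact)
    entry.update(treatment="modify", controls=risk.controls, residual=residual,
                 accepted=residual <= RISK_ACCEPTANCE_THRESHOLD)  # False => escalate to owner
    return entry


def risk_treatment_plan(register: list) -> list:
    """6.1.3 e): one plan entry per risk, to be approved by the risk owners."""
    return [treat(r) for r in register]


def statement_of_applicability(plan: list) -> dict:
    """6.1.3 d): every Annex A control, whether it applies, and the justification."""
    used: dict = {}
    for e in plan:
        for c in e.get("controls", ()):
            used.setdefault(c, []).append(e["risk_id"])
    return {cid: {"title": title, "applicable": cid in used,
                  "justification": (f"treats {', '.join(used[cid])}" if cid in used
                                    else "no risk in the register requires it")}
            for cid, title in ANNEX_A.items()}


# Constructed register (not any real organization's data).
REGISTER = [
    Risk("R-01", "customer database", "SQL injection by external attacker",
         "unpatched web application", "Head of Engineering", "likely", "major",
         controls=("A.12.6.1",), residual_likelihood="unlikely", residual_impact="major"),
    Risk("R-02", "backup media", "theft from off-site storage", "media not encrypted",
         "IT Manager", "possible", "severe",
         controls=("A.10.1.1",), residual_likelihood="possible", residual_impact="minor"),
    Risk("R-03", "office printers", "paper jam", "aging hardware", "Facilities",
         "likely", "negligible"),
    Risk("R-04", "staff laptops", "loss in transit", "no full-disk encryption",
         "IT Manager", "likely", "moderate",
         controls=("A.10.1.1",), residual_likelihood="possible", residual_impact="moderate"),
    Risk("R-05", "legacy shared hosting", "tenant compromise", "end-of-life platform",
         "CTO", "almost certain", "severe", option="avoid"),
]

if __name__ == "__main__":
    plan = risk_treatment_plan(REGISTER)
    for e in plan:
        print(e)
    for cid, row in statement_of_applicability(plan).items():
        print(cid, row)
```

Running it shows R-04 with `accepted=False`: the selected control leaves the residual score above the acceptance threshold, so the plan cannot simply be signed off and the risk owner must either add controls or explicitly accept the higher residual risk. Controls that appear in no treatment decision are listed in the Statement of Applicability as not applicable with a justification, which is the evidence an auditor asks for.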
Information security objectives must be established and communicated at the relevant functions and
levels. They must be consistent with the information security policy, be measurable where practicable,
and take into account the applicable information security requirements and the results of risk assessment
and risk treatment. The objectives must be updated as appropriate.
When planning how to achieve them, the organization must determine what will be done, what resources
are required, who is responsible, when the objectives will be completed, and how the results will be
evaluated, so that achievement can be verified and the objectives updated when circumstances require.
Again, it is mandatory that documented information on the information security objectives is retained.
For more help with information security objectives and how to plan and achieve them, please see the
article: ISO 27001 control objectives – Why are they important?
7.1 Resources
No mystery here: the standard states that the organization must determine and provide the resources
needed to establish, implement, maintain, and continually improve the ISMS.
7.2 Competence
The organization must determine the competence needed by the people under its control whose work
affects information security performance, and ensure that they actually have it, so that their
performance does not negatively affect the ISMS. Competence can be demonstrated by experience,
training, and/or education relevant to the assumed tasks. Where competence is insufficient, actions such
as training must be identified and delivered, and their effectiveness evaluated to confirm that the
required level of competence was reached. Evidence of competence is another item that must be
retained as documented information for the ISMS.
For more help with information security training, please see the article: How to perform training &
awareness for ISO 27001 and ISO 22301.
7.3 Awareness
Awareness is closely related to competence in the standard. People who work under the organization's
control must be made aware of the information security policy, of their own contribution to the
effectiveness of the ISMS and the benefits of improved information security performance, and of the
implications of not conforming with the ISMS requirements.
7.4 Communication
The internal and external communications relevant to the ISMS must be determined, together with the
processes by which they will be carried out: what needs to be communicated, when, by whom, to whom,
and through which process. See also: How to create a Communication Plan according to ISO 27001.
7.5.1 General
“Documented information,” which you will see mentioned several times during this white paper, now
covers both the “documents” and “records” concepts seen in the previous revision of the ISO 27001
standard.
This change was designed to facilitate the management of documents and records required by the
standard, as well as those viewed as critical by the organization to the ISMS and its operation. It should
also be noted that the amount and coverage of documented information that an organization requires
will differ, according to its size, activities, products, services, complexity of processes and their
interrelations, and people’s competence.
To learn more about this topic, please see the article: List of mandatory documents required by ISO 27001
(2013 revision).
The standard requires that documented information created or updated within the scope of the ISMS be
properly identified and described (e.g., title, date, author, reference number), presented in a suitable
format and on suitable media, and reviewed and approved for suitability and adequacy before use.
Documented information required by the ISMS and by the standard itself, whether of internal or external
origin, must be available and suitable for use where and when needed, and adequately protected, for
example against loss of confidentiality, improper use, or loss of integrity.
For the proper control of documented information, the organization must address, as applicable, its
distribution, access, retrieval, and use; its storage and preservation, including preservation of legibility;
control of changes, including version control; and retention and disposition.
See also: Document management in ISO 27001 & BS 25999-2 and Records management in ISO 27001 and
ISO 22301.
You can use this free ISO online tool for handling your documentation, i.e., using it as a document
management system (DMS).
Because the ISMS is focused on keeping information secure, its operational planning and control must
also cover the control of planned changes and the review of the consequences of unintended changes, so
that action can be taken to mitigate any adverse effects. Outsourced processes must also be determined
and controlled.
For more information on this topic, please see the article: ISO 27001 risk assessment: How to match
assets, threats and vulnerabilities.
For more information on this topic, please see the article: Risk Treatment Plan and risk treatment process
– What’s the difference?
The methods established should take into consideration what needs to be monitored and measured, the
methods that ensure valid and comparable results, when monitoring and measurement are performed,
who performs them, and when and by whom the results are analyzed and evaluated. It should also be
noted that the results must be retained as documented information, both as evidence of performance and
as a source for subsequent corrective actions.
Auditors must be selected, and audits conducted, so as to ensure objectivity and impartiality: auditors
should be independent of the activity being audited and have no conflict of interest over the audit subject.
Audit results must be reported to relevant management, and nonconformities must be brought to the
attention of the responsible managers, who in turn must ensure that any corrective actions needed are
implemented in a timely manner. Finally, the effectiveness of the corrective actions taken must be
verified, typically in a follow-up audit.
To learn more about this topic, please see the article: How to make an Internal Audit checklist for ISO
27001 / ISO 22301.
This short handbook will give you expert guidance: ISO Internal Audit: A Plain English Guide.
Lastly, for more information about internal audit, see this free online training: ISO 27001:2013 Internal
Auditor Course.
It must be performed at planned intervals, at the top management level and in a strategic manner,
covering the required inputs either all at once or in parts, in whatever way best suits the business.
Top management must review the status of actions from previous reviews, changes in external and
internal issues relevant to the ISMS, information security performance (including nonconformities and
corrective actions, monitoring and measurement results, audit results, and fulfilment of objectives),
feedback from interested parties, the results of risk assessment and the status of the risk treatment plan,
and opportunities for continual improvement, so that relevant adjustments and improvements can be
decided and implemented.
The management review is the function most relevant to the continuity of an ISMS, because of top
management's direct involvement. Its outputs, i.e., the decisions on improvement opportunities and any
needs for changes to the ISMS, must be retained as documented information, so that the ISMS can
follow the specific requirements and general strategic direction for the organization set out there.
Tip: For more details on this topic, please see the article: Why is management review important for ISO
27001 and ISO 22301?
The effectiveness of any corrective action taken must be evaluated, and documented information must be
retained on the nature of the nonconformity and any subsequent actions taken, as well as on the results of
the corrective action.
For more detail on this subject, please take a look at the article: Practical use of corrective actions for ISO
27001 and ISO 22301.
For more detail on this subject, please take a look at the article: Achieving continual improvement through
the use of maturity models.
A.10. Cryptography
The controls in this section aim to ensure proper and effective use of cryptography to protect the
confidentiality, authenticity, and/or integrity of information, through a policy on the use of cryptographic
controls and the management of cryptographic keys throughout their life cycle.
For more detail on this subject, please take a look at the article: How to use the cryptography according
to ISO 27001 control A.10.
How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1
How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2
Physical security in ISO 27001: How to protect the secure areas
How to protect against external and environmental threats according to ISO 27001 A.11.1.4
Secure equipment and media disposal according to ISO 27001
Clear desk and clear screen policy – What does ISO 27001 require?
How to use ISO 22301 for the implementation of business continuity in ISO 27001
How to implement business impact analysis (BIA) according to ISO 22301
Business continuity plan: How to structure it according to ISO 22301
How to perform business continuity exercising and testing according to ISO 22301
Understanding IT disaster recovery according to ISO 27031
If you need expert guidance on the ISO 27001 security controls, please take a look at the short
handbook ISO 27001 Annex A Controls in Plain English.
Certification and compliance can bring reputational, motivational, and financial benefits to your
organization: customers gain greater confidence that you can protect their information at agreed security
levels, and the security of your supply chain improves. All of these elements are closely related to your
organization's ability to satisfy its customers and to fulfil the expectations of its stakeholders, while
protecting its capacity to do business in the long run. Bearing all this in mind, can your organization
afford not to have ISO 27001:2013?
References
27001 Academy