This blog post was authored by Ragini Gurumurthy, Junior CTI Analyst, and Roy Liebermann, Head of Customer Success.
There is no doubt that in the world of cybersecurity, compliance with security frameworks and standards plays an ever-increasing role. Among the frameworks available, the ISO standards, particularly those for information security, are some of the most prominent in the cybersecurity landscape, and training courses exist for becoming certified in or knowledgeable about them. Among the various ISO frameworks, the most prominent is the ISO 27001 standard.
The ISO 27001 standard is the world’s best-known standard for Information Security Management Systems (ISMS). As new cyber threats emerge, bringing with them a plethora of new cyber-crime, this framework helps organisations that operate an ISMS become risk-aware and proactively identify and address their weaknesses.
While trying to understand the standard, it soon became apparent that there are several sections to work through before the overall flow becomes clear.
As a CTI analyst, I decided to write a short, summarised blog about ISO 27001’s structure and its components.
ISO 27001 Controls’ Structure (2022 Version)
Within this framework, there are three main components. They are:
ISO 27001
Annex A of ISO 27001
ISO 27002
ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. It explains how companies operating an ISMS are expected to build a compliant one. Typically, companies aim to get certified in ISO 27001. Certification is widely accepted in the industry as proof to clients that their data will be handled securely, and because the standard is internationally respected, certification is also a way for an organisation to expand its reach.
The contents of ISO 27001 detail the responsibilities of the organisation and are divided into 10 clauses (in the 2022 version). Clauses 0-3 are formalities; the clauses that matter for certification are 4 through 10.
Under its purview is Annex A. Although Annex A technically belongs to ISO 27001, it is worth discussing separately. Annex A provides a comprehensive list of controls and security measures. From the annex, the company can choose to implement whichever controls are relevant to the risks it has identified in its ISMS. This selection of controls is documented in the Statement of Applicability (SoA).
To be considered certified for ISO 27001, an organisation must meet requirements from clauses 4-10 and have an SoA.
Here is a rough diagram detailing the breakdown of ISO 27001.
Fig 1: A rough representation of ISO 27001 and Annex A components. Credits to the original source.
Lastly, the final part is ISO 27002. When first encountering it (as a CTI analyst), it was easy to mistake it for a completely separate framework serving some other standard or cybersecurity function. However, for those new to or unfamiliar with ISO frameworks, it is best understood as a component under ISO 27001.
ISO 27002 is a more detailed treatment of the controls from Annex A. It expands on each control, giving its objective, how it is meant to work, and what companies should do to implement it successfully. It is not a standard but a set of guidelines and techniques; therefore, an organisation cannot get certified in ISO 27002. ISO 27002 should be consulted when an organisation is ready to implement specific security controls to safeguard its ISMS from particular risks.
However, there is a small catch. While the controls selected from Annex A must be fulfilled to become certified, an organisation need not implement a control in exactly the way ISO 27002 describes. If the organisation’s own method of implementing the control ultimately mitigates the risk, that is considered sufficient.
Fig 2: A rough representation of ISO 27002 components. Credits to the original source.
That is a rough summary of the differences between the components of the ISO 27001 standard. In a sentence each, they can be summarised as:
ISO 27001 outlines the requirements to build an ISMS.
ISO 27001’s Annex A lists the controls that protect the ISMS.
ISO 27002 provides suggested ways of implementing the controls from Annex A.
And that is a summarised view of the ISO 27001 standard’s framework, from a CTI analyst’s point of view.
To our audience, writing about the ISO 27001 standard might seem unusual coming from Elemendar, as we have leaned more towards cyber threats and the intelligence around them. However, we recognise another pillar in the cyber realm that aims to reduce an organisation’s exposure to cyber threats: the cyber risk pillar. Where these two pillars collaborate, they connect cyber threats, the risk those threats pose to an organisation, and the controls that could mitigate that risk. With the goal of mapping threats to risk, understanding what a control framework is and what it comprises helps a threat analyst see how controls are put in place to handle the risks introduced by cyber threats. One closing thought from an analyst: although a standard exists, its recommended controls are discretionary.
In that case, while standards help an organisation become compliant, does that equate to becoming secure?