
1. Who is ISO?

ISO (International Organization for Standardization) is an independent, non-governmental international organization based in Geneva, Switzerland, with a membership of 168 national standards bodies.

Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. 

ISO has a General Assembly, which is the overarching organ and ultimate authority of the organization. It is an annual meeting attended by our members and our Principal Officers. And there is the ISO Council, which is "...the core governance body of the organization and reports to the General Assembly. It meets three times a year and is made up of 20 member bodies, the ISO Officers and the Chairs of the Policy Development Committees CASCO, COPOLCO and DEVCO. The Council has direct responsibility over a number of bodies reporting to Council...".

ISO is a network of national standards bodies that represent ISO in their country.  There are three member categories, each enjoying different levels of access and influence over the ISO system.

Source: https://www.iso.org/structure.html

2. Who is ANSI?

The American National Standards Institute (ANSI) is the U.S. member body to ISO and, via its U.S. National Committee, the International Electrotechnical Commission (IEC). ANSI is also a member of the International Accreditation Forum (IAF). 

More specifically, ANSI is the sole U.S. representative and dues-paying full member of ISO, and, as a founding member, plays an active role in ISO’s governance and technical work. Through ANSI, the U.S. has immediate access to the ISO standards development processes.

Note that ANSI does not write standards; rather, the Institute accredits standards developers that will establish consensus among qualified groups.  ANSI also coordinates U.S. standards with international standards so that American products can be used worldwide. 

ANSI accredits standards that are developed by representatives of other standards organizations, government agencies, consumer groups, companies, and others. These standards ensure that the characteristics and performance of products are consistent, that people use the same definitions and terms, and that products are tested the same way. ANSI also accredits organizations that carry out product or personnel certification in accordance with requirements defined in international standards.

Though all American National Standards (ANS) are developed as voluntary documents, U.S. federal, state, or local bodies are increasingly referring to ANS for regulatory or procurement purposes. Many ANS are also national adoptions of globally relevant international standards.

Source: ISO Introduction (ansi.org)  

3. Who is the ANAB?

The ANSI National Accreditation Board (ANAB) is the largest multidisciplinary accreditation body in North America, with more than 2,500 organizations accredited in approximately 80 countries. ANAB is a non-governmental organization that provides accreditation services to public and private sector organizations and is owned by the American National Standards Institute (ANSI).

ANAB assesses and accredits certification bodies (CBs) that demonstrate competence to audit and certify organizations conforming to management systems standards, such as for ISO 27001. Thus, if you want to become an ISO 27001 certification body and issue certificates to organizations seeking actual ‘certification’ against the ISO 27001 standard, you must go through the process to become an ANAB-accredited Certification Body (CB).

Source: About ANAB | Multi-disciplinary Accreditation (ansi.org)

4. Who is BSI?

The British Standards Institution (BSI) was established in 1901 as the Engineering Standards Committee - the world's first National Standards Body. A Royal Charter was granted in 1929, with the organization's aims and objectives including: 

The British Standards Institution was adopted as the organization name in 1931. BSI has a Memorandum of Understanding with the UK Government, which establishes the position of BSI as the recognized UK National Standards Body. BSI’s ESSAC (Electrotechnical Standardization Strategic Advisory Council) is the national committee of the IEC for the UK.  BSI is a non-profit distributing organization and offers global services in the linked fields of standardization, systems assessment, product certification, training and advisory services.

Source: ISO - BSI - British Standards Institution

5. Who is UKAS?

The national accreditation organization for the UK is called the United Kingdom Accreditation Service (UKAS). Its goal is to promote trust and confidence in frequently used goods and services.

Obtaining UKAS accreditation has advantages for CBs because it shows the evaluators are capable, competent, and impartial. UKAS basically presents itself as "checking the checkers," allowing certified firms to give their clients a higher level of confidence in the security of their data.

Although there are other accreditation organizations spread across the globe, the three described here barely differ from one another. This is because CBs are recognized across all accreditation bodies based on their alignment with the checks and balances provided by groups like the IAF.

Source: https://www.ukas.com

6. Who is the RvA?

The accreditation body in the Netherlands is the Dutch Accreditation Council (RvA) (it should be noted that every member state of the European Union has its own accreditation organization). Creating a foundation for justified confidence in the caliber of goods and services is the RvA's main goal. This is accomplished through "accrediting and renewing the accreditations of conformity-assessment bodies."

Greater trust and more prospects for international trade are two advantages of an RvA accreditation for CBs, given that the accreditation mark is acknowledged and recognized globally.

Source: https://www.rva.nl/en


7. Who is the IAF?

National accreditation organizations like ANAB, RvA, and UKAS are governed by the International Accreditation Forum (IAF). Its main goal is to "develop a single, global conformity assessment program that reduces risk for businesses and their customers by ensuring that they can rely on accredited certificates and validation and verification statements."

In essence, the IAF monitors the operations of the accreditation bodies to make sure they uphold the necessary criteria while accrediting CBs.

The majority of accrediting organizations are represented in the IAF and are dedicated to maintaining the reliability and legitimacy of accreditation organizations in their efforts to provide certificates to CBs.

Source: https://iaf.nu/en/home


8. What is ISO/IEC 27001?

ISO/IEC 27001 is without question the most widely used and recognized standard for information security management systems (ISMS) in the world. ISO 27001, first published in October 2005 and revised in October 2013, was the first standard in the ISO 27000 series of standards for information security or cybersecurity. The current version is called ISO 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Within ISO 27001:2022 are “...requirements for establishing, implementing, maintaining and continually improving an information security management system.”

Companies of every size and from all industries can and do use the ISO/IEC 27001 standard as a guide for creating, implementing, maintaining, and continuously improving an information security management system (ISMS).

A firm or organization that complies with ISO/IEC 27001 is one that has successfully implemented a system to manage risks relating to the security of data that it owns or handles, and that system adheres to all the best practices and guiding principles outlined in the International Standard itself.  

In short, there’s no other standard that comes close to the respect, recognition, and acceptance of ISO 27001 regarding an ISMS.

Source: https://www.iso.org/standard/27001

9. What is ISO/IEC 27002:2022?

ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls, "provides a reference set of generic information security controls including implementation guidance to be used by organizations:

  a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
  b) for implementing information security controls based on internationally recognized best practices;
  c) for developing organization-specific information security management guidelines."

Source: https://www.iso.org/standard/75652.html


10. Who develops the ISO/IEC 27000 family of standards?

ISO/IEC joint technical committee (JTC) 1/ subcommittee (SC) 27 develops standards, technical specifications and reports, best practices and related documents for ISO/IEC 27001.  SC 27 standards consider the rapid advances in technology and the ever-changing digital world, and challenges of cyber risks.  Therefore, such standards are designed to meet the expectations and requirements for organizations of all sizes, and across all types of business sectors.

Sources: Home - JTC 1 (jtc1info.org), About (iso.org)

11. What specific ISO/IEC 27001 services do you offer?

We offer the following services and solutions for ISO 27001/27002/27701/22301:

  • Micro-Assessments
  • Scoping & Gap Assessments
  • Risk Assessments
  • Remediation & Implementation
  • Continuous Monitoring Programs
  • Internal Audit Programs
  • Statement of Applicability (SoA)
  • Third-Party Risk Management
  • RFP for ISO CB
  • ISO/IEC 27701
  • ISO/IEC 22301
  • Training
  • Data Privacy
  • Outsourced DPO
  • Penetration Testing

Additionally, we also offer industry leading ISMS templates for helping organizations develop all required security and privacy policies, procedures, programs, and plans as necessary for ISO/IEC 27001.

12. What is the most time-consuming and demanding aspect of obtaining ISO/IEC 27001 certification?

In our opinion, developing all required security policies and procedures, along with implementing many programs (i.e., developing an internal audit program, continuous monitoring initiatives, etc.) and other initiatives, is often the most time-consuming aspect of an organization’s ISO/IEC 27001 journey. With MorganHill, we offer industry leading ISMS templates for helping organizations develop all required security and privacy policies, procedures, programs, and plans as necessary for ISO/IEC 27001.

Additionally, we offer remediation services for helping organizations “implement” the necessary controls for ensuring they develop a well-established Information Security Management System (ISMS) as required by ISO/IEC 27001.

13. What is the cost for earning ISO/IEC 27001 certification?

This is a difficult question to answer, as all organizations have varying issues and needs. With that said, all of our services are priced at fixed fees. The best avenue for determining price is to begin with our ISO/IEC 27001 Micro-Assessment services.

MorganHill’s Micro-Assessment services offer a quick study of an organization’s overall readiness and ability to begin the process of moving forward with the ultimate goal of ISO/IEC 27001 certification.  For any organization wanting a clear, transparent, and honest initial assessment of their environment, the Micro-Assessment is a viable option. 

14. How long does it take to earn ISO/IEC 27001 certification?

It all depends on the organization's willingness to commit considerable resources to an ISO/IEC 27001 engagement. From our perspective, all the up-front, pre-certification ISO/IEC 27001 work can take anywhere from 2 to 6 months, or even longer. Many factors come into play, such as the following:

  • Senior leadership buy-in and support.
  • Scope and overall complexity of the environment to be assessed.
  • Maturity, or lack thereof, of current security controls.

In all, expect your ISO/IEC 27001 journey - from an initial gap assessment to final certification - to be a 9-to-12-month exercise.

We recommend our Micro-Assessment services - a quick-study of an organization’s overall readiness and ability to begin the process of moving forward with the goal of ISO/IEC 27001 certification.  For any organization wanting a clear, transparent, and honest initial assessment of their environment, the Micro-Assessment is a viable option. 

15. What’s the difference between ISO/IEC 27001 ‘compliance’ and ISO/IEC 27001 ‘certification’?

ISO/IEC 27001 certification means that a third-party certification body (CB) has independently validated that an organization conforms to the actual ISO/IEC 27001 standard established by the International Organization for Standardization (ISO).

ISO/IEC 27001 compliance means that companies adhere to the requirements of the ISO/IEC 27001 standard without the formal certification and recertification processes from an actual certification body (CB).

Many organizations find immense value in working towards ISO/IEC 27001 ‘compliance’, opting not to seek ISO/IEC 27001 ‘certification’ because of cost and resource factors. 

16. What are the different types of audits that need to be performed for ISO/IEC 27001?

Initial Certification Audit: This is the first audit conducted by an accredited certification body to assess an organization's Information Security Management System (ISMS) against the requirements of the ISO 27001 standard. The objective is to determine if the organization's ISMS meets the standard's requirements and is ready for certification. Within the initial Certification Audit, there are two stages that are performed - a Stage 1 and a Stage 2.

  • Stage 1: Includes an assessment process of ISO/IEC 27001 clauses 4-10 and an organization’s readiness for stage 2. Stage 1 typically takes two to three days to complete and is seen as a tabletop exercise and a documentation review of an organization’s policies, procedures, programs, plans, and other related artifacts.

  • Stage 2: Includes an assessment of the in-scope controls to determine their implementation - more specifically - that such controls are functioning and operating as intended.

Look at Stage 1 as a document and process review audit, whereas Stage 2 is a full system review audit. Both stages are important, but both are quite different.

Surveillance Audit: Surveillance audits are conducted periodically (e.g., annually) by the certification body to ensure ongoing compliance and maintenance of the ISO 27001 certification. The scope of surveillance audits focuses on verifying the effectiveness and conformity of the ISMS and may include a sampling approach to cover various aspects of the organization's operations.

Re-certification Audit: Re-certification audits are conducted at the end of the certification cycle, typically every three years, to renew the ISO 27001 certification. These audits are similar to the initial certification audit and evaluate the organization's ISMS against the ISO 27001 standard to ensure continued compliance.

Internal Audit: Internal audits are performed by the organization's internal audit team or an independent internal auditor to assess the effectiveness and compliance of the ISMS. The purpose is to identify any non-conformities, gaps, or areas for improvement before the external certification audits. Internal audits are an essential part of the ongoing monitoring and maintenance of the ISMS.

17. What is an ISO/IEC 27001 Surveillance audit?

An ISO/IEC 27001 surveillance audit is a periodic assessment conducted by an accredited certification body to verify that an organization's Information Security Management System (ISMS) continues to meet the requirements of the ISO 27001 standard. It is part of the ongoing certification process to ensure that the organization maintains compliance with the standard over time.

It is important to note that surveillance audits are separate from recertification audits, which occur at the end of the certification cycle to renew the ISO 27001 certification. Surveillance audits provide ongoing oversight and monitoring of the organization's compliance between the re-certification audits.

The types of ISO/IEC 27001 audits are the following:

  • Initial Certification Audit, Stage 1 and Stage 2.
  • Internal Audit
  • Surveillance Audit
  • Re-certification Audit

18. What is an ISO/IEC 27001 Internal Audit?

An ISO/IEC 27001 internal audit is a systematic and independent examination of an organization's information security management system (ISMS) to assess its compliance with the requirements of the ISO/IEC 27001 standard. The internal audit is conducted by trained individuals within the organization, referred to as internal auditors, who are independent of the areas being audited.

The purpose of an ISO/IEC 27001 internal audit is to evaluate the effectiveness, adequacy, and implementation of the ISMS controls and processes. It helps identify areas of non-compliance, weaknesses, and opportunities for improvement within the organization's information security practices.

MorganHill offers an industry-leading ISMS 27001 Internal Audit Program for download. 

19. What is an ANAB certification body?

It is an organization that ANAB has assessed and accredited as a certification body (CB) because it demonstrates competence to audit and certify organizations conforming to management systems standards. Accreditation by a recognized and respected body such as ANAB ensures the impartiality and competence of the CB and fosters confidence in, and acceptance of, the CB's certifications by end users in the public and private sectors.

20. Can you help us find an ANAB-accredited certification body for ISO 27001?

Yes, we can. Our ISO RFP for CB service is a great way of helping find the very best Certification Body (CB) for your organization. It’s important to take the time to find the very best CB for your organization, as the wrong choice can cost you both time and money.

21. What are the main differences between the ISO 27001 publication and the ISO 27002 publication?

ISO/IEC 27001 is a standard for cybersecurity and for developing and implementing what’s known as an Information Security Management System (ISMS). ISO/IEC 27002 is a supporting, supplementary, reference standard that guides how the information security controls can be chosen and, ultimately, implemented. Look at ISO/IEC 27001 as the blueprint for developing and implementing an Information Security Management System (ISMS). Look at ISO/IEC 27002 as the reference document that contains all of the ninety-three (93) controls in Annex A that organizations should consider for the scope of their ISMS.

22. What is the importance of ISO/IEC 27701:2019?

ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. With growing privacy concerns, PIMS-related requirements are becoming increasingly important for organizations.

Simply put, ISO/IEC 27701:2019 is an important standard because it addresses the growing need for organizations to effectively manage privacy risks and comply with privacy regulations while managing personal data.

Here are some reasons why ISO/IEC 27701:2019 is important:

  • Privacy Compliance: ISO/IEC 27701 helps organizations align their privacy practices with regulatory requirements.

  • Data Breach Prevention: ISO/IEC 27701 provides guidelines for identifying and mitigating privacy risks, which helps in preventing data breaches and unauthorized access to personal data.

  • Enhanced Consumer Trust: Adhering to ISO/IEC 27701 principles can help organizations build stronger relationships with their customers and stakeholders.

  • Global Applicability: ISO/IEC standards are globally recognized and accepted. Implementing ISO/IEC 27701 can help organizations ensure consistent privacy practices across borders, particularly for multinational companies dealing with data from different regions.

  • Integration with Information Security Management: ISO/IEC 27701 aligns with the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management.

  • Third-Party Assurance: Organizations often need to demonstrate their commitment to privacy and security to partners, customers, and regulators. ISO/IEC 27701 provides a framework for obtaining third-party assurance that the organization's privacy management practices are robust and effective.

  • Risk Management: The standard guides organizations in conducting privacy impact assessments and managing risks related to the processing of personal data. This proactive approach helps organizations identify and address potential privacy risks early in the process.

  • Clear Accountability: ISO/IEC 27701 defines roles and responsibilities for managing privacy within the organization.

  • Continuous Improvement: The standard emphasizes the importance of ongoing monitoring, evaluation, and improvement of the privacy management program. This ensures that privacy practices stay up-to-date and effective over time.

  • Efficiency and Cost Savings: Implementing a structured privacy management system as per ISO/IEC 27701 can lead to increased efficiency in managing personal data.

23. How long is an ISO/IEC 27001 certification good for?

Once certification is achieved, it is valid for three years. However, the ISMS must be managed and maintained throughout that period, for which the following audits must be performed:

  • Surveillance Audit: Surveillance audits are conducted periodically (e.g., annually) by the certification body to ensure ongoing compliance and maintenance of the ISO/IEC 27001 certification.
  • Re-certification Audit: Re-certification audits are conducted at the end of the certification cycle, typically every three years, to renew the ISO/IEC 27001 certification.
  • Internal Audit: Internal audits are performed by the organization's internal audit team or an independent internal auditor to assess the effectiveness and compliance of the ISMS.

The recertification process involves undergoing a full audit similar to the initial certification audit. This audit assesses whether the organization's Information Security Management System (ISMS) still conforms to the ISO 27001 standard requirements and whether it has effectively maintained and improved its security practices over time.

Between the initial certification and the recertification, organizations are also subject to regular surveillance audits conducted by the certification body. These surveillance audits occur annually or semi-annually, depending on the certification body's requirements. The purpose of these audits is to ensure that the organization's ISMS continues to operate effectively and that it remains in compliance with the ISO 27001 standard.

It's important to note that ISO 27001 certification is not a one-time achievement; it requires ongoing commitment to information security management and continuous improvement. Organizations that hold ISO 27001 certification should actively work to maintain their security practices, adapt to changing threats and technologies, and ensure that their ISMS remains effective in safeguarding information assets.

24. How many organizations have you helped with achieving ISO 27001 certification?

Since 2006, we’ve helped hundreds of organizations throughout the world when it comes to ISO/IEC 27001. Name the industry, and we can confidently tell you that our team of dedicated professionals has years of experience in taking organizations through the entire ISO 27001 lifecycle, from the initial scoping & gap assessment to finding them a well-qualified ISO 27001 auditor.

25. What are the main differences between ISO 27002:2013 and ISO 27002:2022?

From a high-level perspective, here is what has changed:

  • 11 new controls were introduced.
  • 57 controls were merged.
  • 23 controls were renamed.
  • 3 controls were removed.

Previously, within ISO/IEC 27001:2013, controls were organized into 14 different domains. In the 2022 update, controls are placed into the following four themes instead:

  • People controls (8 controls)
  • Organizational controls (37 controls)
  • Technological controls (34 controls)
  • Physical controls (14 controls)

26. What are the control changes in Annex A from ISO/IEC 27002:2013 to ISO/IEC 27002:2022?

There have been some notable changes within Annex A: controls have been merged or removed, and some new controls have been added.

ISO 27001:2022 lists 93 controls as opposed to the 114 controls within 27001:2013.  Moreover, these controls are grouped into 4 ‘themes’ rather than 14 clauses. They are the following:

  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

The eleven (11) new controls are the following:

  • Threat intelligence
  • Information security for use of Cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Lastly, the controls now also have the five following types of ‘attributes’ to make them easier to categorize:

  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cyber security concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, etc.)
  • Security domains (governance and ecosystem, protection, defense, resilience)

27. What do I need to know regarding the transition to ISO 27001:2022?

All organizations currently certified under the ISO 27001:2013 standard have until October 31, 2025 to transition to the new revision. New certification applicants may continue to be audited against the 2013 revision of ISO 27001 until April 30, 2024—an update from the initial deadline of October 31, 2023.

28. What size companies have you worked with?

MorganHill has worked in every conceivable sector around the globe when it comes to helping organizations fulfill their ISO/IEC 27001 journey. From agriculture to Artificial Intelligence (AI), our expert consultants have the knowledge and expertise to get the job done right. 

29. What are some of the most time-consuming and demanding aspects of earning ISO/IEC 27001 certification?

As with any major regulatory compliance initiative – ISO/IEC 27001 being no different – documentation (as discussed in an earlier F.A.Q.) in the form of policies and procedures is one of the most demanding and time-consuming measures to undertake. With ninety-three (93) Annex A controls that are potentially in scope for ISO/IEC 27001 – and each of the controls needing some form of a policy, procedure, program, or plan to be developed – you can quickly see that the workload for documentation can be large.

Furthermore, the ‘implementation’ of controls is also a time-consuming task. Specifically, once policies and procedures have been developed, I.T. tools and solutions have been acquired, it’s critical to follow-through with the implementation of the controls by putting them into action. For example, authoring a network security policy that says vulnerability scanning will be conducted regularly actually requires vulnerability scanning to be undertaken by I.T. personnel.

30. Can achieving ISO 27001 certification help with SOC 1 or SOC 2 compliance?

It can help because a large number of the ISO/IEC 27002:2022 Annex A controls can successfully map to the AICPA SOC 1 and SOC 2 framework. All the policies, procedures, programs, plans, and other measures put in place for ISO/IEC 27001 compliance and/or certification will go a long way in helping achieve SOC 1 or SOC 2 compliance.

Only a CPA firm can issue a SOC 1 or SOC 2 report. We work exclusively with a firm in North America that issues such reports and would be happy to recommend them to you.

31. Can you provide references before we engage with you?

Yes, we can. We have clients all throughout the world who can attest to our expertise when it comes to ISO/IEC 27001, and all other related cybersecurity, information security and data privacy measures. 

32. What is an Information Security Management System (ISMS)?

An ISMS is a framework of policies, procedures, processes - and other related measures and initiatives - that systematically manages information security, cybersecurity, and privacy risks throughout an organization. Key elements of an ISMS consist of the following:

  • An ISMS provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving the information security within an organization.

  • The implementation of an ISMS based on ISO/IEC 27001 helps organizations establish a robust information security management framework that addresses confidentiality, integrity, and availability of information assets.

  • An ISMS is the very fabric and foundation of one’s ability to successfully earn - and maintain - ISO/IEC 27001 certification.

33. What is an ISO/IEC 27001 Statement of Applicability (SoA) and why is it important?

An ISO/IEC 27001 Statement of Applicability (SoA) is a document that lists the Annex A controls (that are listed in detail in the ISO/IEC 27002 standard) that are included - and also excluded - with an information security management system (ISMS) based on your organization's assessment of their relevance to mitigating security risks.

At a minimum, your ISO/IEC 27001 SoA should include the following for each control:

  • Control title and description (language taken directly from Annex A).
  • Whether the control is applicable to your organization or not.
  • Justification (i.e., an explanation) for applicability or non-applicability.
  • Rationale for including the control within the scope of the SoA (Business, Legal, Contractual, Risk-based).
  • The status of the control.
  • Date of validation for each respective control within the SoA.
  • Notes and Comments.
  • Any other relevant information.

The SoA must be accessible throughout the phase of the actual ISO/IEC 27001 audit when the auditor tests your controls to ensure that they are properly designed and functioning to meet the goals of the standard itself, and for the scope of the audit. The SoA must be reviewed and approved by top management or an appropriate authority within an organization. 

Lastly, the SoA should be updated regularly, with access to the SoA document tightly controlled. The SoA is a valuable document that can be given to clients, prospects, regulatory bodies - almost anyone with a credible interest in understanding and validating an organization’s information security (i.e., information security, cybersecurity, and privacy) controls.

34. How do you decide which of the Annex A Controls are to be included in your ISO/IEC 27001 Statement of Applicability (SoA)?

When you take some time to review the Annex A Controls listed in ISO/IEC 27002:2022, you quickly realize that the vast majority - if not all - of the controls should be included within the scope of one’s ISMS. And why? Because the Annex A Controls are best practices that all organizations should be employing, regardless of industry, size, sector, or location.  Sure, you can leave some out that truly do not have applicability, but the vast majority of the Annex A Controls warrant being included within the scope of your ISMS.

Remember, it is important to conduct a risk assessment, as required by ISO/IEC 27001, as this will greatly assist in determining controls to be included within the scope of developing and implementing an ISMS. 

35. How should I document N/A within the ISO/IEC 27001 Statement of Applicability (SoA) if there are controls from Annex A that do not apply to my organization?

By simply providing a valid justification for why the specific Annex A control is Not Applicable (N/A). The justification could be any number of reasons, such as the control addresses a process that does not exist in the organization’s business, or the control is not necessary given the scope of the ISMS. It is completely acceptable to mark a control N/A, so long as you give a valid and credible reason why it is actually N/A.
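As an added example (not MorganHill's code and not part of the original page), the following Python script reads an SoA export and flags the gaps discussed in questions 33 and 35: a missing justification (for included and for N/A controls alike), a rationale outside the four listed categories, an excluded control whose status is not N/A, and a validation date that does not parse. The column names and sample rows are constructed for illustration.

```python
"""Minimal consistency check for an ISO/IEC 27001 Statement of Applicability export."""
import csv
import io
from datetime import date

# Rationale values listed on the page for including a control in the SoA.
ALLOWED_RATIONALES = {"Business", "Legal", "Contractual", "Risk-based"}

# Constructed sample SoA export. Control numbers follow the ISO/IEC 27002:2022
# numbering scheme, but the rows themselves are illustrative, not a real SoA.
SAMPLE_SOA = """\
control,title,applicable,justification,rationale,status,validated
5.1,Policies for information security,Yes,Required for every ISMS scope,Risk-based,Implemented,2024-03-01
7.8,Equipment siting and protection,No,No physical premises in scope; all hosting is with a cloud provider,Risk-based,N/A,2024-03-01
8.15,Logging,Yes,,Risk-based,Implemented,2024-03-01
8.23,Web filtering,No,,Business,N/A,2024-03-01
5.3,Segregation of duties,Yes,Mandated by customer contract,Contractual,Planned,not-a-date
"""


def check_soa(csv_text: str) -> dict[str, list[str]]:
    """Return {control_id: [findings]} for every control that fails at least one check."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems: list[str] = []
        cid = row["control"].strip()
        applicable = row["applicable"].strip().lower() == "yes"
        # Every control needs a written justification; an N/A control is only
        # acceptable with a credible reason for its exclusion (question 35).
        if not row["justification"].strip():
            problems.append("missing justification for " + ("applicability" if applicable else "N/A"))
        # Included controls must cite one of the rationale categories from question 33.
        if applicable and row["rationale"].strip() not in ALLOWED_RATIONALES:
            problems.append(f"rationale {row['rationale']!r} not one of {sorted(ALLOWED_RATIONALES)}")
        # An excluded control should not carry an implementation status.
        if not applicable and row["status"].strip() != "N/A":
            problems.append("excluded control should carry status N/A")
        # The per-control validation date must be a real date (ISO 8601 assumed here).
        try:
            date.fromisoformat(row["validated"].strip())
        except ValueError:
            problems.append(f"validation date {row['validated']!r} is not ISO 8601")
        if problems:
            findings[cid] = problems
    return findings


if __name__ == "__main__":
    for cid, probs in check_soa(SAMPLE_SOA).items():
        print(cid, "->", "; ".join(probs))
```

Controls 5.1 and 7.8 pass (7.8 is N/A with a reason), while 8.15, 8.23 and 5.3 are reported.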

36. Does ISO/IEC 27001 require a Continuous Monitoring (ConMon) program to be in place?

Per ISO/IEC 27001:2022, clause 10.1 Continual improvement, organizations are to "...continually improve the suitability, adequacy and effectiveness of the information security management system." This, in effect, requires a Continuous Monitoring (ConMon) program, or a similar program, for undertaking such measures. The only way an organization truly improves upon its ISMS is by monitoring the very controls that were adopted and implemented from Annex A of ISO/IEC 27002:2022.

At MorganHill, we develop highly customized Continuous Monitoring (ConMon) programs for organizations of all sizes, industries, and sectors. You can also download our ConMon program template today at the MorganHill Compliance Portal (MHCP).

37. What is an ISO/IEC 27001 internal audit?

An ISO/IEC 27001 internal audit is a systematic and independent examination of an organization's information security management system (ISMS) against the requirements outlined in the ISO/IEC 27001 standard. ISO/IEC 27001 is an internationally recognized framework that provides a structured approach to managing and protecting sensitive information within an organization.

An internal audit is conducted by internal auditors or a team within the organization who are independent of the processes being audited. The purpose of the internal audit is to assess the effectiveness and adequacy of the organization's information security controls, processes, and policies.

Keep in mind that a well-defined internal audit program should cover a wide range of auditing measures, such as sampling and the audit methodologies used (i.e., inspection, re-performance, inquiry, observation, etc.). Additionally, the internal audit program should document all findings, allowing the intended users to consume the results and understand what steps, if any, need to be taken to improve one’s controls.

38. What considerations should be taken in terms of ISMS scoping?

The ISO 27001 standard provides a wide range of scope options. The service provider implementing the ISMS is responsible for defining the scope of its management system and deciding which individuals, groups, organizations, assets, and locations should be covered by it. As part of this flexibility, the service provider is allowed to designate parts of the business that won't interface with the ISMS and to point out instances in which some duties might be delegated to third parties, such as a public cloud provider.

The primary tasks for creating, running, or protecting the organization's vital systems, service offerings, and procedures should be identified during scoping conversations. The scoping effort may start out broadly across several places, but scoping variables may subsequently be used to reduce and refine the scope to deliver the most value.

The standard specifies a few things that must be taken into account while determining scope. The first of these requirements is to assess the motivation for the ISMS initiative. Customers' demands for certification, an identified revenue increase linked to ISMS certification, decreased response times to vendor questionnaires, or pressure on the Board of Directors (BoD) to adopt cutting-edge information security governance practices may all be motivators for deploying an ISMS. There are likely to be evident internal and external issues surrounding the ISMS endeavor that can guide the scoping evaluation.

The second criterion is to take into account the internal and external stakeholders who have an interest in the success of the ISMS after defining the drivers for its implementation. Employees, the Board of Directors, investors, present or potential clients, and regulatory agencies may be some of these. To make sure that the ISMS scope matches the requirements and expectations of these stakeholders, it is crucial to obtain feedback from relevant parties.

Finally, the ISO 27001 standard mandates that both internal and external interfaces and dependencies to the ISMS be considered. These elements are essential, particularly for firms that intend to separate organizational functions and rely on third-party infrastructure or tooling for development operations, hosting of systems, or control operation. Departments that support the essential ISMS operations, such as in a control ownership or budgetary capacity, are included in internal interfaces and dependencies.

39. What are examples of External Interfaces and Dependencies for ISO/IEC 27001?

External interfaces and dependencies refer to the processes, functions, and the relevant service providers and tools/solutions offered by external entities that interface with the ISMS. By identifying these EXTERNAL interfaces and dependencies, organizations can gain a stronger understanding of a third party’s responsibilities in relation to the controls within an ISMS. Common examples consist of the following:

  • Data Center/colocation facilities
  • Cloud Service Providers (i.e., AWS, Microsoft Azure, GCP, salesforce.com, etc.)
  • Contract workers (i.e., offshore development, etc.)
  • Managed Security Services (i.e., MSSPs that perform managed network, managed application, etc.)
  • Hosted Software Platforms (i.e., ticketing systems, online payroll systems, etc.)

Once the dependencies have been identified, it’s critical to then assess how such dependencies ‘interface’ with an organization’s ISMS. More specifically, identify the connectivity points between the relevant service providers and your organization.


Why Morgan Hill?

Since 2006, a Global Leader in ISO/IEC Advisory Solutions.
A True Footprint all around the World.

Respected. Recognized. Resourceful.