
An overview of ISO 27001 Certification (Information Security)

The goal of UNI CEI EN ISO/IEC 27001:2017 (the Italian adoption of ISO/IEC 27001:2013) "Information Technology - Security Techniques - Information Security Management Systems - Requirements" is to protect the confidentiality, integrity and availability of an organization's information.

This is achieved by first identifying what could go wrong with that information (risk assessment), then deciding what must be done to keep those events from occurring or to limit their impact (risk treatment).

The philosophy underlying ISO 27001:2017 is therefore a risk management process: find out where the risks are and treat them systematically through the implementation of security controls.

The standard is divided into two parts. The first, the main body, consists of 11 clauses (numbered 0 to 10). The second, Annex A, lists 114 controls grouped under 35 control objectives in 14 domains. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) are introductory. Clauses 4 to 10 contain the requirements whose fulfilment is mandatory if the organization wants to be certified against the standard. Annex A supports those clauses with a list of controls that are not individually mandatory: each one is selected, or excluded with a justification, as an outcome of the risk treatment process, and the result is recorded in the Statement of Applicability.

The requirements of clauses 4 to 10 can be summarized as follows:

Clause 4: Context of the organization – A prerequisite for successfully implementing an information security management system (ISMS) is understanding the context in which the organization operates. External and internal issues, as well as interested parties and their requirements, must be identified and taken into account. Those requirements may include legal and regulatory obligations but often go well beyond them. With this in mind, the organization must define the scope of the ISMS, i.e. which parts of the business, sites, processes and systems ISO 27001 will be applied to.

Clause 5: Leadership – ISO 27001 places several requirements on leadership. Commitment from top management is mandatory for a management system. Information security objectives must be aligned with the strategic direction of the organization. Providing the resources the ISMS needs, and supporting people so they can contribute to it, are further obligations. In addition, top management must establish an information security policy, which must be documented and communicated within the organization and to relevant interested parties. Roles and responsibilities must also be assigned in order to meet the requirements of ISO 27001.

Clause 6: Planning – Planning for information security management must always take risks and opportunities into account; consequently, the ISMS objectives must be based on the risk assessment and communicated within the organization. From the risk assessment and the security objectives, a risk treatment plan is derived, using the controls listed in Annex A (and any additional controls the organization deems necessary) and documented in the Statement of Applicability.

Clause 7: Support – Resources, staff competence, awareness and communication are the key elements for supporting the ISMS. A further requirement concerns documented information: it must be created, updated and controlled (approved, versioned, protected and retained). Adequate documentation must be maintained to demonstrate that the management system is operating as intended.

Clause 8: Operation – The processes needed to implement information security must be planned, implemented and controlled, including changes and outsourced processes. The risk assessment and risk treatment defined at the planning stage must actually be carried out, at planned intervals and whenever significant changes occur.

Clause 9: Performance evaluation – ISO 27001 requires the organization to monitor, measure, analyze and evaluate the ISMS. At planned intervals the system is verified through internal audits, and top management must review it in a management review. Every six or twelve months is a common choice, but this is only an example: the frequency is set by the organization.

Clause 10: Improvement – Following that evaluation, improvement must follow: nonconformities must be addressed by correcting them and, where applicable, eliminating their causes so they do not recur. In addition, a continual improvement process must be in place. Following the PDCA (Plan-Do-Check-Act) cycle is no longer explicitly required by the standard, but it remains a highly recommended way to structure that process.
