ISO 27001:2013 requirements
The core requirements of the ISO 27001:2013 standard are outlined beginning from clause 4.1 to clause 10.2. Below is a list of all the clauses with a summary for each:
4.1 Understanding the organisation and its context
Clause 4.1 of the ISO 27001 requirements is the starting point of every successful ISO 27001 implementation. The organisation seeking certification must identify the external and internal issues relevant to its operation that could affect its ability to achieve the intended outcome of its information security management system (ISMS).
4.2 Understanding the needs and expectations of interested parties
Clause 4.2 of the requirements is about identifying interested parties and their requirements pertinent to the ISMS. Interested party requirements may be legal, regulatory, or contractual.
4.3 Determining the scope of the ISMS
This clause involves creating a document determining the scope of your ISMS and delimiting its boundaries and applicability. In crafting the ISMS scope document, the following elements must be considered:
- External and internal issues (4.1)
- Requirements of its interested parties (4.2)
- Interfaces and dependencies between business activities
4.4 Information security management system
Clause 4.4 states that organisations must create, implement, maintain, and continually improve an ISMS, as per the ISO 27001:2013 standard requirements.
5.1 Leadership and commitment
This clause highlights the value of having upper management demonstrate leadership and commitment through visible and material support for information security.
5.2 Information security policy
This clause dictates that upper management must establish an information security policy that sets out the organisation's information security objectives and reiterates its commitment to satisfying its information security requirements.
5.3 Organisational roles, responsibilities, and authorities
Clause 5.3 requires upper management to clearly define roles, obligations, and authorities for the ISMS.
6.1 Actions to address risks and opportunities
Clause 6.1 explains that the organisation must have plans in place that cover:
- the actions taken to identify, assess, and treat the risks and opportunities relevant to the ISMS
- how these actions will be integrated and implemented into ISMS processes
- how these actions will be evaluated and continually monitored
6.2 Information security objectives and planning
This clause makes high-level organisational objectives more relevant and measurable for information security activities, especially the protection of the confidentiality, integrity, and availability of information.
7.1 Resources
Clause 7.1 requires that sufficient resources be allocated to establishing, implementing, maintaining, and continually improving the ISMS.
7.2 Competence
The ISO 27001:2013 clause 7.2 states that organisations must determine the required competency level for each role within the ISMS and decide whether to document it in a position description. The organisation should also assign roles within the ISMS to employees based on their aptitudes.
7.3 Awareness
Clause 7.3 states that all relevant interested parties must be aware, while working, of the following:
- The information security policy
- How their input contributes to making the ISMS more effective
- The consequences of not conforming to the ISMS requirements
7.4 Communication
The organisation must determine the level of internal and external communication appropriate for the ISMS. It must also decide on what, when, and with whom to communicate, who will be communicating, and the processes by which communication shall be achieved.
7.5 Documented information
The importance of accurate, properly maintained and easily accessible documentation cannot be overstated when implementing the ISO 27001:2013 standard. The purpose of documentation is to illustrate your organisation’s ISMS, its intended outcomes, and the approach used to achieve them.
8.1 Operational planning and control
This clause states that when planning, implementing and controlling relevant processes, the ISMS must comply with requirements 6.1, 6.2 and 7.5. Documentation must be kept to ensure processes have been carried out as intended. Planned changes must be controlled, and unplanned changes reviewed, with corrective action taken to mitigate undesirable effects.
8.2 Information security risk assessment
Information security risk assessments must be documented and conducted at scheduled times or when a change warrants it. This clause is fulfilled by meeting the requirements of clauses 6.1 and 6.2.
8.3 Information security risk treatment
An information security risk treatment plan must be implemented and its results documented, as per clause 6.1 requirements.
9.1 Monitoring, measurement, analysis and evaluation
This clause requires the evaluation of information security performance, that is, the effectiveness of the ISMS, to help the organisation determine whether the intended outcome of its information security activities is reached as expected.
9.2 Internal audit
Clause 9.2 states that frequent pre-planned internal audits must be conducted to determine if the ISMS is effectively implemented, properly maintained, and aligned with the ISO 27001:2013 standard requirements.
9.3 Management review
Upper management is responsible for conducting recurring ISO 27001 management reviews at planned intervals to ensure the ISMS supports organisation goals.
10.1 Nonconformity and corrective action
This clause falls under the ISO 27001 improvement requirement. It highlights the importance of corrective action plans and their pivotal role in the improvement of the ISMS.
10.2 Continual improvement
The standard’s biggest strength is that it keeps evolving through the constant assessment, testing, review and performance measurement of the ISMS. Thus, continual evaluation and improvement are ingrained in the fabric of the ISO 27001:2013 standard requirements.