Risk Management School

[class #8] ISO 27001:2022 controls and the SoA

Written by Risk Management School | September 1, 2023

In this class, Alejandro Orrego, CEO at Pirani, teaches us about the ISO 27001 standard in its 2022 update, which controls it lists in Annex A, and how to produce the Statement of Applicability (SoA).

ISO/IEC 27000 (Information technology. Security techniques. Information security management systems. Overview and vocabulary)

The ISO/IEC 27000 series provides a framework for information security management systems (ISMS): guidelines, best practices, and the shared terminology used across the standards.

The ISO/IEC 27000 series encompasses various standards that address different aspects of information security. Some of the notable standards within this series include:

  • ISO/IEC 27001: The cornerstone of the series; it specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Its Annex A is the reference list of information security controls, and it is the standard against which an ISMS is certified.
  • ISO/IEC 27002: Formerly known as ISO/IEC 17799, this standard offers a comprehensive set of security controls and implementation guidance for them. It covers areas such as access control, cryptography, and incident management, among others; it is a guidance document, not a certification standard.
  • ISO/IEC 27003: Provides guidelines for the implementation of an ISMS. It assists organizations in understanding the key steps involved in establishing an effective ISMS based on the ISO/IEC 27001 requirements.
  • ISO/IEC 27005: Focuses on information security risk management. It provides guidelines for assessing and managing risks to information security effectively.
  • ISO/IEC 27006: Outlines requirements for bodies providing certification and auditing of ISMS against the ISO/IEC 27001 standard.
  • ISO/IEC 27017: Offers guidelines for information security controls applicable to cloud computing services, assisting cloud service providers and customers in maintaining a secure environment.
  • ISO/IEC 27018: Provides guidance on protecting personally identifiable information (PII) in public clouds acting as PII processors. It is specifically focused on privacy controls within cloud computing.

ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection. Information security management systems. Requirements)

ISO 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of an organization. It provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability.

ISO 27001 revisions

  • ISO/IEC 27001:2005: The initial version of the standard was published in 2005. This version provided the foundation for information security management systems.
  • ISO/IEC 27001:2013: A significant update occurred in 2013. This version brought several improvements and refinements to the standard. It incorporated a risk-based approach to information security management and included additional controls to address emerging security threats.
  • ISO/IEC 27000:2018 (the vocabulary standard, not a revision of 27001 itself): Some terms and definitions were removed; Clause 3 was aligned with the high-level structure for management system standards; Clause 5 was updated to reflect changes in the standards concerned; Annexes A and B were deleted.
  • ISO/IEC 27001:2022: The number of Annex A controls decreased from 114 to 93. The controls are grouped into 4 themes (organizational, people, physical, technological) instead of the previous 14 domains. There are 11 new controls; none of the 2013 controls were deleted, but 57 of them were merged into 24, and the rest were updated.

ISO 27001 controls

93 controls

  • Organizational controls: 37
  • People controls: 8
  • Physical controls: 14
  • Technological controls: 34

Organizational controls

5.1 Policies for information security: Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to, and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

5.2 Information security roles and responsibilities: Information security roles and responsibilities shall be defined and allocated according to the organization's needs.

5.3 Segregation of duties: Conflicting duties and conflicting areas of responsibility shall be segregated.

and 34 more.

People controls

6.1 Screening: Background verification checks on all candidates to become personnel shall be carried out before joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations, and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

6.2 Terms and conditions of employment: The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.

6.3 Information security awareness, education, and training: Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education, and training, and regular updates of the organization's information security policy, topic-specific policies, and procedures, as relevant for their job function.

and 5 more.

Physical controls

7.1 Physical security perimeters: Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

7.2 Physical entry: Secure areas shall be protected by appropriate entry controls and access points.

7.3 Securing offices, rooms, and facilities: Physical security for offices, rooms, and facilities shall be designed and implemented.

and 11 more.

Technological controls

8.1 User endpoint devices: Information stored on, processed by, or accessible via user endpoint devices shall be protected.

8.2 Privileged access rights: The allocation and use of privileged access rights shall be restricted and managed.

8.3 Information access restriction: Access to information and other associated assets shall be restricted by the established topic-specific policy on access control.

and 31 more.

SoA (Statement of Applicability)

The Statement of Applicability (SoA) is a crucial document in the ISO/IEC 27001 Information Security Management System (ISMS) framework.

The SoA is the summary of which controls the organization has determined to be necessary, whether each one is implemented, and, for every Annex A control that is not applied, why it was excluded. It is the document an auditor uses to trace each control back to the risks or obligations that require it.

Clause 6.1.3 of ISO/IEC 27001:2022 ties the SoA to risk treatment through three steps:

  • Determine all controls that are necessary to implement the information security risk treatment option(s) chosen.
    NOTE 1 Organizations can design controls as required, or identify them from any source.
  • Compare the controls determined above with those in Annex A and verify that no necessary controls have been omitted.
    NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
    NOTE 3 The information security controls listed in Annex A are not exhaustive, and additional information security controls can be included if needed.
  • Produce a Statement of Applicability that contains:
    - the necessary controls;
    - the justification for their inclusion;
    - whether the necessary controls are implemented or not; and
    - the justification for excluding any of the Annex A controls.

Selection of Controls

The SoA lists the controls the organization has decided to apply in its ISMS. These controls are chosen based on a comprehensive risk assessment, as well as legal, contractual, and other requirements that the organization is obliged to meet.

Justification for Inclusion or Exclusion

For each control listed in Annex A of ISO/IEC 27001, the SoA should indicate whether the control is applicable and explain why. If a control is not applied, the SoA should justify its exclusion; an Annex A control that is neither selected nor justified as excluded is exactly the omission the comparison step in clause 6.1.3 is meant to catch.

Status of Implementation

The SoA often includes each control's implementation status, providing an overview of how far along the organization is in applying the selected controls.

In essence, the Statement of Applicability links the risk assessment and risk treatment processes, and the selection of controls that have been applied. It is fundamental for demonstrating compliance and is often considered a 'live' document that should be updated regularly to reflect the current state of the organization's ISMS.
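The three steps of clause 6.1.3 and the SoA columns described above can be checked mechanically. The following is an added example, not code from the class or from Pirani: it derives the necessary controls from a constructed risk register plus the standard's own clause obligations, builds one SoA row per Annex A control (using only the twelve control IDs quoted on this page as a stand-in for the full annex), and then audits the result for the omissions an auditor would flag. The risk IDs, the custom control "CUST-01", the exclusion reasons and the implementation statuses are all constructed for the example.

```python
"""Cross-check a Statement of Applicability against the risk treatment plan and
Annex A, following ISO/IEC 27001:2022 clause 6.1.3 b) to d). Constructed data."""
from dataclasses import dataclass

# Constructed subset of Annex A: only the twelve controls quoted on this page.
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.2": "Information security roles and responsibilities",
    "5.3": "Segregation of duties",
    "6.1": "Screening",
    "6.2": "Terms and conditions of employment",
    "6.3": "Information security awareness, education and training",
    "7.1": "Physical security perimeters",
    "7.2": "Physical entry",
    "7.3": "Securing offices, rooms and facilities",
    "8.1": "User endpoint devices",
    "8.2": "Privileged access rights",
    "8.3": "Information access restriction",
}
@dataclass
class Risk:
    risk_id: str
    treatment: str        # chosen treatment option, e.g. "modify" or "retain"
    controls: tuple = ()  # control IDs selected to treat the risk
@dataclass
class SoAEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str    # why included, or why excluded
    status: str           # "implemented", "planned" or "excluded"
# Constructed risk register. "CUST-01" is a hypothetical control from a source
# other than Annex A, which clause 6.1.3 NOTE 1 permits.
RISKS = (
    Risk("R-01", "modify", ("8.1",)),
    Risk("R-02", "modify", ("5.3", "8.2", "8.3")),
    Risk("R-03", "modify", ("6.1", "CUST-01")),
    Risk("R-04", "retain"),
)
# Controls the standard's own clauses demand regardless of any single risk.
REQUIREMENTS = {
    "5.1": "clause 5.2 requires an information security policy",
    "5.2": "clause 5.3 requires roles and responsibilities to be assigned",
    "6.3": "clause 7.3 requires security awareness",
}
# Constructed exclusion justifications; 6.2 is deliberately left out.
EXCLUSIONS = dict.fromkeys(("7.1", "7.2", "7.3"), "fully remote, no premises of its own")
STATUS = {"5.1": "implemented", "5.2": "implemented", "5.3": "implemented",
          "6.1": "planned", "6.3": "implemented", "8.1": "implemented",
          "8.2": "implemented", "8.3": "planned", "CUST-01": "planned"}

def necessary_controls(risks, requirements):
    """6.1.3 b): every control a treatment or an obligation calls for -> reasons."""
    needed = {}
    for risk in risks:
        for cid in risk.controls:
            needed.setdefault(cid, []).append(f"treats {risk.risk_id}")
    for cid, reason in requirements.items():
        needed.setdefault(cid, []).append(reason)
    return needed

def build_soa(risks, requirements, annex_a, exclusions, status):
    """6.1.3 c) and d): one row per Annex A control, plus one per custom control."""
    needed = necessary_controls(risks, requirements)
    rows = []
    for cid, title in annex_a.items():
        if cid in needed:
            rows.append(SoAEntry(cid, title, True, "; ".join(needed[cid]),
                                 status.get(cid, "planned")))
        else:
            rows.append(SoAEntry(cid, title, False, exclusions.get(cid, ""), "excluded"))
    for cid, reasons in needed.items():
        if cid not in annex_a:
            rows.append(SoAEntry(cid, "Custom control (not in Annex A)", True,
                                 "; ".join(reasons), status.get(cid, "planned")))
    return rows

def audit_soa(rows, needed, annex_a):
    """Findings an auditor would raise against the SoA; an empty list is clean."""
    by_id = {row.control_id: row for row in rows}
    findings = []
    for cid in annex_a:  # 6.1.3 c): no Annex A control silently overlooked
        row = by_id.get(cid)
        if row is None:
            findings.append(f"{cid}: Annex A control missing from the SoA")
        elif not row.applicable and not row.justification:
            findings.append(f"{cid}: excluded without justification")
    for cid in needed:   # every necessary control is in, and its status is tracked
        row = by_id.get(cid)
        if row is None or not row.applicable:
            findings.append(f"{cid}: necessary control not marked applicable")
        elif row.status not in ("implemented", "planned"):
            findings.append(f"{cid}: applicable control has no implementation status")
    return findings

if __name__ == "__main__":
    needed = necessary_controls(RISKS, REQUIREMENTS)
    soa = build_soa(RISKS, REQUIREMENTS, ANNEX_A, EXCLUSIONS, STATUS)
    print(*(f"{r.control_id:8}{r.status:12}{r.justification}" for r in soa), sep="\n")
    print(*audit_soa(soa, needed, ANNEX_A), sep="\n")
```

Run as-is, the audit reports exactly one finding, "6.2: excluded without justification": control 6.2 was not selected by any risk or obligation and nobody wrote down why it does not apply. Adding a justification for 6.2 to the exclusions clears the report, while giving an applicable control a status outside "implemented" or "planned" produces a new finding, which is the "status of implementation" column the page describes. Keeping the justification text as a list of risk IDs and clause references is what makes the SoA the link between risk treatment and control selection that the closing paragraph describes.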