ISO/IEC 27001:2013: Spring 2019, MAJU Nauman H. Ansari

The document is a set of lecture slides on ISO/IEC 27001:2013, the international standard that specifies the requirements for an information security management system (ISMS). It covers key aspects of the standard, including that accredited certification demonstrates an organization follows information security best practice. It describes the standard's 14 sections/domains, which cover areas such as policies, access control, and compliance. Finally, it sets out a student project to develop an information security policy based on ISO 27001:2013, including the required domains and the presentation of the project.


ISO/IEC 27001:2013
Spring 2019, MAJU
Nauman H. Ansari

[Chart: ISO/IEC 27001 certificates worldwide; about 20% increase per year]
ISO/IEC 27001:2013 ISMS
• ISO/IEC 27001:2013 (ISO 27001) is the international standard that specifies the
requirements for an ISMS (information security management system) and describes
best practice for operating one.
• Achieving accredited certification to ISO 27001 demonstrates that your
company is following information security best practice, and provides an
independent, expert verification that information security is managed in
line with international best practice and business objectives.
• ISO 27001:2013 does not prescribe any specific layers or a layered
approach; instead it sets out the structural elements of an effective
information security implementation through its management-system clauses
(4 to 10) and the control objectives and controls of Annex A.
• ISO 27001 is supported by its code of practice for information security
management, ISO/IEC 27002:2013, which gives implementation guidance for each
Annex A control.
ISO 27001 Sections/Domains (the 14 control sections of Annex A, mirrored in the ISO/IEC 27002:2013 Code of Practice)
Domain n in the list below corresponds to Annex A clause A.(n+4): domain 1 is A.5, domain 14 is A.18.
1. Information security policies - Management direction for information security. Controls on how
the policies are written, approved, communicated and reviewed.
2. Organization of information security - Internal organization; Mobile devices and
teleworking. Controls on how responsibilities are assigned and segregated; also includes the controls for
mobile devices and teleworking.
3. Human resource security - Prior to employment, During employment, Termination and change
of employment.
4. Asset management - Controls related to responsibility for and inventory of assets and acceptable
use, and to information classification and media handling.
5. Access control - Business requirements of access control, User access management, User
responsibilities, and System and application access control.
6. Cryptography - Controls related to the use of cryptography and key management.
7. Physical and environmental security - Controls defining secure areas, entry controls, protection
against external and environmental threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
8. Operations security - the largest group of controls, covering management of IT production: Operational
procedures and responsibilities, Protection from malware, Backup, Logging and monitoring,
Change management, Capacity management, Control of operational software, Technical
vulnerability management and Information systems audit coordination.
9. Communications security - Network security management and Information transfer. Controls
related to network security, segregation, network services, transfer of information, messaging,
etc.
10. System acquisition, development and maintenance - Security requirements of information
systems, Security in development and support processes, and Test data.
11. Supplier relationships - Information security in supplier relationships and Supplier service
delivery management. Controls on what to include in agreements, and how to monitor the
suppliers.
12. Information security incident management - Controls for reporting events and weaknesses,
defining responsibilities, response procedures, learning from incidents, and collection of evidence.
13. Information security aspects of business continuity management - Controls requiring the
planning of information security continuity, procedures, verification and review, and redundancy of information processing facilities.
14. Compliance - Compliance with legal and contractual requirements, and information security
reviews.
ISO 27001 Annex A Controls
• The best way to understand Annex A is to think of it as a catalogue of
security controls you can select from. Annex A gives you an overview
of the controls you can apply, so that you do not overlook controls that
would be important, and it gives you the flexibility to choose only those
controls you find applicable to your business, so that you do not
waste resources on the ones that are not relevant to you.
• So, not all of these 114 controls are mandatory: a company chooses for
itself which controls it finds applicable and then it must implement them
(in most cases, at least 90% of the controls turn out to be applicable); the rest are
declared non-applicable. The selected controls, and the justification for every
exclusion, are recorded in the Statement of Applicability (SoA), which
certification auditors check against the risk treatment plan.
• There are now 114 controls in 14 domains and 35 control objectives in ISO
27001:2013.
• In ISO 27001:2005 there were 11 domains and 133 controls.
ISP Project (Total Marks: 10)
You are the Information Security Officer of your organization. You have to develop an Information Security Policy based on the ISO
27001:2013 standard.

You have to include the following domains:

1. Information security policies
2. Organization of information security
3. Human resource security
4. Asset management
5. Access control
6. Physical and environmental security
7. Operations security
8. Communications security
9. Information security aspects of business continuity management
10. Compliance

You also have to include Document Control, Table of Contents, Scope, Purpose and Audience on the initial pages. A sample
"document control" is attached. You must use a standard font and scaling in the policy document, and it should be well presented.

This is a group (4-5 students) project. You have to present a printed copy of the project between 22 and 29 May 2019. The viva exam will
be conducted on the same day.
A.5 Information Security Policies
• Objective: To provide management direction and support for
information security in accordance with business requirements and
relevant laws and regulations.
• Management should define a set of policies to clarify their direction
of, and support for, information security. There should be an overall
"information security policy", approved by management, published and
communicated to employees and relevant external parties.
• A.5.1.1 Policies for information security
• A.5.1.2 Review of the policies for information security (at planned
intervals or when significant changes occur)
A.6 Organization of Information Security
• The organization should lay out the roles and responsibilities for
information security and allocate them to individuals. Where
relevant, duties should be segregated across roles and individuals to
avoid conflicts of interest and prevent inappropriate activities. There
should be contacts with relevant external authorities and special interest
groups on information security matters.
• Controls on how the responsibilities are assigned; also includes the
controls for mobile devices and teleworking.
A.18 Compliance
• A.18.1 Compliance with legal and contractual requirements
The organization must identify and document its obligations to external
authorities and other third parties in relation to information security,
including intellectual property rights, protection of [business] records,
privacy and protection of personally identifiable information, and regulation of cryptographic
controls.
• A.18.2 Information security reviews
The organization's information security arrangements should be
independently reviewed (audited) and reported to management. Managers
should also routinely review employees' and systems' compliance with
security policies, procedures, etc., and initiate corrective actions where
necessary.
Makeup Class
• 25 December holiday
• Makeup class: 23 December 2018, 3:00 - 6:00 PM