As discussed in detail in our earlier blog, "What is the ISO 27001 Information Security Standard?", the standard guides organisations, regardless of size or industry, on how to build, manage, and protect sensitive corporate data and information against a range of risks.
The Compliance Council explains that "ISO 27001 provides organisations with 10 clauses that serve as information security management system requirements and a section titled Annex A that outlines 114 controls that should be considered".
The 114 controls are then divided across 14 security domains, which provide the best practices for an information security management system (ISMS). These security domains help organisations perform a gap analysis to identify any areas of risk in their ISMS, as well as specify appropriate controls to address them.
While ISO 27001 is the most widely known ISMS standard, it is important to note that specific organisations (such as providers of employment skills training and disability employment services) may be required by the Australian Government to submit additional controls in order to gain certification.
The Compliance Council details the Security Domains as below:
| Security domain | Security category | Control objective |
|---|---|---|
| A.5 Information security policies | A.5.1 Management direction for information security | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
| A.6 Organisation of information security | A.6.1 Internal organisation | To establish a management framework to initiate and control the implementation and operation of information security within the organisation. |
| | A.6.2 Mobile devices and teleworking | To ensure the security of teleworking and the use of mobile devices. |
| A.7 Human resource security | A.7.1 Prior to employment | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
| | A.7.2 During employment | To ensure that employees and contractors are aware of and fulfil their information security responsibilities. |
| | A.7.3 Termination and change of employment | To protect the organisation's interests as part of the process of changing or terminating employment. |
| A.8 Asset management | A.8.1 Responsibility for assets | To identify organisational assets and define appropriate protection responsibilities. |
| | A.8.2 Information classification | To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation. |
| | A.8.3 Media handling | To prevent unauthorised disclosure, modification, removal or destruction of information stored on media. |
| A.9 Access control | A.9.1 Business requirements of access control | To limit access to information and information processing facilities. |
| | A.9.2 User access management | To ensure authorised user access and to prevent unauthorised access to systems and services. |
| | A.9.3 User responsibilities | To make users accountable for safeguarding their authentication information. |
| | A.9.4 System and application access control | To prevent unauthorised access to systems and applications. |
| A.10 Cryptography | A.10.1 Cryptographic controls | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |
| A.11 Physical and environmental security | A.11.1 Secure areas | To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities. |
| | A.11.2 Equipment | To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations. |
| A.12 Operations security | A.12.1 Operational procedures and responsibilities | To ensure correct and secure operation of information processing facilities. |
| | A.12.2 Protection from malware | To ensure that information and information processing facilities are protected against malware. |
| | A.12.3 Backup | To protect against loss of data. |
| | A.12.4 Logging and monitoring | To record events and generate evidence. |
| | A.12.5 Control of operational software | To ensure the integrity of operational systems. |
| | A.12.6 Technical vulnerability management | To prevent exploitation of technical vulnerabilities. |
| | A.12.7 Information systems audit considerations | To minimise the impact of audit activities on operational systems. |
| A.13 Communications security | A.13.1 Network security management | To ensure the protection of information in networks and its supporting information processing facilities. |
| | A.13.2 Information transfer | To maintain the security of information transferred within an organisation and with any external entity. |
| A.14 System acquisition, development and maintenance | A.14.1 Security requirements of information systems | To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provide services over public networks. |
| | A.14.2 Security in development and support processes | To ensure that information security is designed and implemented within the development lifecycle of information systems. |
| | A.14.3 Test data | To ensure the protection of data used for testing. |
| A.15 Supplier relationships | A.15.1 Information security in supplier relationships | To ensure protection of the organisation's assets that are accessible by suppliers. |
| | A.15.2 Supplier service delivery management | To maintain an agreed level of information security and service delivery in line with supplier agreements. |
| A.16 Information security incident management | A.16.1 Management of information security incidents and improvements | To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. |
| A.17 Information security aspects of business continuity management | A.17.1 Information security continuity | Information security continuity shall be embedded in the organisation's business continuity management systems. |
| | A.17.2 Redundancies | To ensure availability of information processing facilities. |
| A.18 Compliance | A.18.1 Compliance with legal and contractual requirements | To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. |
| | A.18.2 Information security reviews | To ensure that information security is implemented and operated in accordance with the organisational policies and procedures. |
Our team of Business Technology Consultants has partnered with organisations across a range of sectors to ensure their ISO 27001 preparedness. The 14 security domains can seem daunting; however, our team of experts is here to guide you through the ISO 27001 certification process. Contact us today on 1300 307 907.