
ISO Standards for Information and Data Protection

Information and data protection is essential for business operations. Here are the ISO standards used to protect your data.

Information and data are key elements for an organization’s daily operations and, as such, they need to be protected properly. This is easily seen through the evolution of contracts, laws, and regulations to include information security clauses.

However, "proper protection" says nothing about how to achieve it, and contracts, laws, and regulations rarely provide that level of detail either.

As a result, many organizations do not know where to start, which can negatively impact both their operational performance and their ability to demonstrate compliance.

Fortunately, there are several solutions on the market that can help. In this article, we’ll present some elements of the ISO 27k series, which can provide guidance on how to implement and maintain a sustainable information and data protection environment.

ISO 27k series

The ISO 27k series is a set of standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which provides requirements, guidance, and recommendations for a systematic approach to protecting information, in the form of an Information Security Management System (ISMS).

This series comprises several dozen standards, of which the most commonly used are:

  • ISO 27001 – defines the requirements for an Information Security Management System (ISMS); its Annex A lists the security controls and control objectives to be considered for implementation.
  • ISO 27002 – provides guidance and recommendations for the implementation of the controls listed in ISO 27001 Annex A.
  • ISO 27017 – provides guidance and recommendations specific to the implementation of security controls in cloud environments, for both cloud service customers and cloud service providers.
  • ISO 27018 – provides guidance and recommendations for protecting personally identifiable information (PII) processed in public cloud environments.
  • ISO 27701 – defines the requirements for a Privacy Information Management System (PIMS). It is an extension of ISO 27001 and ISO 27002 that adds privacy-specific requirements and controls.

ISO 27001 and ISO 27701 are certifiable standards; i.e., organizations can be certified against them by certification bodies. Note that ISO 27701 is an extension of ISO 27001, so certification against it is granted together with an ISO 27001 certification rather than on its own. Both standards provide the basis for continual improvement, which helps keep implemented controls relevant to business objectives and to the needs and expectations of interested parties, such as customers and governments.

ISO 27002, ISO 27017, and ISO 27018 are supporting standards; i.e., they are not certifiable, and only provide best practices for the implementation of controls.

Management standards structure

The requirements in clauses 4 through 10 of ISO 27001, which ISO 27701 adopts and extends with privacy-specific additions, can be summarized as follows:

  • Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS / PIMS scope.
  • Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy / Privacy Information Policy.
  • Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security / privacy information objectives.
  • Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
  • Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security / privacy information objectives.
  • Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
  • Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.

Supporting standards structure

ISO 27002 (2013 edition) has 114 controls, divided into 14 sections. Besides specific implementation details for several of these controls, ISO 27017 adds 7 controls specifically related to security in the cloud environment. ISO 27018 adds 24 controls for protecting privacy in the cloud environment, besides specific details for existing controls. Note that the 2022 editions of ISO 27001 and ISO 27002 restructured the control set into 93 controls grouped in four themes (organizational, people, physical, and technological); the section numbering used below follows the 2013 edition.

Considering ISO 27001 and ISO 27002 as a basis, we have these variations related to the inclusion of ISO 27017 and ISO 27018:

Additions in ISO 27017 and ISO 27018 to the ISO 27001 / ISO 27002 control sections

| ISO 27001 / ISO 27002 control section                                  | Level of additional items in ISO 27017 | Level of additional items in ISO 27018 |
|------------------------------------------------------------------------|----------------------------------------|----------------------------------------|
| A.5. Information security policies                                     | Moderate                               | Moderate                               |
| A.6. Organization of information security                              | Moderate                               | Low                                    |
| A.7. Human resource security                                           | Moderate/Low                           | Low                                    |
| A.8. Asset management                                                  | Moderate/Low                           | Low                                    |
| A.9. Access control                                                    | High                                   | Low                                    |
| A.10. Cryptography                                                     | Moderate                               | Low                                    |
| A.11. Physical and environmental security                              | Moderate/Low                           | Low                                    |
| A.12. Operations security                                              | Moderate/High                          | High                                   |
| A.13. Communications security                                          | Moderate/High                          | Low                                    |
| A.14. System acquisition, development and maintenance                  | Moderate                               | Low                                    |
| A.15. Supplier relationships                                           | Moderate/High                          | Low                                    |
| A.16. Information security incident management                         | Moderate                               | Moderate                               |
| A.17. Information security aspects of business continuity management   | Low                                    | Low                                    |
| A.18. Compliance                                                       | Moderate/High                          | Moderate/High                          |

Broadly speaking, controls cover these fields:

  • Technical controls, implemented in information systems, such as software, hardware, and firmware components. E.g. backup, antivirus software, etc.
  • Organizational controls, implemented as rules to be followed, and expected behavior. E.g. Access Control Policy, BYOD Policy, etc.
  • Legal controls, implemented to ensure the enforcement of laws, regulations, contracts, and other similar legal instruments. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.
  • Physical controls, implemented through equipment or devices that physically interact with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.
  • Human resource controls, implemented through provision of knowledge, education, skills, or experience to persons so they can work in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.

Which standards to use

ISO 27001 was built as a general approach to information security, applicable to organizations of any size or industry. So, unless you have specific requirements demanding controls for cloud security or privacy (ISO 27017 and ISO 27018), or a dedicated management system for privacy (ISO 27701), ISO 27001 alone provides a robust basis for information and data protection.

ISO 27k series: Fulfill protection and data security needs in a unique way

From an organizational point of view, the most attractive aspect of using the ISO 27k standards is that they give you a clear, widely recognized reference for meeting customers' and other interested parties' requirements for information and data protection.

So, if you are thinking about implementing information and data protection practices, ISO/IEC 27001, ISO 27701, and their supporting standards are a solid set of references to begin with, and ISO 27001 and ISO 27701 are standards you can also be certified against.