nformation processing facility means any equipment, operating systems, or infrastructurethat are

necessary or facilitate to process data completely, accurately, and effectively, such as IT

equipment, applications, computer network systems, procedures, or information processing
areas, etc. Related to information processing facility Information processing system means an
electronic system for creating, generating, sending, receiving, storing, displaying, or processing
information. Processing facility means an establishment that prepares, treats, or converts tangible
personal property into finished goods or another form of tangible personal property. The term
includes a business engaged in processing agricultural, aquacultural, or maricultural products and
specifically includes meat, poultry, and any other variety of food processing operations. It does
not include an establishment in which retail sales of tangible personal property are made to retail
customers. Outsourcing facility means a facility that is engaged in the compounding of sterile
drugs and is currently registered as an outsourcing facility with the U.S. Secretary of Health and
Human Services and that complies with all applicable requirements of federal and state law,
including the Federal Food, Drug, and Cosmetic Act. Information Provider means the person or
organisation providing the Information under this licence. Customer Proprietary Network
Information (“CPNI”) is as defined in the Act. Confidential System Information means any
communication or record (whether oral, written, electronically stored or transmitted, or in any
other form) provided to or made available to Grantee; or that Grantee may create, receive,
maintain, use, disclose or have access to on behalf of HHSC or through performance of the
Project, which is not designated as Confidential Information in a Data Use Agreement. UNICEF
Supply Website means UNICEF's public access webpage available at
http://www.unicef.org/supply/index_procurement_policies.html, as may be updated from time to
time. Billing information means any data that enables any person to access a customer’s or
donor’s account, such as a credit card, checking, savings, share or similar account, utility bill,
mort- gage loan account, or debit card. User Information means information about a User made
available to you in connection with such User’s request for and use of Transportation Services,
which may include the User’s name, pick-up location, contact information and photo.
Confidential commercial information means records provided to the govern- ment by a submitter
that arguably contain material exempt from release under Exemption 4 of the Freedom of
Information Act, 5 U.S.C. 552(b)(4), be- cause disclosure could reasonably be expected to cause
substantial competi- tive harm. Recycling facility means equipment used by a trade or business
solely for recycling: Line Information Data Base (“LIDB”) means a Service Control Point (SCP)
database that provides for such functions as calling card validation for telephone line number
cards issued by Embarq and other entities and validation for collect and billed-to-third services.
Line Information Data Base (LIDB) means a transaction-oriented database system that functions
as a centralized repository for data storage and retrieval. LIDB is accessible through CCS
networks. LIDB contains records associated with End User line numbers and special billing
numbers. Processing Services means those services, which are necessary to issue a Card and
process a transaction in accordance with Government Requirements and the Rules of any System
and Regulatory Authority. Such services shall include but not be limited to: set-up and
maintenance of the Card and Cardholder Funds, transaction authorization, processing, clearing
and Settlement, System access, Cardholder dispute resolution, System compliance, regulatory
compliance, security and fraud control, and activity reporting. Operation Procedures means the
procedures contained in Annexure A hereto which the Contractor is obliged to follow when
performing work on behalf of the company Manufacturing Facility means buildings and
structures, including machinery and equipment, the primary purpose of which is or will be the
manufacture of tangible goods or materials or the processing of such goods or materials by
physical or chemical change. Program Information means all non-public Fund or CMA
information provided to Supplier for the purposes of Supplier’s provision of Services hereunder,
including, without limitation, data entered into Supplier’s system or those systems of its
Subcontractors. Patient Information means information (however recorded) which— Electronic
and Information Resources Accessibility Standards means the accessibility standards for
electronic and information resources contained in Title 1 Texas Administrative Code Chapter
213. Information Resources means any and all computer printouts, online display devices, mass
storage media, and all computer-related activities involving any device capable of receiving
email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting
Data including, but not limited to, mainframes, servers, Network Infrastructure, personal
computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers,
distributed processing systems, network attached and computer controlled medical and
laboratory equipment (i.e. embedded technology), telecommunication resources, network
environments, telephones, fax machines, printers and service bureaus. Additionally, it is the
procedures, equipment, facilities, software, and Data that are designed, built, operated, and
maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Vending facility means automatic vending machines, cafeterias, snack bars, cart service, shelters,
counters, and such other appropriate auxiliary equipment which may be operated by licensed
managers and which is necessary for the sale of newspapers, periodicals, confections, tobacco
products, foods, beverages, and other articles or services dispensed automatically or manually
and prepared on or off the premises in accordance with all applicable health laws and including
the vending or exchange of chances for any lottery authorized by State Law and conducted by an
agency of a State within such State. [CFR 34, Part 395.1(X)] Staffing Information means written
information about each of the Supplier or its Sub-Contractor’s staff including in particular: the
percentage of working time spent by each of them in the provision of the services; job title,
remuneration (meaning salary and benefits and any enhanced redundancy terms), age, length of
service, notice period, particulars of employment in accordance with section 1 of the
Employment Rights Act 1996, the applicability of any collective agreement to such staff, any
disciplinary action taken against any of them in the preceding two (2) years, details of any
grievances raised by any of them in the preceding two (2) years, any Court or employment
tribunal proceedings brought by any of them in the preceding two (2) years, any potential
proceedings which the Supplier or its Sub-Contractor reasonably considers may be raised by any
of them, and information about any of them who have been absent from work for one (1) month
or more regardless of the reason at the time the staffing information is requested; Marijuana
processor means a person who processes marijuana items in this state. Information Services
means the Municipal Securities Rulemaking Board’s Electronic Municipal Market Access
System; or, such other services providing information with respect to called municipal
obligations as the District may specify in writing to the Paying Agent or as the Paying Agent
may select. Federal contract information means information, not intended for public release, that
is provided by or generated for the Government under a contract to develop or deliver a product
or service to the Government, but not including information provided by the Government to the
public (such as on public Web sites) or simple transactional information, such as necessary to
process payments. Infrastructure facility means any publicly or privately owned facility
providing or distributing services for the benefit of the public, such as water, sewage, energy,
fuel or communications.
 ARCHIVE OF PLAIN ENGLISH
ISO 27001 2005 DEFINITIONS

Asset

An asset is any tangible or intangible thing or characteristic

that has value to an organization. There are many types of
assets. Some of these include obvious things like machines,
facilities, patents, and software. But the term can also include
less obvious things like services, information, and people,
and characteristics like reputation and image or skill and
knowledge.

Availability

Availability is a characteristic that applies to assets.

An asset is available if it is accessible and usable when
needed by an authorized entity. In the context of this
standard, assets include things like information, systems,
facilities, networks, and computers. All of these assets
must be available to authorized entities when they
need to access or use them.

Confidentiality
Confidentiality is a characteristic that applies to information.
To protect and preserve the confidentiality of information
means to ensure that it is not made available or disclosed
to unauthorized entities. In this context, entities include
both individuals and processes.

Control

A control is any administrative, management, technical,

or legal method that is used to manage risk. Controls are
safeguards or countermeasures. Controls include things
like practices, policies, procedures, programs, techniques,
technologies, guidelines, and organizational structures.

Corrective actions

Corrective actions are steps that are taken to address existing

nonconformities and make improvements. Corrective actions
deal with actual nonconformities (problems), ones that have
already occurred. They solve existing problems by removing
their causes. In general, the corrective action process can be
thought of as a problem solving process.

Document

The term document refers to information and the medium

that is used to bring it into existence. Documents can take
any form or use any type of medium. The extent of your ISMS
documentation will depend on the scope of your ISMS, the
complexity of your security requirements, the size of your
organization, and the type of activities it carries out.

Information processing facility

An information processing facility is defined as any system,

service, or infrastructure, or any physical location that houses
these things. A facility can be either an activity or a place;
it can be either tangible or intangible.

Information security

Information security is all about protecting and preserving

information. It’s all about protecting and preserving the
confidentiality, integrity, authenticity, availability, and
reliability of information.

Information security event

An information security event indicates that the security of

an information system, service, or network may have been
breached or compromised. An information security event
indicates that an information security policy may have
been violated or a safeguard may have failed.

Information security incident

An information security incident is made up of one or more

unwanted or unexpected information security events that
could very likely compromise the security of information
and weaken or impair business operations.

Information security management system

An information security management system (ISMS) includes

all of the policies, procedures, plans, processes, practices,
roles, responsibilities, resources, and structures that
are used to protect and preserve information. It includes all
of the elements that organizations use to manage and
control their information security risks. An ISMS is
part of a larger management system.

Information security policy

An information security policy statement expresses

management’s commitment to the implementation,
maintenance, and improvement of its information
security management system.

Integrity

To preserve the integrity of information means to protect

the accuracy and completeness of information and the
methods that are used to process and manage it.
Management review

The purpose of a management review is to evaluate the

overall performance of an organization's information
security   management system and to identify
improvement opportunities.

Owner

In the context of ISO 27001 and ISO 27002, an owner is a

person or entity that has been given formal responsibility
for the security of an asset or asset category. It does not
mean that the asset belongs to the owner in a legal sense.
Asset owners are formally responsible for making sure
that assets are secure while they are being developed,
produced, maintained, and used.

PDCA model

PDCA stands for Plan-Do-Check- Act. ISO IEC 27001 says

that every I S M S process should be structured using the
PDCA model. This means that every process should be
planned (Plan); implemented, operated, and maintained (Do);
monitored, audited, and reviewed (Check); and improved (Act).

Policy

A policy statement defines a general commitment,

direction, or intention. An information security policy
statement expresses management’s commitment to
the implementation, maintenance, and improvement
of its information security management system.
Preventive actions

Preventive actions are steps that are taken to avoid

potential nonconformities and make improvements.
Preventive actions address potential nonconformities
(problems), ones that haven't yet occurred. Preventive
actions prevent the occurrence of problems by removing
their causes. In general, the preventive action process
can be thought of as a risk management process.

Procedure

Procedures control processes or activities. A well defined

procedure controls a logically distinct process or activity,
including the associated inputs and outputs.

Procedures can be very general or very detailed, or anywhere

in between. While a general procedure could take the form of a
simple flow diagram, a detailed procedure could be a one page
form or it could be several pages of text.
A detailed procedure defines the work that should be done,
and explains how it should be done, who should do it, and
under what circumstances. In addition, it explains what
authority and what responsibility has been allocated,
which supplies and materials should be used, and which
documents and records must be used to carry out the work.
While procedures may be documented or undocumented,
ISO usually expects them to be documented.

Process

In general, a process uses resources to transform inputs

into outputs. Inputs are turned into outputs because some
kind of work or activity is carried out.  

ISO IEC 27001 recommends that you structure your ISMS

processes using the Plan-Do-Check-Act (PDCA) model .
This means that every process should be planned (Plan);
implemented, operated, and maintained (Do); monitored,
audited, and reviewed (Check); and improved (Act).

Process approach

The process approach is a management strategy. When

managers use a process approach, it means that they control
their processes, the interaction between these processes, and
the inputs and outputs that “glue” these processes together.
It means that they manage by focusing on processes and on
inputs and outputs. ISO IEC 27001 suggests that you use
a process approach to control your ISMS processes.

Record

A record is a document that contains objective evidence

which shows how well activities are being performed or
what kind of results are actually being achieved. It always
documents what has happened in the past. Records can
take any form or use any type of medium.

Requirement

A requirement is a need, expectation, or obligation. It can be

stated or implied by an organization, its customers, or other
interested parties. There are many types of requirements.
Some of these include security requirements, contractual
requirements, management requirements, regulatory
requirements, and legal requirements.

Residual risk

Residual risk is the risk left over after you’ve implemented

a risk treatment decision. It’s the risk remaining after you’ve
done one of the following: accepted the risk, avoided the
risk, transferred the risk, or reduced the risk.

Risk

The concept of risk combines three ideas: it selects an event,

and then combines its probability with its potential impact. It
asks two questions: what is the probability that a particular
event will occur in the future? And what negative impact
would this event have if it actually occurred?

So, a high risk event would have both a high probability

of occurring and a big negative impact if it occurred. The
concept of risk is always future oriented: it worries about
the impact events could have in the future.

Risk acceptance

Risk acceptance is part of the risk treatment decision

making process. Risk acceptance means that you’ve
decided that you can live with a particular risk.
Risk analysis

Risk analysis uses information to identify possible

sources of risk. It uses information to identify threats
or events that could have a harmful impact. It then
estimates the risk by asking: what is the probability
that this event will actually occur in the future? And
what impact would it have if it actually occurred?

Risk assessment

A risk assessment combines two techniques:

a risk analysis  and a risk evaluation .

Risk evaluation

A risk evaluation compares the estimated risk with a set

of risk criteria. This is done in order to determine how
significant the risk really is. The estimated risk is
established by means of a risk analysis.

Risk management

Risk management is a process that includes four activities:

risk assessment, risk acceptance, risk treatment, and risk
communication. Risk management includes all of the
activities that an organization carries out in order
to manage and control risk.
Risk treatment

Risk treatment is a decision making process. For each risk,

risk treatment involves choosing amongst at least four
options: accept the risk, avoid the risk, transfer the risk,
or reduce the risk. In general, risks are treated by selecting
and implementing measures designed to modify risk.

Standard

A standard is a document. It is a set of rules that control how

people develop and manage materials, products, services,
technologies, tasks, processes, and systems.

ISO IEC standards are agreements. ISO IEC refers to them

as agreements because its members must agree on content
and give formal approval before they are published.

ISO IEC standards are developed by technical committees.

Members of these committees come from many different
countries. Therefore, ISO standards tend to have very
broad support.

Statement of applicability

A Statement of Applicability is a document that lists your

organization’s information security control objectives and
controls . In order to figure out what your organization’s
unique information security controls and control objectives
should be, you need to carry out a risk assessment, select
risk   treatments , identify all relevant legal and regulatory
requirements, study your contractual obligations, and review
your organization’s own business needs and requirements.
Once you’ve done all of this, you should be ready to prepare
your organization’s unique Statement of Applicability.
 Third party

In the context of a specific issue, a third party is any person

or body that is recognized as independent of the people
directly involved with the issue in question.

Threat

A threat is a potential event. When a threat turns into

an actual event, it may cause an unwanted incident.
It is unwanted because the incident may harm an
organization or system.

Vulnerability

A vulnerability is a weakness in an asset or group

of assets. An asset’s weakness could allow it to be
exploited and harmed by one or more threats.

What are the Physical Security Controls in

ISO 27001?
For many organizations, COVID-19 has meant a halt to on-premise operations and the
introduction of broad work-from-home policies.

Sure, that pivot has been key to business survival. But it does carry serious risk, including a
greater opportunity for physical security incidents from less oversight. How to mitigate that risk
with a remote, fragmented staff? Best-practice security standard, ISO 27001 offers some clues.
So, where do physical security controls factor into international standard, ISO 27001, which
deals largely with information assets? Well, as the standard lays out, information assets exist in
physical space, leaving them vulnerable, even despite the most robust cyber security measures.

And that’s exactly why ISO 27001 dedicates discussion to physical and environmental security
control objectives and controls. The standard’s main takeaway: plan ahead.

Indeed, the practices outlined in the physical and environmental security control clauses even
follow the same logic and framework as those that deal with digital information. That logic and
framework being – the higher the value and risk, the higher the level of protection. Of course,
information assets are under increased risk on the cyber front, as well, so Security teams must be
extra vigilant.

What’s the solution? ISO 27001 offers up physical security requirements that fall into two broad
categories: secure areas and equipment security. Secure areas provisions – secure areas being
sites where organizations handle sensitive information or shelter valuable IT equipment and
personnel to achieve important business objectives – deal with protecting the physical
environment in which assets are housed, in other words: building, offices, etc.

Here, the standard instructs certifying organizations to look at risks relating to physical access to
those assets. Organizations must then put in controls, where appropriate, to manage (limit or
simply control) physical access to those assets – especially now that those facilities might be
vacated or guarded by skeleton crews.

The ISO 27001 protocols for equipment security follow the same logic. Essentially, they instruct
organizations to consider where equipment is housed and whether it’s housed appropriately (or
liable to be housed appropriately). That puts the onus on security managers to ask the following:

 Is important IT equipment vulnerable?

 Who’s responsible for maintaining equipment? Are they qualified?
 What provisions are in place for equipment that leaves the premises?
The full list of ISO 27001 physical security controls follows:

Secure Areas

Type Control

Security perimeters (barriers such as walls, card-controlled entry gates

Physical Security
or manned reception desks) shall be used to protect areas that contain
Perimeter
information and information processing facilities.

Physical Entry Secure areas shall be protected by appropriate entry controls to ensure
Controls that only authorized personnel are allowed access.

Securing Offices, Physical security for offices, rooms, and facilities shall be designed and
Rooms, and Facilities applied.

Protecting Against
Physical protection against damage from fire, flood, earthquake,
External and
explosion, civil unrest, and other forms of natural or man-made disaster
Environmental
shall be designed and applied.
Threats

Working in Secure Physical protection and guidelines for working in secure areas shall be
Areas designed and applied.
Access points such as delivery and loading areas and other points where
Public Access,
unauthorized persons may enter the premises shall be controlled and, if
Delivery, and
possible, isolated from information processing facilities to avoid
Loading Areas
unauthorized access.

Equipment Security

Type Control
Equipment shall be sited or protected to reduce the risks from
Equipment Sitting
environmental threats and hazards, and opportunities for unauthorized
and Protection
access.
Equipment shall be protected from power failures and other disruptions
Supporting Utilities
caused by failures in supporting utilities.
Power and telecommunications cabling carrying data or supporting
Cabling Security
information services shall be protected from interception or damage.
Equipment Equipment shall be correctly maintained to ensure its continued
Maintenance availability and integrity.
Equipment, information, or software shall not be taken off-site without
Removal of Assets
prior authorization.
Security or
Security shall be applied to off-site equipment taking into account the
Equipment Off-
different risks of working outside the organization’s premises.
Premises
All items of equipment containing storage media shall be checked to
Secure Disposal or
ensure that any sensitive data and licensed software has been removed
Re-Use of Equipment
or securely overwritten prior to disposal.
Unattended User Users shall ensure that unattended equipment has appropriate
Equipment protection.
Clear Desk and Clear A clear desk policy for papers and removable storage media and a clear
Screen Policy screen policy for information processing facilities shall be adopted.

Finally, Security teams working in tandem with COVID-19 response teams must add mandatory
evacuations (from public health crises) to the list of external and environmental threats against
which valuable security assets must be protected, so as to prevent loss, damage, theft, and/or
compromise that would imperil business continuity.

Not sure how to get the entire security apparatus up and running per best-practice guidance?
Read our Guide to ISO 27001 to find out:

7.1 USE SECURE AREAS TO PROTECT FACILITIES

  Use physical methods to control access

to information processing facilities.

  Use physical methods to prevent people from damaging

or interfering with your information processing facilities.

  Identify the areas within your facility that should receive

special protection and be treated as secure areas.

  Use secure areas to protect sensitive

or critical information processing facilities.

  Use entry controls to protect your

information processing facilities.

  Make sure that your physical protection methods

are commensurate with your security risks.
7.1.1 USE PERIMETERS TO PROTECT SECURE AREAS

  Use physical security perimeters and barriers to protect

your organization’s information processing facilities.

  Make sure that your physical security perimeters

and barriers provide more protection for high
risk areas than low risk areas.

  Make sure that your physical security barriers and

perimeters are free of physical gaps and weaknesses.

  Make sure that external doors and entrance

ways are used to prevent unauthorized access
to information processing facilities.

  Restrict building access to authorized personnel.

  Use physical barriers to prevent unauthorized access.

  Make sure that physical barriers are used to prevent

contamination from external environmental sources.

  Make sure that external perimeter doors

are controlled by fire alarm systems.

  Make sure that all external perimeter doors

automatically slam shut in response to a fire.

7.1.2 USE ENTRY CONTROLS TO PROTECT SECURE AREAS

  Use physical entry controls to protect secure areas.

  Make sure that your physical entry controls ensure that

only authorized people are given access to secure areas.

  Make sure that visitors to secure

areas are given a security screening.

  Make sure that you supervise

all visitors to secure areas.

  Record the date and time visitors

 enter and leave secure areas.

  Make sure that all visitors to secure areas

are given specific security instructions.

  Make sure that all visitors to secure areas are

made aware of your emergency procedures.

  Use physical controls to restrict

access to sensitive information.

  Use physical controls to restrict access

to information processing facilities.

  Validate the identity of all persons

who wish to access secure areas.

  Ensure that all persons who access

secure areas wear visible identity tags.

  Maintain a record of all access to secure areas.

  Review access rights to secure areas on a regular basis.

  Update access rights to secure areas on a regular basis.

7.1.3 USE DESIGN STRATEGIES TO PROTECT SECURE AREAS

  Design your secure areas to withstand natural disasters.

  Design secure areas to withstand man-made disasters.

  Design your secure areas in accordance with all

relevant health and safety regulations and standards.

  Protect your secure areas from security threats

that neighboring facilities might present.

  Site secure areas in order to avoid public access to them.

  Site secure area photocopiers and other equipment so

that routine access to them will not compromise security.
  Design your information processing facilities in
order to hide their true purpose from the public.

  Use locks to control access to secure areas.

  Lock all information processing facility doors and

windows when these facilities are not being used.

  Install external window protections

for your information processing facilities.

  Use intruder detection systems

to prevent access to secure areas.

  Make sure that your intruder detection systems

cover all external doors and accessible windows.

  Make sure that your intruder detection systems comply

with professional installation and maintenance standards.

  Test your intruder detection systems on a regular basis.

  Keep unoccupied secure areas alarmed at all times.

  Separate physically your information processing

facilities from facilities that are managed by third parties.

  Prevent public access to internal directories and documents that

specify the location of sensitive information processing facilities.

  Site fallback equipment away from secure areas

in order to avoid damage during a disaster.

  Site backup media away from secure areas

in order to avoid damage during a disaster.

  Store hazardous materials away from secure areas.

  Store combustible materials away from secure areas.

7.1.4 USE WORK GUIDELINES TO PROTECT SECURE AREAS

  Use guidelines to control the work that
your personnel perform in secure areas.

  Use guidelines to control the work that

third parties perform in secure areas.

  Allow third party support service personnel to access

secure areas only when access is clearly required.

  Monitor third party access to your secure areas.

  Ensure that third party access to secure areas is authorized.

  Use a need-to-know policy to control

information about secure areas and facilities.

  Supervise all work performed in secure areas.

  Lock secure areas that are vacant.

  Check secure areas that are vacant.

  Prevent the unauthorized use of photographic

and other recording equipment inside secure areas.

7.1.5 USE HOLDING AREAS TO PROTECT SECURE AREAS

  Control the use of delivery and loading areas.

  Separate your delivery and loading areas from

all of your information processing facilities.

  Make sure that all delivery and loading functions

are carried out in a carefully controlled holding area.

  Make sure that you restrict access to your holding area.

  Make sure that holding area is designed so that supplies

can be unloaded without allowing access to secure areas.

  Make sure that your holding area is designed so that the

external door is secured when the internal door is open.
  Inspect all incoming supplies and materials
to ensure that all hazards are identified before
these items are transferred to secure areas.

  Record all incoming supplies and materials.

7.2 PROTECT EQUIPMENT FROM HAZARDS

  Protect your equipment from

security threats and hazards.

  Protect your equipment from

environmental threats and hazards.

  Make sure that your physical security

measures reduce the risk that people will
have unauthorized access to your data.

  Make sure that your physical security

measures protect data from loss or damage.

7.2.1 SAFEGUARD YOUR EQUIPMENT

  Site your equipment so that unnecessary

access to related work areas is minimized.

  Isolate all equipment that requires

an extra level of protection.

  Adopt security measures that protect

your equipment against theft.

  Adopt security measures that protect

your equipment against fire.

  Adopt security measures that protect

your equipment against explosives.

  Adopt security measures that protect

your equipment against smoke.

  Adopt security measures that protect

 your equipment against flooding.

  Adopt security measures that protect

your equipment against water leaks.

  Adopt security measures that protect

your equipment against dust.

  Adopt security measures that protect

your equipment against grime.

  Adopt security measures that protect

your equipment against vibration.

  Adopt security measures that protect your

equipment against destructive chemicals.

  Adopt security measures that protect your

equipment against electrical interference.

  Adopt security measures that protect your

equipment against electromagnetic radiation.

  Adopt security measures that protect your

equipment against accidental damage.

7.2.2 PROTECT YOUR POWER SUPPLIES

  Protect your equipment from power failures.

  Protect your equipment from electrical anomalies.

  Make sure that your power supplies comply with the

specifications provided by equipment manufacturers.

  Ensure that electrical power will

be provided without interruption.

  Consider using multiple power feeds.

  Use uninterruptible power supplies (UPSs)

to protect your critical equipment.
  Develop contingency plans to address UPS failures.

  Check your UPS equipment on a regular basis.

  Test your UPS equipment on a regular basis.

  Make sure that you have back-up generators

that you can use during prolonged power failures.

  Test your back-up generators on a regular basis.

  Make sure that you have an adequate supply of fuel available

that back-up generators can use during emergencies.

  Make sure that your equipment rooms have emergency power switches.

  Make sure that power switches are located near emergency exits.

  Attach lightning protection filters to all external communication lines.

  Install emergency back-up lights.

  Install lightning protection for all buildings.

7.2.3 SECURE YOUR CABLES

  Protect your power lines from

unauthorized interception or damage.

  Protect your telecommunications cables

from unauthorized interception or damage.

  Place power lines underground whenever those lines

are connected to information processing facilities.

  Place telecommunications cables underground whenever

they are connected to information processing facilities.

  Use conduits to prevent unauthorized

interception or damage to cables and lines.

  Use armored conduit to protect critical systems.

  Avoid routing cables and lines through public areas.

  Segregate your power lines from your telecommunications cables.

  Use locked rooms and boxes at cable inspection and termination points.

  Consider using alternative routings.

  Consider using alternative transmission media.

  Consider using fiber optic cables

  Consider using sweeps to detect the presence

of unauthorized cable monitoring devices.

7.2.4 MAINTAIN YOUR EQUIPMENT

  Maintain your equipment to

ensure that it functions properly.

  Follow the equipment manufacturer’s

recommended maintenance schedule.

  Follow the equipment manufacturer’s

recommended maintenance specifications.

  Allow only authorized maintenance people

to service and repair your equipment.

  Keep a record of all preventive and

corrective maintenance activities.

  Keep a record of all equipment faults and problems.

  Control off-site equipment maintenance and repair.

  Comply with the requirements that insurance polices

impose on off-site equipment maintenance and repair.

7.2.5 CONTROL OFF-SITE EQUIPMENT

  Make sure that management authorization is required before

 information processing equipment can be removed and used
outside of your organization’s premises.

  Make sure that off-site equipment security measures are at

least as rigorous as on-site equipment security measures.

  Take additional equipment security measures to deal

with the added risks associated with working off-site.

  Make sure that all appropriate security measures are

taken to control the off-site use of personal computers.

  Make sure that all appropriate security measures are

taken to control the off-site use of personal organizers.

  Make sure that all appropriate security measures are

taken to control the off-site use of mobile phones.

  Make sure that all appropriate security measures are

taken to control the off-site use of paper documents.

  Make sure that your personnel never leave

information processing equipment or media
unattended in public places.

  Make sure that personnel treat portable computers

as hand luggage while they are traveling.

  Make sure that your personnel conceal or disguise

their portable computers while they are traveling.

  Develop special security measures

for people who work at home.

  Develop special security measures to address your

organization’s unique or unusual security risks.

  Ensure that your personnel follow your equipment

manufacturers’ recommended security precautions.

  Make sure that you have adequate

insurance for off-site equipment.
7.2.6 CONTROL EQUIPMENT DISPOSAL

  Control the disposal of old or obsolete

information processing equipment.

  Control the re-use of old or obsolete

information processing equipment.

  Destroy all data storage devices or securely overwrite

all data before you re-use or dispose of those devices.

  Ensure that all licensed software has been overwritten or

removed before you re-use or dispose of storage devices.

  Check all storage devices, before you re-use or dispose of them,

in order to verify that all security requirements have been met.

7.3 CONTROL ACCESS TO INFORMATION AND PROPERTY

  Prevent unauthorized access to your

sensitive or critical information.

  Prevent the unauthorized modification

of your sensitive or critical information.

  Prevent the theft of your information.

  Minimize the damage that would be

caused by the loss of your information.

  Prevent unauthorized access to

your information processing facilities.

  Prevent the theft of your information

processing equipment.

  Minimize the damage that would be caused by

the loss of your information processing equipment.

7.3.1 ESTABLISH A CLEAR-DESK AND CLEAR-SCREEN POLICY

  Establish a clear-desk policy to protect

 your information processing facilities.

  Use a clear-desk policy to protect paper.

  Use a clear-desk policy for removable storage media.

  Established a clear-screen policy to protect

your information processing facilities.

  Store important papers in locked cabinets.

  Store computer media in locked cabinets.

  Store your organization’s most critical or sensitive

information in fire-resistant safes or cabinets.

  Make sure that users log off when personal

computers, terminals, and printers are not in use.

  Protect personal computers, terminals, and printers by

means of passwords or other suitable security controls.

  Protect your incoming and outgoing mail points.

  Protect your unattended fax and telex machines.

  Protect your photocopiers from unauthorized

use during weekends and after-work hours.

  Clear immediately sensitive or classified

information from printers after every print job.

7.3.2 CONTROL THE REMOVAL OF PROPERTY

  Make sure that management authorization

is required before equipment is taken off-site.

  Make sure that management authorization

is required before information is taken off-site.

  Make sure that management authorization

is required before software is taken off-site.
  Make sure that users log out and log
back in whenever equipment is returned.

  Make sure that personnel are warned that spot-checks

will be carried out to detect missing equipment.

  Make sure that you carry out unannounced spot-checks

to detect the unauthorized removal of equipment.

ISO 27001 Controls: What is Annex A:11?

 November 18, 2020
The set of ISO 27001 controls Annex A:11 focuses on physical and environmental security
programs. It defines the various controls that protect organizations from loss of information
caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment
failure, and power failures.

Physical security measures should be sufficient enough to deal with foreseeable threats and
should be tested periodically for their effectiveness and functionality, as well as increasing the
rate of risk-based thinking and planning when it comes to risks surrounding information security.
Best practices and ISO standards can assist with evaluating physical security controls, such as
ISO/IEC 27002:2013 to ensure your organisation remains protected online.

 Environmental Controls
 Natural Disaster Controls
 Supporting Utility Controls
 Physical Protection and Access Controls
 System Reliability
 Physical Security Awareness and Training
 Contingency Plans

iso 27001 certification by best practice

A:11 Physical and Environmental Security
Annex A Controls: 11 is all about the physical and environmental security of your office and
related areas. Furthermore, it helps to understand how to maintain a good environment around
your organization’s workspace.

Below are the controls that are covered explained by Annex: 11.

A:11 Secure Areas:

To prevent unauthorized physical access, damage, and interference to the organization’s

information and information processing facilities.

A:11.1.1 Physical Security Perimeters:

Security perimeters should be established, as well as the location and intensity of each parameter.
It should depend on the security requirements of the assets inside the perimeter and on the results
of the risk assessment. It refers to the office premises, corridors, facilities.

A physical security perimeter is defined as “any transition boundary between two areas of
differing security protection requirements”.

Good illustrations to these perimeters are; At the outer boundary of the site and outdoor and
indoor spaces; Between outside a building and inside it; Between a corridor and office or
between the outside of a storage cabinet and inside it.

Examples of the types of property and premises the organisation that should be taken into
consideration include:

1. The Data centres that host information assets;

2. Head office;
3. Employees working from home and
 4. Employees who are travelling, like using hotels and other facilities etc.

In simple terms, the organization must establish secure areas that protect the valuable
information and information assets that only authorized people can access.

Get Your Free ISO 27001 Gap Analysis Checklist

A:11.1.2 Physical entry Controls:
Here the clause is talking about building security; where the work premises are. It is highly
recommended if you are looking for the ISO 27001 certification, the information secured area
must be protected from unauthorized entry.

1. The building or facility perimeters should be physically secure. There should be no gaps,
where the break-in can occur.
2. The premises’ exterior and interior buildings, walls, and floors should be securely built.
All external doors should be properly locked and must-have key entries.
3. Multi-floor buildings need extra surveillance and protection, Main entry should be
manned with a receptionist.
4. Doors and windows should always be closed at all times.

A:11.1.3 Securing Offices, rooms and facilities:

This clause helps to maintain the organization’s electronic asset security. For exmaple, every
organization has computers, laptops, servers, and much more physical equipment that we need to
secure properly. If you are looking to achieve ISO 27001 certifications, the standard says the
information should be stored and retained securely. What are the perimeters for this physical
security, Are you making your electronic asset restricted-access only? We have previously
discussed this clause in Annex A:7 regarding information security.

Things to remember:

1. Never give access to unauthorized personnel in your organization.

2. Protect your information with strong passwords.
3. Lock the screens, if away from the working desks.
4. Maintain a surveillance system around the area where the information is stored.
A:11.1.4 Protecting against external and environmental threats:
This clause centers on protecting the inevitable attacks on the organizations. These attacks can be
environmental, or a cyber threat that steals your information, or the private data on your
customers and/or suppliers. Natural disasters like floods, earthquakes, and fires are inevitable
events. Organizations must include procedures and policies to deal with these threats. This
pandemic has made organizations aware of the fact they need to proceed with remote working;
some may work where the risk is high, and this needs to be identified by the management team.

This could be addressed by identifying the risk around the business areas. Understanding your
location and what is in the immediate vicinity is critical to identifying potential risks. It is
required under this standard, physical and environmental threats are recognized and controlled
by the organization well.

A:11.1.5 Working in Secure areas:

This clause under Annex 11 deals with the safety of the people of the organization and their
safety. It defines how to establish the procedures for working in secure areas shall be designed
and applied.

1. A restricted awareness of the location and function of secure areas;

2. Restrictions on the use of electronic recording devices within secure areas;
3. Restriction on unsupervised working within secure areas wherever possible;
4. In and out monitoring and logging.
A:11.1.6 Delivery and Loading areas:

There should be complete control of all the access points where necessary. The information
stored within the building should be secured and consider as a legal responsibility. SOA will
look into the delivery and pick up points should have monitored and valid key entry.

Digital or virtual workplaces might not have any need for a policy or control around delivery and
loading areas can exclude from the Statement of Applicability (SOA).

Examples of these controls may include;

1. Docks away from the main office building;

2. Security Guards; CCTV monitoring & recording; and
3. procedures to prevent external and internal access.

What is an Information Security Management System?

Data and information are valuable assets in every organisation and deserve to be protected
from potential risks or threats.To secure your intellectual property, financial data and
third party or employee information, you have to implement an Information Security
Management System (ISMS).

An ISMS is a combination of processes and policies that help you identify, manage, and protect
vulnerable corporate data and information against various risks. Specifically the ISMS’s key
objective is to ensure the confidentiality, integrity and availability of data and information in
maintained.

ISO 27001
ISO 27001 is an internationally recognised standard that sets requirements for ISMS. The
requirements provide you with instructions on how to build, manage, and improve your
ISMS. The standard updated in 2013, and currently referred to as ISO/IEC 27001:2013, is
considered the benchmark to maintaining customer and stakeholder confidentiality.

As of the end of 2017, almost 40,000 businesses worldwide had achieved certification to ISO
27001; a 19% increase on the year prior.

Benefits of ISO 27001

If you are a business owner who is thinking about implementing an ISMS in his/her organisation
or a manager in a company who wants to get Senior Management on board with an ISMS, you
need to know more about what value ISO 27001 can add to your business. Here we explain some
of the major benefits that you can expect to achieve:

 
1. Allows for the secure exchange of information 

This standard helps you identify the threats toward your information security and create plans to
address them. For any specific risk, you will have someone who is responsible capable enough to
control the situation in case something goes wrong. This kind of process can manage and
minimise risk exposure and automatically lead to a safer information exchange.

2. Makes information security everybody’s responsibility

When you implement ISO 27001 in your company, you create awareness among employees and
provide information security training to allow them to become accountable for information
security, regardless of their role in the organisation.

Eventually, data protection finds its way into the organisation’s culture, and somehow simplifies
the information security process in a way that everyone understands it and works to achieve it.

3. Brings a competitive advantage and builds reputation

It is safe to say that all of your clients or partners, who share their valuable data with you, are
perfectly aware of the importance of information security and expect you to grant them that.
Having certification to an information security standard such as ISO 27001 is a strong way of
demonstrating that you care about your partners and clients’ assets as well.This builds trust,
creates a positive reputation for you, and distinguishes you from your competitors who are not
certified to the ISO 27001.

4. Meets legal or third party obligations

It is probably the case that sometimes you are asked by a client, third party or by law to show
your organisation capability in information security. In situations like this, ISO 27001 could be
an excellent choice. This standard is recognised and used by many organisations worldwide, and
by applying its clear and practical instructions, you can prove your trustworthiness concerning
information and data security.

5. Achieve a return on investment

By implementing this standard, you can achieve a return on investment in at least two ways. One
way is through the marketing value that it adds to your organisation since the certification can
attract potential clients and also assist with pre-sales due diligence conducted by your potential
clients.
Second, ISO 27001 helps you avoid, eliminate or reduce the undesired effect of risks which
otherwise can severely impact your organisation’s reputation leading to financial penalties and
related legal issues.

Challenges solved by ISO 27001

 

1. Organisation doesn’t know its information assets:

Many organisations haven’t determined what exact information and data they are storing and are
responsible for.

The standard helps to identify the info assets, classify them and protect them thus maximising
their potential market value.

2. Information security isn’t organised or structured:

Orgs may have some systems in place but they might be scattered or not structured.

The very purpose of the Standard is to provide a framework for orgs to use and organize their
information security management system.

3. Organisations don’t know what risks they’re facing:

There are 2 types of organisations - those who have suffered a cyber attack and know it and those
who have suffered one and don’t know it. The standard provides a very robust framework that
empowers organisations to identify their risks, known and unknown. Furthermore, it provides a
very extensive list with security controls that companies can choose from and implement to
secure their data and IP.

4. Helps avoid legal “hot water”

The standard requires an organisation to identify its legal obligations when it comes to handling
data, thus limiting legal liability.

5. Client Assurance

Achieving and maintaining ISO 27001 certification provides assurance to the organisation’s
clients that Information Security is taken seriously and that the organisation has a robust system
of processes to secure their data.

4 facts about the Information Security Management

Standard you need to know
What it is that comes into your mind when you think about safety standards in general or ISO
27001 in particular? From what we have seen and heard, there are some general assumptions and
beliefsthat are not so helpful. Let us shed some light on that area and reveal some interesting
facts about ISO 27001.

1. This standard is not about documentation

ISO 27001, like other recently updated standards, uses the term documented information, which
means any organisation can retain the necessary information in the way that best suits it and to
the extent that is needed. In other words, you are in charge of the format and amount of
documented information that is kept for your records. After all, this documented information is
supposed to help you keep track of what you have done and what needs to be done in the future.

2. It is not complicated

The name of information security could be overwhelming for some of us and create this delusion
in our mind that everything related to it is too complicated for a non-technical person. ISO 27001
is here to make the process of implementing ISMS smooth and simple enough that everyone can
be a part of it.It provides all the guidance and outlines you need along the way to your
information.

3. It is not theIT departments responsibility

The truth is, just because it is about information security, it does not mean it shouldn’tconcern
other departments. In fact, every single person in the organisation will have responsibilities for
the ISMS as information isn’t just the concern of the information technology team.
ISO 27001 expects people who are involved in the process, to have enough competency and
awareness about ISMS so they are able to participate and be accountable for what they need to
do.

4. It is not prescriptive

ISO 27001 is a standard that sets the outcomes that are expected to be achieved but how you
actually do that is up to the organisation. For example, A.7.2.2 information security awareness,
education and training states that:

All employees of the organisation and, where relevant, contractors shall receive appropriate
awareness, education and training and regular updates in the organisational policies and
procedures, as relevant to their job function.

This requirement doesn’t state how often, what type of activity or which topics should be address
through awareness, education and training. From an auditor’s perspective, they may have certain
thoughts about what is appropriate or not based on their experience but they can’t mandate that
you take a certain approach if you can demonstrate that you have achieved the outcome in a way
that aligns with the context of your organisation. Context can include applicable legislation,
contractual requirements, expectations from the Board, information security risks or any other
item that is specific to your organisation.

ISMS Requirements
ISO 27001 provides organisations with 10 clauses that serve as information security management
system requirements and a section titled Annex A that outlines 114 controls that should be
considered by the organisation. Since organisationsof any size and type collect, process, and
communicate information in various ways, they can benefit from the implementation of an ISMS
that aligns with ISO 27001.

Clause 1 to 3 provide introductory information about terms and definitions and normative
reference of ISO 27001. The main content starts from clause 4 so we start from there as well.

4- Context of organisation

Context of organisation is a core concept that you build your ISMS on top of it.It is about
identifying and analysing your business and your environment. To do so, you have to determine
all the factors that can affect the success of your ISMS and achieving its goals, including:

 All the internal and external issues related to the ISMS

 All the internal and external interested parties and their expectations
 The scope of ISMS   

The importance of defining the context of the organisation comes from the fact that it is the base
for some important processes that you will build later on, such as risk management, and
continual improvement.
What you need to achieve at this point is identifying what are the assets you want to protect with
an ISMS and why.

Your context and the scope of your ISMS are what thatdifferentiates you from allthe other
organisations and gives you the opportunityto discover your uniqueness and enjoy the benefits of
ISO 27001.

5- Leadership and Commitment

When top manager involves in an organisation process, the chance of getting desired outcomes is
much higher than the time he/she is passive and not involved. ISMS success relies on top
management commitment and the standard emphasises on this fact by designating this clause to
the leadership role and responsibility. Here is what senior management should do to show
support and engagement:

 Establishing the ISMS policy and objectives or an objective framework

 Aligning the ISMS policy and objectives with the overall business strategy
 Allocating all the necessary resources
 Communicating with and supporting people who have a role to play in
ISMSimplementation

6- Planning

When planning for ISMS, ISO 27001 is strongly concerned with identifying and treating risks
and opportunities. It requires organisations to have a risk management process in place that
defines, determines and addresses the risks; the standard also emphasises that this should be an
ongoing process to ensure the continual improvement in the company. What you have found in
terms of internal and external issues and interested parties requirement as result of clause 4
provides the risk management basis.

The other part of the planning relates to setting information security goals and planning to
achieve them. These goals should be aligned with the ISMS policy and risk management results.
At the same time, goals should be measurable and communicated through the organisation.

7- Support

An adequate level of supportis necessary to successfully implement and maintain ISMS in an

organisation. This clause suggests that you can provide support when there are enough resources,
competencies, communications and documented information related to the ISMS.

Resources include people, time, budget, information and infrastructure that might be required in
the process of complying to ISO 27001. Competencies relateto the people and their capabilities
to performtheir part in ISMS. On the other hand, a communication process should be available to
facilitate access to the information for people who need it. The range of communications should
include all the internal and external interested parties to the extent that is necessary. Smooth and
adequate communication is a key to ISMS.
8- Operation

At this point, you havealready defined the context of organisation, risks and opportunities and
planned the necessary processes toachieve ISMS goals and address the risks. Now it is time to
execute the plans.

When youimplement the processes and controls, you have to make sure the ISMS requirements
are met as planned and you are capable of taking proper actions when there is a change to your
scope.

The result of the operation phase should be monitored and reviewed in case an adjustment is
required; for example, when interested parties have new expectations or an unexpected change to
the ISMS occurs.

9- Performance evaluation

When the required processes are implemented, it is time to evaluate and see if the company has
reached the predefined outcomes. In the evaluation phase, you want to find answers to these
questions:

 How is the information security performance?

 How effective is the ISMS?

To answer these questions, you need to determine exactly how to measure the ISMS processes.
ISO 27001 expects organisations to have an internal audit program, which is responsible to see if
all the ISMS requirements are met.

Once again top management should carry out the task of reviewing the whole process and
ensuring that everything is still align with the overall goals and strategic direction of the
organisation.

10- Improvement

There is always room for improvement. This could happen through removing minor or major
nonconformities or through acting on new opportunities that can berevealed during different
steps of the ISMS process.

Since the overall context and scope of any organisation is a subject to constant changes, making
improvement to the ISMS must be an ongoing process and a critical part of an effective ISMS.

Annex A

Annex A outlines 114 security controls that an organisation should consider, these controls are
divided across 14 security domains which are:

 
Security Domain Security categories and control objectives
A.5.1 Management direction for
information security

A.5 Information security policies Objective: To provide management direction

and support for information security in
accordance with business requirements and
relevant laws and regulations.
A.6.1 Internal organisation

Objective: To establish a management

framework to initiate and control the
implementation of operation of information
A.6 Organisation of information security security within the organisation.
A.6.2 Mobile devices and teleworking

Objective: To ensure security of teleworking

and use of mobile devices.
A.7.1 Prior to employment

Objective: To ensure that employees and

contractors understand their responsibilities
and are suitable for the roles for which they
are considered.
A.7.2 During employment

A.7 Human resource security Objective: To ensure that employees and

contractors are aware of fulfil their
information security responsibilities.
A.7.3 Termination and change of
employment

Objective: To protect the organisations

interests as part of the process of changing or
terminating employment.
A.8 Asset management A.8.1 Responsibility for assets

Objective: To identify organisational assets

and define appropriate protection
responsibilities.
 A.8.2 Information classification

Objective: To ensure that information receives

an appropriate level of protection in
accordance with its importance to the
organisation.
A.8.3 Media handling

  Objective: To prevent unauthorised disclosure,

modification, removal or destruction of
information stored on media.
A.9.1 Business requirements of access
control

Objective: To limit access to information and

information processing facilities.
A.9.2 User access management

Objective: To ensure authorised user access

and to prevent unauthorised access to systems
A.9 Access control and services.
A.9.3 User responsibilities

Objective: To make users accountable for

safeguarding their authentication information.
A.9.4 System and application access control

Objective: To prevent unauthorised access to

systems and applications.
A.10.1 Cryptographic controls

A.10 Cryptography Objective: To ensure proper and effective use

of cryptography to protect the confidentiality,
authenticity and/or integrity of information.
A.11 Physical and environment security A.11.1 Secure areas

Objective: To prevent unauthorised physical

access, damage and interference to the
organisation’s information and information
processing facilities.
 A.11.2 Equipment

Objective: To prevent loss, damage, theft or

compromise of assets and interruption to the
organisation’s operations.
A.12.1 Operational procedures and
responsibilities

Objective: To ensure correct and secure

operations of information processing facilities
A.12.2 Protection from malware

Objective: To ensure that information and

information processing facilities are protected
against malware.
A.12.3 Backup

Objective: To protect against loss of data

A.12.4 Logging and monitoring
A.12 Operations Security
Objective: To record events and generate
evidence
A.12.5 Control of operational software

Objective: To ensure the integrity of

operational systems.
A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical

vulnerabilities
A.12.7 Information systems audit
considerations

Objective: To minimise the impact of audit

activities on operational systems.
A.13 Communications security A.13.1 Network security management

Objective: To ensure the protection of

information in networks and its supporting
information processing facilities.

A.14 System acquisition, development and
maintenance
A.15 Supplier relationships
A.16 Information security incident
management
A.13.2 Information transfer
Objective: To maintain the security of
information transferred within an organisation
and with any external entity.
A.14.1 Security requirements of
information systems
Objective: To ensure that information security
is an integral part of information systems
across the entire lifecycle. This also includes
the requirements for information systems
which provides services over public networks.
A.14.2 Security in development and support
processes
Objective: To ensure that information security
is designed and implemented within the
development lifecycle of information systems.
A.14.3 Test data
Objective: To ensure the protection of data
used for testing.
A.15.1 Information security in supplier
relationships
Objective: To ensure protection of the
organisations assets that is accessible by
suppliers.
A.15.2 Supplier service delivery
management
Objective: To maintain an agreed level of
information security and service delivery in
line with supplier agreements.
A.16.1 Management of information security
incidents and improvements
Objectives: To ensure a consistent and
effective approach to the management of
information security incidents, including
communication on security events and
 weaknesses.
A.17.1 Information security continuity

Objective: Information security continuity

shall be embedded in the organisations
A.17 Information security aspects of business continuity management systems.
business continuity management
A.17.2 Redundancies

Objective: To ensure availability of

information processing facilities
A.18.1 Compliance with legal and
contractual requirements

Objective: To avoid breaches of legal,

statutory, regulatory or contractual obligations
related to information security and of any
A.18 Compliance security requirements.
A.18.2 Information security reviews

Objective: To ensure that information security

is implemented and operated in accordance
with the organisational policies and
procedures.

Risk Management and Security Controls

ISO 27001 considers information security risk management to be the foundation of ISMS and
demands organisations to have a process for risk identification and risk treatment. It is through
this process that businesses can fully leverage the ISMS benefits.

For the sake of simplicity, you can think of risks as everything that could go wrong in the scope
of your ISMS, such as a damaged server or a hacked bank account. Although it might not be
clear how to create the risk management process when you first start off with ISO 27001. That
being said, this section can help you make a better sense of the risk management process through
couple of steps, which are simplified to give you just the general idea of what needs to be done.

First step: risk identification

This step includes finding all the risks in the scope of your ISMS that could compromise the
confidentiality, integrity and availability of information.You should develop some specific
criteria for accepting the risk and those criteria come from the internal and external issue as well
as interested party requirements (clause 4 of the standard).

Second step: risk owner identification

You need to determine exactly who is responsible for each specific risk. This person should also
have enough authority to act when it is necessary, for example, who is accountable when a USB
flash containing client information is lost.

Third step: risk prioritising

Think about the consequences of every single risk if it really happens and the likelihood of that
risk happening one day. Doing so, you will be capable of prioritising all the risks based on the
possibility of their occurrence and the severity of the results.

Fourth step: controls and statement of applicability (SoA)

After identifying all the ISMS risks in the step 1, now you have to associate each risk with one or
more appropriate control from ISO/IEC 27001:2013, Annex A.

There are 114 controls in Annex A which include policies, processes, procedures, organisational
structures and hardware and software functions that you can implement to address risks to your
ISMS.

Then you can create your SoA, which contains all the selected controls along with some
explanations. In the explanations, you should mention the reason for including that specific
control and its status, meaning whether it has been implemented or not, you also need to
elaborate on the controls you haven’t used.

Fifth step: risk treatment plan

In the final step of your risk management, you have to create the risk treatment plan based on
what you have done in previous steps. There is no specific framework that you need to use but
the plan could include the controls that need to be implemented, their status and the risk owners
who are responsible for implementing controls and measuring the results for future
improvements. The result of this step should be retain as documented information.

Certification to ISO 27001

What does an ISO certification body do: Stage 1 and Stage 2 with audit certification body

Third Party Certification is the process of having your Management System audited by an
independent third party. This type of auditing is typically used by Conformity Assessment
Bodies (CABs) who are regulated by a government organization known as JAS-ANZ. These
CABs can issue registered certificates of compliance to various standards such as ISO 9001, AS
4801, and ISO 14001.
Stage 1 and Stage 2

The formal assessment process includes two stages. In stage 1, the auditing body will confirm
whether you have met the requirements of your proposed scope and the objectives you have set
for yourself. If the auditing body finds any areas of concern, which is normal at this point, you
will have some extra effort to put in which results in a better ISMS.

The auditing body will give you some time to address the areas of concern, before beginning
stage 2 of the audit. In stage 2, your system will be assessed again to make sure that all areas of
concern are corrected and identify any non-conformances indicating lapse in the implemented of
ISMS processes.

At this point, if there are no major nonconformities, your certification can be issued; otherwise,
you will be given time to correct existing nonconformities before the next visit of the audit and
only after removing all the major nonconformities you will be eligible for ISO 27001
certification.

Surveillance Audits

Typically, the certification body will conduct an annual surveillance of your management system
for the first three years after your certification is issued. This way, you will be sure that
everything is working the way that you expected and your ISMSstill meets the ISO 27001
requirements.

ISO 27001 start to finish

Now that we have covered different aspects of this information security standard, to summarise,
we can put everything together and see how you should go through yourISO 27001
journey,generally speaking you need to:

 Read the standard requirements and understand how it can apply to your business
 Establish the scope of your ISMS
 Perform a gap analysis to see where you are standing with regard to your information
security and where the standard requires you to be
 Gather all the information or support you need for implementing your ISMS
 Arrange for a third party certification audit

At the end, you should build an ISMS that improves your overall business condition by
increasing your ROI and helping you stand out in the crowd, so you need to implement it
perfectly.Although the whole process could be easier and faster if you decide to work with a
consultant. Here at Compliance Council we have helped many companies and developed an 8
step process to assist you with developing and implementing an ISMS which put your business
on the path to becoming certified.