What does ISO 27001 actually look like?

ISO/IEC 27001 is divided into 11 sections (clauses 0 through 10) and Annex A. Clauses 0 through 3 are introductory (and not required for implementation), while clauses 4 through 10 are mandatory - that is, all of their requirements must be implemented in an organization. The controls in Annex A must be applied only if they are declared applicable in the Statement of Applicability.

In accordance with Annex SL of the ISO/IEC Directives, the chapter headings in ISO 27001 are the same as in other management system standards, which makes it easier to integrate it with standards such as ISO 22301:2012 and ISO 9001:2015.

Chapter 0: Introduction - explains the purpose of ISO 27001 and its compatibility with other management standards.

Chapter 1: Scope - explains that this standard may be applied to any organization.

Chapter 2: Normative references - refers to ISO/IEC 27000 as the standard in which terms and definitions are given.

Chapter 3: Terms and definitions - again refers to ISO/IEC 27000.

Chapter 4: Context of the organization - this chapter is part of the Plan phase of the Plan-Do-Check-Act (PDCA) cycle and defines the requirements for understanding external and internal issues, interested parties and their requirements, and for defining the scope of the ISMS.

Chapter 5: Leadership - this chapter is part of the Plan phase in the PDCA cycle and defines senior management responsibilities, the assignment of roles and responsibilities, and the contents of the top-level information security policy.

Chapter 6: Planning - this chapter is part of the Plan phase in the PDCA cycle and describes the requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and the setting of information security objectives.

Chapter 7: Support - this section is part of the Plan phase in the PDCA cycle and defines requirements for the availability of resources, competence, awareness, communication, and the control of documents and records.

Chapter 8: Operation - this section is part of the Do step in the PDCA cycle and defines the implementation of the risk assessment and treatment as well as the controls and other processes required to achieve information security objectives.

Chapter 9: Performance evaluation - this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.

Chapter 10: Improvement - this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrective actions, and continual improvement.

Annex A - this annex presents a catalog of 114 controls (safeguards) grouped into 14 sections (A.5 to A.18).

Compulsory documents:

ISO 27001 requires the following documents to be written:

Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 and 6.2)
Risk assessment report (clause 8.2)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Legal, regulatory and contractual requirements (clause A.18.1.1)

Compulsory records:

Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3)

Of course, if a company deems it necessary, it may decide to write additional security documents.

How to get a certificate?

Organizations can obtain a certificate to prove that they comply with all the mandatory requirements of the standard.
In order for an organization to be certified, it must implement the standard in the manner described in the previous sections, and then pass a certification audit conducted by a certification body.

The certification audit is performed in the following stages:

Stage 1 audit (document review) - the auditors review all the ISMS documentation.
Stage 2 audit (main audit) - the auditors conduct an on-site audit to check that all activities in the company comply with ISO 27001 and with the company's own ISMS documentation.

Surveillance visits - after the certificate is issued, during its 3-year validity, the auditors will check whether the company maintains the ISMS.