
Standards Plus Limited
Laurel House, 95 Hob Hey Lane
Culcheth, Warrington WA3 4NS
t 01925 765 050
e info@standardsplus.co.uk
w standardsplus.co.uk

ISO 27001 Information Security Management - in Layman's terms

Refer to the ISO 27001 document published in 2013: BS ISO/IEC 27001:2013.
Don't bother with anything before page 1 (at the bottom of the page), it's just warming up.
Info Sec = Information Security

Ref     Heading                                 Meaning
1.1     General                                 Ignore
1.2     Application                             Ignore
2       Normative references                    Ignore
3       Terms and definitions                   Ignore
4.1     Understanding the organisation          List the internal and external Info Sec issues.
4.2     Needs and expectations of               List the needs and expectations of interested parties.
        interested parties
4.3     Scope of Info Sec                       List what's in and what's out.
4.4     Info Sec management system              Need to have a working system.
5.1     Leadership                              The bosses need to take this seriously: time and effort.
5.2     Info Sec policy                         Grandstand statement on Info Sec.
                                                Must contain certain phrases (listed in the standard).
5.3     Organisation, roles and                 We need a list of who does what around here.
        responsibilities
6.1.1   Risks and opportunities - general       List the risks and opportunities linked to the issues and
                                                interested parties (from 4.1 and 4.2 above).
6.1.2   Info Sec risk assessment                Need a defined, repeatable method for assessing Info Sec
                                                risks, with an owner for each risk.
6.1.3   Info Sec risk treatment                 What we do to control the risks identified above.
                                                Needs to be checked against the Annex A controls
                                                (Statement of Applicability).
6.2     Objectives                              Info Sec objectives need to be set.
                                                Objectives need to be measurable.
7.1     Provision of resources                  We need sufficient manpower, machinery, materials and
                                                money to do the job.
7.2     Competence (training)                   We need a training plan.
                                                Every individual needs their own personal training record.
7.3     Awareness                               Staff and contractors need to be aware of Info Sec (the
                                                policy and their part in it).
7.4     Communication                           List the internal and external communications (what,
                                                when, who and how).
7.5.1   Documents - general                     Info Sec has to be written down.
7.5.2   Creating and updating documents         Document ID.
                                                Document review and approval.
7.5.3   Document control                        Documents need to be protected, stored, version
                                                controlled etc.
8.1     Operational control                     Need documented procedures, and records that they were
                                                followed.
8.2     Info Sec risk assessment                Actually carry out the risk assessment (6.1.2) at planned
                                                intervals and keep the results.
8.3     Info Sec risk treatment                 Need documented controls: carry out the risk treatment
                                                plan (6.1.3) and keep the results.
9.1     Measuring and monitoring performance    Need a procedure for measuring performance (what is
                                                measured, how, when and by whom).
9.2     Internal audit                          Written procedure required.
                                                Timetable (schedule) required.
                                                Trained people required (who don't audit their own work).
                                                Records of audits required.
9.3     Management review                       Minutes are required from the Directors' meeting.
                                                Have an agenda for the Directors' meeting (the standard
                                                lists what must be on it).
                                                The minutes need to say who will do what and by when.
10.1    Nonconformances (and Info Sec           Non-con, also known as a mistake or "WTF?".
        incidents)                              Written procedure required.
                                                Records of mistakes are required.
                                                Records of what we did to fix them are required.
10.2    Continual improvement                   We need to get better (all areas).

Annex A

Ref     Heading                                 Meaning
A.5     Info Sec policy                         Repeat of 5.2 above.
                                                Policy needs to be reviewed at planned intervals and after
                                                significant changes.
A.6.1   Internal organisation                   Repeat of 5.3 above, with more detail (segregation of
                                                duties, contact with authorities, Info Sec in projects).
A.6.2   Mobile devices and teleworking          Need a policy for all mobile and remote access devices.
A.7.1   Prior to employment                     Need pre-employment screening.
                                                Need Info Sec in contracts of employment.
A.7.2   During employment                       Need Info Sec awareness.
                                                Need breaches of Info Sec to be a disciplinary offence.
A.7.3   Changes to / end of employment          Info Sec does not finish when you leave!
A.8.1   Info Sec assets                         Need a list of assets, each with an owner.
                                                Need an acceptable use policy.
A.8.2   Info classification                     Need to classify information.
                                                Need to label it as well, and handle it according to the
                                                label.
A.8.3   Media handling                          Need procedures for handling and disposal of removable
                                                media and hardware.
A.9.1   Access control - policy                 Need a policy on access, including network access.
A.9.2   User management                         Need a procedure for registering / deregistering users.
                                                Passwords, usernames and permissions.
                                                Need to review privileges regularly (especially admin
                                                rights) and remove access when people leave or change job.
A.9.3   User responsibilities                   Keep secret authentication information secret (your
                                                mother's dog's favourite colour).
A.9.4   Access control - systems                Logging on, passwords, changing passwords.
                                                Restrict privileged utilities and access to source code.
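Added example for the A.9.2 row above (not part of the Standards Plus note or of the standard): a user access review script of the kind a reviewer runs to check that deregistration happened, that admin rights have a named approval, and that nobody has been forgotten. The account export, the HR leavers list and the approved administrators list are constructed sample data; the field names, the group name "domain-admins" and the 90-day dormancy threshold are assumptions.

```python
"""User access review (added example; not from the Standards Plus note).

Reconciles a directory account export against the HR leavers list and the
approved-administrators list, and returns the findings a reviewer has to
act on under A.9.2. All data is constructed; field and group names are
assumptions.
"""
from datetime import date

# Constructed sample export: one dict per account (assumed field names).
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "groups": ["staff", "domain-admins"], "last_login": "2024-05-20"},
    {"user": "bob",        "enabled": True,  "groups": ["staff"],                  "last_login": "2024-01-03"},
    {"user": "carol",      "enabled": True,  "groups": ["staff", "domain-admins"], "last_login": "2024-05-18"},
    {"user": "dave",       "enabled": False, "groups": ["staff"],                  "last_login": "2023-11-30"},
    {"user": "svc-backup", "enabled": True,  "groups": ["backup-operators"],       "last_login": None},
]
LEAVERS = {"bob", "dave"}           # constructed: from the HR leavers process (A.7.3)
APPROVED_ADMINS = {"alice"}         # constructed: who is authorised to hold admin rights
PRIVILEGED_GROUP = "domain-admins"  # assumption: the group that counts as admin rights
REVIEW_DATE = date(2024, 5, 21)
DORMANT_DAYS = 90                   # assumption: inactivity that triggers a query


def review_access(accounts, leavers, approved_admins, review_date, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding) pairs, one per problem found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Deregistration check: a leaver must not have an enabled account.
        if user in leavers:
            if acct["enabled"]:
                findings.append((user, "leaver still enabled: deregister"))
            continue  # nothing else to check on an account that should be gone
        # Privilege review: admin rights need a named approval.
        if PRIVILEGED_GROUP in acct["groups"] and user not in approved_admins:
            findings.append((user, f"{PRIVILEGED_GROUP} without approval: remove or approve"))
        # Dormant accounts are the usual leftover from an incomplete deregistration.
        if acct["enabled"]:
            last = acct["last_login"]
            if last is None:
                findings.append((user, "never logged in: confirm still needed"))
            else:
                idle = (review_date - date.fromisoformat(last)).days
                if idle > dormant_days:
                    findings.append((user, f"dormant for {idle} days: confirm or disable"))
    return findings


def review_report(findings, reviewer, review_date):
    """Render the findings as the record an auditor will ask to see (9.2)."""
    lines = [f"Access review {review_date.isoformat()} by {reviewer}: {len(findings)} finding(s)"]
    lines += [f"  {user}: {finding}" for user, finding in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = review_access(ACCOUNTS, LEAVERS, APPROVED_ADMINS, REVIEW_DATE)
    print(review_report(found, "reviewer", REVIEW_DATE))
```

The three inputs come from three different owners (the directory, HR and whoever approves admin rights), which is the point: a review that only looks at the directory cannot tell a leaver from a quiet employee. Keep the rendered report; it is the evidence that the review took place.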

A.10.1  Cryptographic controls                  Policy on the use of encryption, and management of the
                                                encryption keys.
A.11.1  Physical security                       Perimeter, building access, secure rooms, delivery areas.
A.11.2  Equipment                               Location, supporting services (power etc.), cabling,
                                                maintenance, unattended equipment, secure disposal or
                                                re-use.
                                                Clear desk and clear screen policy.
A.12.1  Operations                              Procedures need to be documented.
                                                Change management.
                                                Capacity management.
                                                Keep development, test and live systems separate.
A.12.2  Malware                                 Anti-virus (detection, prevention and recovery), plus
                                                user awareness.
A.12.3  Backup                                  Do backups and test them (actually restore from them).
A.12.4  Event logging                           Keep event logs and review them.
                                                Protect user event logs from alteration.
                                                Protect administrator and operator logs from alteration.
                                                Clock synchronisation (so logs from different systems
                                                line up).
A.12.5  Operating software                      Procedure for installing software on live systems.
A.12.6  Technical vulnerability                 Procedures for finding out about and applying software
                                                updates (patching).
                                                Rules on what software users may install.
A.12.7  Audit considerations                    Plan audits of live systems so they don't interfere with
                                                operations.
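Added example for the A.12.4 row above (not from the Standards Plus note or the standard): one way to make event logs tamper-evident. Each record carries the SHA-256 hash of the previous record, so editing, deleting, inserting or reordering a record after the fact breaks the chain; a checkpoint of the latest hash, kept where the log writer cannot change it, catches truncation of the tail as well. The events, user names and record layout are constructed assumptions.

```python
"""Tamper-evident event log (added example; not from the Standards Plus note).

Each record stores the SHA-256 hash of the previous record, so an edit,
deletion, insertion or reordering after the fact breaks the chain and is
caught by verify_chain(). A checkpoint of the latest hash, kept somewhere
the log writer cannot alter, additionally catches truncation of the tail.
Events, user names and field names below are constructed assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first record


def _digest(record):
    """Hash every field except the record's own hash, in a canonical encoding."""
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(chain, ts, user, action):
    """Append one event; its hash covers the event and the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"ts": ts, "user": user, "action": action, "prev": prev}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain, expected_head=None):
    """Return (ok, message). expected_head is a hash checkpointed off-host earlier."""
    prev, last_ts = GENESIS, ""
    for i, record in enumerate(chain):
        if record["prev"] != prev:
            return False, f"record {i}: chain break (a record was deleted, inserted or reordered)"
        if record["hash"] != _digest(record):
            return False, f"record {i}: contents altered"
        if record["ts"] < last_ts:  # ISO-8601 UTC strings sort chronologically
            return False, f"record {i}: timestamp goes backwards (clock not synchronised?)"
        prev, last_ts = record["hash"], record["ts"]
    if expected_head is not None and prev != expected_head:
        return False, "head does not match checkpoint (log truncated or replaced)"
    return True, f"{len(chain)} records intact"


def build_sample_chain():
    """Constructed sample: four events on one host."""
    chain = []
    append_event(chain, "2024-05-21T09:00:00Z", "alice", "login")
    append_event(chain, "2024-05-21T09:05:12Z", "alice", "read customer-db")
    append_event(chain, "2024-05-21T09:07:40Z", "root", "add user mallory")
    append_event(chain, "2024-05-21T09:08:01Z", "alice", "logout")
    return chain


def delete_record(chain, index):
    """Simulate an administrator removing the record of their own action."""
    bad = copy.deepcopy(chain)
    del bad[index]
    return bad


def edit_record(chain, index, **fields):
    """Simulate editing a record in place without recomputing any hashes."""
    bad = copy.deepcopy(chain)
    bad[index].update(fields)
    return bad


if __name__ == "__main__":
    log = build_sample_chain()
    head = log[-1]["hash"]  # checkpoint: send this off-host, e.g. to a separate log server
    print(verify_chain(log, head))
    print(verify_chain(delete_record(log, 2)))
    print(verify_chain(edit_record(log, 1, action="read nothing")))
    print(verify_chain(log[:-1]))        # chain alone cannot see a trimmed tail
    print(verify_chain(log[:-1], head))  # the checkpoint can
```

The chain tells you that something was changed and where, not who changed it; that is what the separate administrator log and the off-host copy are for. Note the last two calls: dropping the newest records leaves a perfectly valid shorter chain, so the head hash has to be checkpointed somewhere the administrators of the logging host cannot reach. The timestamp check is also why clock synchronisation is in the same control: without it, logs from two hosts cannot be put in order and a "backwards" timestamp is indistinguishable from drift.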

A.13.1  Network security                        Network controls.
                                                Service level agreements (security in network service
                                                agreements).
                                                Segregation of networks.
A.13.2  Information transfer                    Formal agreements on how information is exchanged (e.g.
                                                support calls, formal reports, electronic messaging).
                                                Non-disclosure agreements.
                                                Applies to all external organisations.
A.14.1  Public networks                         Info Sec requirements built into systems; Info Sec when
                                                applications use public networks.
A.14.2  Development and support                 Applies to software development.
                                                Applies to support services.
                                                Changes need to be controlled, reviewed, tested and
                                                accepted.
A.14.3  Test data                               Keep it safe (choose it carefully, protect it, control
                                                who uses it).
A.15.1  Suppliers                               Non-disclosure agreements and service level agreements
                                                need to include Info Sec.
A.15.2  Managing suppliers                      Monitor suppliers' performance.
                                                Changes to services need to be managed.
A.16.1  Info Sec incidents                      Same approach as 10.1 above: procedure for reporting and
                                                handling incidents, records of them, and lessons learned.
A.17.1  Business continuity                     Need a business continuity plan / disaster recovery plan.
                                                It needs to be tested (parts of it, at planned intervals).
A.17.2  Redundancies                            Need spare capacity (redundant equipment or sites) to meet
                                                availability requirements.
A.18.1  Legal compliance                        Need a procedure for keeping up to date with legislation.
                                                Need to be aware of our contractual obligations with
                                                customers.
                                                Need to be aware of intellectual property / licensing
                                                obligations.
A.18.2  Info Sec reviews                        Need an independent review of Info Sec from time to time,
                                                and checks that policies and standards are actually
                                                followed.

Don't bother with anything after page 22 (at the bottom of the page), it's just cooling down.
