Email: enquiry@iascertification.com
IAS Canada

ISO 27001 Requirements

About ISO 27001 requirements

Looking to obtain ISO 27001 certification but unsure exactly what is required? This guide explains the key documents and processes you will need to prepare your organization for certification.

About ISO 27001

ISO/IEC 27001 – currently the 2022 edition – is the international standard for establishing, operating, and continually improving an information security management system (ISMS). It sets out the requirements and control mechanisms organizations can use to protect their customers’ and clients’ personal information from security risks and attacks. Implementing it builds customer confidence in your operations and security.

ISO 27001 requirements

ISO 27001 documentation

ISO 27001 does not impose a single, one-size-fits-all security approach, because every organization faces unique information security concerns. Instead, the standard requires you to develop the processes and policies that suit your context – and by demonstrating these, you show successful implementation. The key documents include the following.

Scope of the ISMS

This document outlines the operations the Information Security Management System (ISMS) will cover and the boundaries that apply. It describes the products and services your company offers and where (regionally, across Canada, across North America, or worldwide), and specifies which parts of the organization – processes, locations, departments, and divisions – are within the ISMS.

  • Information Security Policy and objectives: A statement that your organization’s objective is to handle data securely, in line with applicable laws and ethical obligations, and with a commitment to continual improvement.
  • Risk assessment and treatment methodology: How you identify information security risks and how you plan to mitigate and resolve them when they arise.

Statement of Applicability (SoA)

The Statement of Applicability explains which of the 93 information security controls in Annex A of ISO/IEC 27001:2022 you apply, and why. (The 2022 revision reorganized Annex A into 93 controls across four themes – Organizational, People, Physical, and Technological – replacing the 114 controls in 14 categories used by the 2013 version.) In the SoA you: 

  • Identify which controls apply to your organization
  • State why they apply
  • Describe how they have been implemented
  • Justify why any controls were not selected (exclusions)

Risk Treatment Plan

Once you have decided which controls to use, the Risk Treatment Plan sets out how you will put the relevant controls in place, who is responsible for implementation, what resources are needed, and how much time it will take.

  • Roles and responsibilities: Defines the roles and responsibilities of each job involved in information security.
  • Inventory of assets: Documents every asset used to store data – desktops, laptops, servers, phones, and tablets, as well as physical papers, financial data, email systems, and cloud services.
  • Acceptable use of assets: Because these assets handle sensitive data, this defines how permanent and temporary staff and contractors may use them.
  • Access control policy: Helps ensure sensitive information is only accessible to those who need it.
  • IT management operating procedures: Documented procedures for areas where sensitive information is at risk from faulty IT use – identified by your risk assessments.
  • Secure system engineering principles: How you apply security to new IT projects and existing infrastructure, including business continuity and disaster preparedness as well as firewalls and secure passwords.
  • Supplier security policy: Sets security expectations for suppliers, so a supplier’s weaknesses do not expose your data to theft or loss.
  • Incident management procedure: Documented protocols for how your organization responds to an information security breach.
  • Business continuity procedures: Defined procedures so the organization can keep operating during a data security incident.
  • Contractual, legal, and regulatory obligations: Documents the obligations that apply to how you manage information, and acts as a quick reference for staff.
  • Training, skills, and qualification records: Shows that employees have the expertise to understand the requirements, and that your organization invests in ongoing training and development.
  • Internal audit and outcomes: Internal audits assess the effectiveness of the ISMS and your information security performance, and help demonstrate compliance. Any non-conformities and the actions taken must be documented.

ISO 27001 and information security in Canada

In Canada, organizations have legal obligations to protect personal information – under the federal PIPEDA and provincial laws such as Quebec’s Law 25. ISO 27001 gives Canadian organizations a structured, internationally recognized way to demonstrate that they manage information security risk effectively, which supports these obligations and builds trust with customers and partners.

ISO 27001 certification

You do not need every document above from day one – what matters most is the willingness to put these processes and policies in place to strengthen your information security. The path to ISO 27001 certification begins with an external auditor from a certification body assessing your ISMS and identifying any gaps. You then make the necessary changes before the auditor returns for a second assessment to confirm they have been addressed. Once all requirements are met, your organization is awarded certification.

Contact IAS today to learn more about ISO 27001, or visit our frequently asked questions page.

Explore Now

  • ISO 27001 Certification in Canada – information security certification
  • ISO 27001 Training in Canada – lead auditor, internal auditor, and awareness courses
  • VAPT Certification in Canada – penetration testing that supports ISO 27001 controls

Frequently Asked Questions

How many controls are in ISO 27001 Annex A?

ISO/IEC 27001:2022 has 93 controls organized into four themes (Organizational, People, Physical, and Technological). The earlier 2013 version had 114 controls in 14 categories.

What is the Statement of Applicability?

The SoA is the document that lists every Annex A control and states whether it applies (and how it is implemented) or is excluded (and why).

Do I need all these documents to start?

No – it is more important to be ready to put the right processes and policies in place. The exact documentation depends on your organization and its risks.

Which edition of ISO 27001 is current?

ISO/IEC 27001:2022.

How does ISO 27001 relate to Canadian privacy law?

It provides a recognized framework for managing information security risk, supporting obligations under PIPEDA and provincial privacy laws such as Quebec’s Law 25.

How does certification work?

An external auditor assesses your ISMS, you close any gaps, and after a follow-up assessment confirming the changes, certification is awarded.

Integrated Assessment Services
Copyright © 2026. All Rights Reserved