

ISO 27001:2013

Gap Analysis

Gap analysis of the current management system's compliance and effectiveness against the requirements of the standard, documenting each gap found

Gap analysis is a technique for determining the steps needed to move from the current state to a desired future state. It answers three questions:

What is our current situation?

What is the target?

What is the difference between current and target?

Inventory List

Asset Register

Information Classification

Department Process and Procedures

Interviews of Employees

Analysis of Process and Procedures

Internal

Internal VA/PT Tests

Internal Application Assessments

External

External PT/Perimeter Tests

Physical Security Assessments

Social Engineering Attacks

History

1992

Industry code of good practice (September), initially published by the British Standards Institution (BSI);

This guide was the basis for the British Standard: BS 7799-1

1995

Release of BS 7799-1

1998

Release of the ISMS certification model (Published as BS 7799-2:1998)

1999

Revision of BS 7799-1:1999 (updates and addition of new security controls)

Release of BS 7799-2

2000

Release of ISO 17799

2002

Release of BS 7799-2:2002

2005

Publication of the new version of ISO 17799:2005

Release of ISO 27001:2005, which replaces BS7799-2

2007

Release of ISO 27002:2005, replacing ISO 17799:2005 (content unchanged; only the identification number changed)

Release of ISO 27006:2007

2008

Release of ISO 27005:2008

Release of ISO 27011:2008

2009

Release of ISO 27000:2009

Release of ISO 27004:2009

Release of ISO 27033-1:2009

2010

Release of ISO 27003:2010

Release of ISO 27033-3:2010

2011

Release of ISO 27005:2011

Release of ISO 27006:2011

Release of ISO 27007:2011

Release of ISO 27008:2011

2013

Revised version of ISO 27001

ISO 27001:2013 Sections

0 Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Context of the Organization

Understanding the organization and its context

Understanding the needs and expectations of interested parties

Determining the scope of the ISMS

Information security management system, ISMS maintenance

5 Leadership (top management)

Leadership and commitment

Policy, Security policy

Organizational roles, responsibilities and authorities

6 Planning

Information security objectives and planning to achieve them

Actions to address risks and opportunities

7 Support

Resources

Competence, Determine competence of people working

Awareness, Security awareness for people working

Communication, Determine need for internal and external communications

Documented information, Documented and publish necessary information

8 Operation

Operational planning and control, Plan, implement and control the required processes

Information security risk assessment, Perform risk assessments at planned intervals or after significant changes

Information security risk treatment, Implement risk treatment plan

9 Performance Evaluation

Monitoring, measurement, analysis and evaluation, Evaluate performance and effectiveness of ISMS

Internal audit, Conduct internal audits at planned intervals

Management review, Review of ISMS by management at regular intervals

10 Improvement

Nonconformity and corrective action, Actions for nonconformity

Continual improvement, Continually improve ISMS

Annex A

A5 Information security policies, A5.1 Management direction for information security

A6 Organization of information security, A6.1 Internal organization, A6.2 Mobile devices and teleworking

A7 Human resource security, A7.1 Prior to employment, A7.2 During employment, A7.3 Termination and change of employment

A8 Asset management, A8.1 Responsibility of assets, A8.2 Information classification, A8.3 Media handling

A9 Access control, A9.1 Business requirements of access control, A9.2 User access management, A9.3 User responsibilities, A9.4 System and application access control

A10 Cryptography, A10.1 Cryptographic controls

A11 Physical and environmental security, A11.1 Secure areas, A11.2 Equipment

A12 Operations security, A12.1 Operational procedures and responsibilities, A12.2 Protection from malware, A12.3 Backup, A12.4 Logging and monitoring, A12.5 Control of operational software, A12.6 Technical vulnerability management, A12.7 Information systems audit considerations

A13 Communications security, A13.1 Network security management, A13.2 Information transfer

A14 System acquisition, development and maintenance, A14.1 Security requirements of information systems, A14.2 Security in development and support processes, A14.3 Test data

A15 Supplier relationships, A15.1 Information security in supplier relationships, A15.2 Supplier service delivery management

A16 Incident management, A16.1 Management of security incidents and improvements

A17 Business continuity management, A17.1 Information security continuity, A17.2 Redundancies

A18 Compliance, A18.1 Compliance with legal and contractual requirements, A18.2 Information security reviews

General information

ISO 27001 is a set of guidelines and best practices for an Information Security Management System (NOT an Information Technology Security Management System)

Put simply, an ISMS has a business context, not just a technology context

Requirements

Context of Organization

Leadership

Planning

Support

Operation

Performance Evaluation

Improvement

Controls

2005 version: 11 control sections, 133 controls

2013 version: 14 control sections, 114 controls

Based on the PDCA cycle

Plan, Establish the ISMS

Do, Implement and operate the ISMS

Check, Monitor and review the ISMS

Act, Maintain and improve the ISMS

Implementation Process

1. Management Support

Obtain management interest

Clarify organization’s priorities

Define security objectives

Create business case and project plan

Identify roles and responsibilities

Get approval from the management

2. Scoping

Define organizational scope

Define physical scope

Define technology scope

3. Create Inventory Lists

Identify assets

Identify asset owner and information classification

4. Perform Gap Analysis

Conduct external assessments, technology perimeter assessment, physical security assessment

Conduct internal assessments, assessment of critical applications

Review departmental processes, interview department head, interview mid-level employee in the department, analyse process and practices

5. Perform Risk Assessment

Create a risk treatment policy

Define a risk calculation procedure

Calculate the risk

Identify controls to mitigate (remove/reduce/transfer) identified risks

6. Create SOA

Select the relevant controls from the standard

Create a document with the objectives/exceptions for the selected controls

7. Create RTP

Create a risk treatment plan

Obtain management approval

8. Create ISMS (Policies, Procedures, Training and Reports)

Create security policy

Create all referenced individual policies

Create procedure documents

Publish the policies

Conduct awareness training

9. Management Review / Internal Audit

Review all documentation

Review SOA, RTP and policies

Review controls

Measure effectiveness

10. Pre-Certification Audit

Conduct a mock audit

Identify all NCs

Take relevant actions to close identified NCs

Identify and contact a certification body for the audit

References / Publications

Guide to Implementing and Auditing of ISMS Controls

http://shop.bsigroup.com/ProductDetail/?pid=000000000030282631

How to Achieve 27001 Certification: An Example of Applied Compliance Management

http://www.amazon.com/How-Achieve-27001-Certification-Compliance/dp/0849336481/

3rd party software / toolkits

ISO27k Forum

ISO27k Toolkit, http://www.iso27001security.com/html/iso27k_toolkit.html

SANS

ISO 17799 Checklist, http://www.sans.org/score/checklists/ISO_17799_2005.doc

SANS Security Policy Project, http://www.sans.org/security-resources/policies/

SerNet

Verinice, http://www.verinice.org/en/

PTA

Practical Threat Analysis, http://www.ptatechnologies.com

Related ISO Standards

ISO 27002

Code of practice for information security controls

Generic guidance document

ISO 27011, Guidelines for telecommunications companies

ISO 27015, Guidelines for financial services

ISO 27019, Guidelines for energy utility companies

ISO 27799, Guidelines for healthcare companies

ISO 27003

Guidance on ISMS implementation

ISO 27004

Security metrics for measuring effectiveness

ISO 27005

Information security risk management

ISO 27006

Requirements of auditing / certification bodies

ISO 27007

Guidelines for ISMS auditing (management system)

ISO 27008

Guidelines for ISMS auditing (controls)

ISO 27010

Guidelines on inter-organisation communications

ISO 27013

Guidelines on integrating ISO 27001 and ISO 20000

ISO 27014

Guidelines for governance of information security

ISO 27031

Guidelines for business continuity (ICT)

ISO 27032

Guidelines for cybersecurity

ISO 27033

Guidelines for network security

ISO 27034

Guidelines for application security

ISO 27035

Guidelines for incident management

ISO 22301

Business Continuity Management standard

ISO 22301 is the updated version of the ISO 25999 standard

ISO 31000

Risk management - Principles and guidelines

Pre-certification audit

Simulation of an actual audit

Identify any NCs

Take necessary actions to close any identified NCs

Certification

Phase 1

Document review

1 day

Mandatory

Phase 2

Control review

Multi-day based on scope

Mandatory

Risk Management

Risk Management Policy

Risk Assessment Procedure

Procedure for Risk Calculation

Risk Assessment Document

RTP

Risk Treatment Plan

Policies and Procedures

Security Policy

Obtain management objectives

Create the policy

Reference the individual policies

Obtain management approval

Referenced Policies

Acceptable Use Policy

Email Use Policy

Internet Use Policy

Mobile Use Policy

Wireless Security Policy

Incident Handling Policy

Change Management Policy

...

Procedures

Define procedure to implement each policy

Scope

Organization Scope

Organizational units: department, service project, subsidiary, etc.

Organizational structures and responsibilities of managers

Business processes: sales management, procurement, hiring, etc.

Physical Scope

All physical locations, both internal and external, that are included in the ISMS should be considered.

Identify area (data centre/server rooms/specific area)

In the case of outsourced physical sites, the interfaces with the ISMS and the applicable service agreements have to be considered.

Information Systems Scope

Networks: internal networks, wireless networks, etc.

Operating Systems: Windows, Linux, etc.

Applications: CRM, payroll management software, ERP, utilities, databases

Data: customer records, medical data, research and development, etc.

Processes: Consider processes that transport, store or process information.

Telecommunications equipment: routers, firewalls, etc.

Any change in scope must be evaluated, approved and documented!

Mandatory Documents

Leadership

Logs of Management Review Meetings

Review Plans

Action Reports

ISMS Related

Scope Statement

Roles and Responsibilities Document

Statement of Applicability (SoA)

Security Metrics

Policies

Security Policy

Individual Policies

Procedure Documents

Risk Management

Risk Management Policy

Risk Assessment Procedure

Risk Assessment Document

Risk Treatment Plan

Security Awareness Training

Training Records

Training Material

Metrics

Other Documents

Operating Procedures

Document Control Procedure

Record Control Procedure

Corrective Action Procedure

Preventive Action Procedure

Statement of Applicability (SOA)

Statement of Applicability

Defines which controls from ISO 27001 you select to implement

A document listing the applicable controls along with their objectives

ISO 27001 does not specify the form of the statement of applicability.

It simply requires a list of the security controls, whether selected or not, the reasons for each choice, and the actions being implemented to meet each control selected in the document.

The additional controls put in place must also appear in the statement of applicability.

It is good practice to include in the statement of applicability the title or function of the person responsible for each control and the list of documents or records relating to it.
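The following is an added example (it is not code from the original mind map) that walks steps 5 and 6 of the implementation process above and produces a Statement of Applicability with the properties this section lists: every control appears whether selected or not, each has a recorded reason, selected controls carry a responsible role and related documents, and additional non-Annex A controls are included. The risk calculation (likelihood times impact on 1..5 scales), the risk appetite threshold of 8, the control subset, the owners and the sample risks are all constructed assumptions for illustration; ISO 27001 does not mandate any particular formula.

```python
"""Risk register to Statement of Applicability (SoA).

Added example, not part of the original mind map. The risk formula
(likelihood x impact on 1..5 scales) and the appetite threshold are
illustrative assumptions, not ISO 27001 requirements; all sample data
below is constructed.
"""
from dataclasses import dataclass, field

# Subset of Annex A control sections named on the page (assumed catalogue).
ANNEX_A = {
    "A8.2": "Information classification",
    "A9.2": "User access management",
    "A10.1": "Cryptographic controls",
    "A12.3": "Backup",
    "A12.4": "Logging and monitoring",
    "A12.6": "Technical vulnerability management",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                                # 1 (rare) .. 5 (almost certain)
    impact: int                                    # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # control ids that reduce this risk


def risk_score(risk):
    """Assumed risk calculation procedure: likelihood x impact."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on a 1..5 scale")
    return risk.likelihood * risk.impact


def treatment(score, appetite=8):
    """Risks within appetite are accepted; anything above must be reduced."""
    return "accept" if score <= appetite else "reduce"


def build_soa(risks, owners, extra_controls=None, appetite=8):
    """Return {control_id: row}; every control gets a row, selected or not.

    extra_controls lets additional (non-Annex A) controls appear in the SoA,
    as the page requires.
    """
    catalogue = dict(ANNEX_A)
    catalogue.update(extra_controls or {})
    soa = {
        cid: {"title": title, "selected": False, "owner": None,
              "reasons": ["no risk above appetite requires this control"],
              "documents": []}
        for cid, title in catalogue.items()
    }
    for risk in risks:
        score = risk_score(risk)
        if treatment(score, appetite) != "reduce":
            continue                      # accepted risk: selects no controls
        for cid in risk.controls:
            if cid not in soa:
                raise KeyError(f"{cid} is not in the control catalogue")
            row = soa[cid]
            if not row["selected"]:       # first selection replaces the exclusion reason
                row["selected"] = True
                row["reasons"] = []
                row["owner"] = owners.get(cid)
            row["reasons"].append(
                f"treats '{risk.threat}' on {risk.asset} (score {score} > appetite {appetite})")
            row["documents"].append(f"Risk Treatment Plan entry: {risk.asset}/{risk.threat}")
    return soa


def validate_soa(soa):
    """Check the SoA properties the page lists; return a list of findings."""
    findings = []
    for cid, row in soa.items():
        if not row["reasons"]:
            findings.append(f"{cid}: no reason recorded for selection or exclusion")
        if row["selected"] and not row["owner"]:
            findings.append(f"{cid}: selected but no responsible role assigned")
        if row["selected"] and not row["documents"]:
            findings.append(f"{cid}: selected but no related document listed")
    return findings


# Constructed sample register and owner assignments (A12.6 deliberately has no owner).
SAMPLE_RISKS = [
    Risk("customer database", "credential theft", 4, 5, ["A9.2", "A12.4"]),
    Risk("customer database", "ransomware", 3, 5, ["A12.3", "A12.6"]),
    Risk("intranet wiki", "accidental disclosure", 2, 2, ["A8.2"]),
]
SAMPLE_OWNERS = {"A9.2": "IT Operations Manager", "A12.4": "SOC Lead",
                 "A12.3": "IT Operations Manager"}

if __name__ == "__main__":
    soa = build_soa(SAMPLE_RISKS, SAMPLE_OWNERS)
    for cid, row in soa.items():
        state = "SELECTED" if row["selected"] else "excluded"
        print(f"{cid:6} {row['title']:36} {state:8} owner={row['owner']} reasons={row['reasons']}")
    for finding in validate_soa(soa):
        print("FINDING:", finding)
```

Running the script prints one SoA row per control and a single finding, because A12.6 is selected by the ransomware risk but has no owner in the sample assignments; the two accepted or unaffected controls (A8.2, A10.1) still appear with an exclusion reason, which is the point of the "selected or not" requirement.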

This freeware, non-commercial mind map was carefully hand crafted with passion and love for learning and constant improvement... (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me for :-) Mirosław Dąbrowski, Poland/Warsaw.

http://www.miroslawdabrowski.com

http://www.linkedin.com/in/miroslawdabrowski

https://www.google.com/+MiroslawDabrowski

https://play.spotify.com/user/miroslawdabrowski/

https://twitter.com/mirodabrowski

miroslaw_dabrowski

White Papers

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf