The ISO/IEC 27001:2013 report is a high-level summary of how an organization's externally observable security posture lines up with ISO/IEC 27001:2013 (explained below), using Security Ratings risk vectors and data as supporting evidence, much like our data-driven, organization-specific NIST Cybersecurity Framework report.
The report is generated automatically from Security Ratings data and can be accessed at any time. It is meant to supplement, not replace, your existing self-assessment and audit processes, and to save time when you start qualifying vendors, clients, and parent companies against the ISO/IEC 27001 standard.
Share the report with regulators, auditors, and clients or vendors so they get a clear picture of the company's cyber security performance, and that of its vendors, as it relates to the ISO/IEC 27001 standard.
Frequently Asked Questions
What is the ISO/IEC 27001:2013 report?
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
The standard defines the requirements (clauses 4 to 10) and the Annex A control objectives and controls; the report grades an organization against them using Security Ratings data as evidence.
What is in the ISO/IEC 27001 report?
The report shows our evaluation of how well an organization meets the requirements of the standard: which of the organization's risk vectors and data count as evidence for each requirement or control, and a grade for each one derived from the grades of the risk vectors used. Reading the report shows which risk vectors an organization should improve in order to raise its ISO/IEC 27001 grades.
How do I obtain a copy of my organization's ISO/IEC 27001 report?
Visit the Security Ratings overview page for any organization, including your own, and choose View ISO/IEC 27001 Report from the Reports menu.
How is the ISO/IEC 27001 report organized?
The report evaluates the standard's requirements, listed as Req. #, and the Annex A control objectives and their controls, listed as A.#. Both are nested.
For example, in the sample report image, Req. 8.2 (Information security risk assessment) sits under Req. 8 (Operation). Similarly, the control objective A.18.2 (Information security reviews) sits under A.18 (Compliance).
How are control objectives mapped with evidence?
We have coordinated with industry professionals to determine which of our data can be mapped to requirements and objectives.
How are requirements and controls graded?
Requirements and control objectives are graded A through F and are calculated as a grade point average of control evidence grades, which are sourced directly from our Security Ratings data. An A for a requirement or control objective indicates overall good evidence grades, and therefore strong coverage within the requirement or control; an F indicates the company needs to make significant improvements to their cybersecurity posture.
How much of the ISO/IEC 27001 is covered?
While we can help support a company's alignment from the outside using our data sources, certain mappings require internal evidence for which we have no outside visibility. For example, Requirement 5.1, Leadership and commitment, states that "Top management shall demonstrate leadership and commitment with respect to the information security management system (...)". Nothing observable from the network perimeter can establish that, so such requirements must be assessed through other channels. We only report on requirements and controls for which we have qualifying data.
How is the report graded?
The grade for a requirement or control is the weighted average of the risk vector grades used as its evidence. Risk vector data comes directly from that organization's Security Ratings report.
Data Breaches, Open Ports, Botnet Infections, Potentially Exploited and Torrents carry a higher weight than the other risk vectors, so a poor grade in one of those vectors pulls down the average for a control objective or requirement more than a poor grade in any other vector.
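A worked illustration of the grading described above, added here as an example; it is not Bitsight's code and the actual scoring is not published on this page. It assumes a 4-point grade scale, a weight of 2 for the heavier-weighted vectors versus 1 for the rest, and letter cut-offs at 3.5/2.5/1.5/0.5; the control-to-vector mappings come from the tables further down this page, and the sample vector grades are constructed. It shows how the extra weight on Botnet Infections and Potentially Exploited pulls A.12.2.1 from a B down to a C, and how a control whose only evidence (Forensics) is unavailable is skipped rather than penalized.

```python
"""Weighted grade-point average for ISO/IEC 27001 requirements and controls.

Added illustration, not Bitsight code. The page names the heavier-weighted
risk vectors but publishes neither the weights, the point scale nor the
letter cut-offs; those are assumptions below."""

GRADE_POINTS = {"A": 4.0, "B": 3.0, "C": 2.0, "D": 1.0, "F": 0.0}  # assumed scale

# Vectors the page says carry more weight than the others.
HEAVY_VECTORS = {"Data Breaches", "Open Ports", "Botnet Infections",
                 "Potentially Exploited", "Torrents"}
HEAVY_WEIGHT = 2.0   # assumed; the page does not publish the weight
NORMAL_WEIGHT = 1.0

# Control -> supporting risk vectors, as listed in this page's tables.
CONTROL_EVIDENCE = {
    "A.12.2.1": ["Spam Propagation", "Unsolicited Comm.", "Malware Servers",
                 "Botnet Infections", "Potentially Exploited"],
    "A.13.1.1": ["SSL Certificates", "SSL Configurations", "Open Ports"],
    "A.16.1.7": ["Forensics"],  # customer-only feature, absent in others' views
}

# Constructed risk-vector grades for a fictional organization. "Forensics" is
# deliberately missing to show that an unavailable vector is skipped, not penalized.
SAMPLE_GRADES = {
    "Spam Propagation": "A", "Unsolicited Comm.": "A", "Malware Servers": "B",
    "Botnet Infections": "F", "Potentially Exploited": "C",
    "SSL Certificates": "B", "SSL Configurations": "D", "Open Ports": "F",
}


def to_letter(gpa):
    """Map a grade-point average back to a letter (assumed cut-offs)."""
    if gpa >= 3.5:
        return "A"
    if gpa >= 2.5:
        return "B"
    if gpa >= 1.5:
        return "C"
    if gpa >= 0.5:
        return "D"
    return "F"


def grade_control(control, vector_grades, weighted=True):
    """Grade one control from whichever of its supporting vectors have a grade.

    Returns (letter, gpa, vectors_used), or None when none of the control's
    supporting vectors is graded (the report omits such controls)."""
    used, points, total_weight = [], 0.0, 0.0
    for vector in CONTROL_EVIDENCE[control]:
        if vector not in vector_grades:
            continue  # feature not purchased or no data: no penalty
        weight = HEAVY_WEIGHT if (weighted and vector in HEAVY_VECTORS) else NORMAL_WEIGHT
        points += weight * GRADE_POINTS[vector_grades[vector]]
        total_weight += weight
        used.append(vector)
    if not used:
        return None
    gpa = round(points / total_weight, 2)
    return to_letter(gpa), gpa, used


def grade_report(vector_grades, weighted=True):
    """Grade every control that has at least one graded supporting vector."""
    report = {}
    for control in CONTROL_EVIDENCE:
        result = grade_control(control, vector_grades, weighted)
        if result is not None:
            report[control] = result
    return report


if __name__ == "__main__":
    for control, (letter, gpa, used) in grade_report(SAMPLE_GRADES).items():
        print(f"{control}: {letter} (GPA {gpa}) from {', '.join(used)}")
    # Same evidence without the extra weight on the two heavy vectors:
    print("A.12.2.1 unweighted:", grade_control("A.12.2.1", SAMPLE_GRADES, weighted=False)[0])
```

Run as a script, it prints one line per graded control; A.16.1.7 is absent from the output because its only evidence vector has no grade in the sample, which mirrors the "no penalty, simply not shown" rule described under Supported Requirements and Controls below.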
Supported Requirements and Controls
Below is a list of requirements and controls with their supporting risk vectors and data. If a requirement or control is not listed, we do not support it yet. If a requirement or control is graded from the ratings product, Forensics, Bitsight Discover, or Benchmarking, it appears only in your own organization's report, and only if your organization has purchased that feature; it does not appear in ISO reports that other organizations generate about you.
If your organization lacks a product or feature needed to grade a requirement or control, there is no penalty: that requirement or control is simply omitted from the report.
Requirements
* Only shown in your own report if your organization is a Bitsight customer. Does not appear in ISO/IEC 27001 reports on your organization generated by others.
Requirement | Description | Supporting evidence | Summary |
---|---|---|---|
* 8.2 Information security risk assessment | (Re)assess and document information security risks regularly, and on changes. | Ratings product | The use of a Bitsight report is a significant part of the security risk assessment program and as such should in part demonstrate the implementation of a program. |
* 9.1 Monitoring, measurement, analysis and evaluation | Monitor, measure, analyze, and evaluate the ISMS and the controls. | ||
* 9.2 Internal Audit | Plan & conduct internal audits of the ISMS. | ||
10.1 Nonconformity and corrective action | Identify, fix, and take action to prevent recurrence of nonconformities, and document the actions. | Bitsight rating, rating improvement over 6 months | The use of Bitsight and the generation of a security ratings report is a significant part of the vulnerability management program and, as such, should in part demonstrate the implementation of vulnerability detection and mitigation activities. |
10.2 Continual improvement | The organization shall continually improve the suitability, adequacy, and effectiveness of the information security management system. | | Using ratings, an organization can attest to the continual improvement of its security posture. |
Control Objectives and Controls
* Only shown in your own report if your organization is a Bitsight customer. Does not appear in ISO/IEC 27001 reports on your organization generated by others.
A.5: Information Security Policies
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.5.1: Management direction for information security | Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | | |
A.5.1.1: Policies for information security | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | Bitsight rating, rating increase over 6 months | Using ratings, an organization can confirm the effectiveness of its policies by quantifying its security posture over time. |
A.6: Organization of information security
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.6.2: Mobile devices and teleworking | Objective: To ensure the security of teleworking and use of mobile devices. | | |
A.6.2.1: Mobile device policy | A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | Mobile Software | We support this control with evidence of the mobile operating system (OS) and web browser versions observed from the organization's network, evaluating whether those versions are up to date. |
A.8: Asset Management
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.8.1: Responsibility for assets | Objective: To identify organizational assets and define appropriate protection responsibilities. | | |
A.8.1.3: Acceptable use of assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | File Sharing | We support this control with File Sharing evidence, which shows whether employees are using the company's assets to share or download potentially illegal or risky content. |
A.10: Cryptography
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.10.1: Cryptographic controls | Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | | |
A.10.1.1: Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | SSL Configurations, SSL Certificates | We support this control with evidence from the organization's externally reachable TLS/SSL endpoints: whether certificates are valid and correctly deployed, and whether the TLS configuration uses current protocol versions and cipher suites or allows weak or failing ones. This is evidence of cryptography as actually deployed at the perimeter, not of the written policy itself. |
A.12: Operations security
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.12.2: Protection from malware | Objective: To ensure that information and information processing facilities are protected against malware. | | |
A.12.2.1: Controls against malware | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | Spam Propagation, Unsolicited Comm., Malware Servers, Botnet Infections, Potentially Exploited | We support this control with Compromised Systems evidence: botnet infections, spam propagation, unsolicited communications, malware servers and potentially exploited hosts observed communicating from within the organization's network during external observation of its perimeter. Each such sighting means malware controls failed on at least one host, so a poor grade here is a strong signal even though the observation is external. |
A.12.6: Technical vulnerability management | Objective: To prevent exploitation of technical vulnerabilities. | | |
A.12.6.1: Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | Patching Cadence, Server Software, Mobile Software, Desktop Software | We support this control with Patching Cadence evidence on devices observed at the organization's network perimeter (how quickly known vulnerabilities are remediated), OS and web browser versions observed on mobile and desktop devices, and software versions of observed Server Software packages. |
A.12.6.2: Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented. | File Sharing | We support this control with File Sharing evidence, which shows whether employees are using the company's assets to share or download potentially illegal or risky content. |
A.13: Communications security
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.13.1: Network security management | Objective: To ensure the protection of information in networks and its supporting information processing facilities. | | |
A.13.1.1: Network controls | Networks shall be managed and controlled to protect information in systems and applications. | SSL Certificates, SSL Configurations, Open Ports | We support this control with evidence from externally reachable TLS/SSL endpoints (certificate validity and deployment, and whether protocol and cipher settings are current or weak), and with Open Ports observed on firewalls and other devices during external observation of the organization's network perimeter. |
A.13.1.2: Security of network services | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | SSL Certificates, SSL Configurations, Open Ports, SPF, DKIM, DNSSEC | We support this control with the same TLS/SSL and Open Ports evidence as A.13.1.1, plus SPF, DKIM and DNSSEC records, which show whether recipients can authenticate mail sent from the organization's domains and whether its DNS responses can be validated. |
A.13.2: Information transfer | Objective: To maintain the security of information transferred within an organization and with any external entity. | | |
A.13.2.1: Information transfer policies and procedures | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | Spam Propagation, Unsolicited Comm., Malware Servers, Botnet Infections, Potentially Exploited, SSL Configurations, SSL Certificates, File Sharing | We support this control with TLS/SSL evidence (certificate validity and deployment, and whether protocol and cipher settings are current or weak); File Sharing evidence, which shows whether employees are using the company's assets to share or download potentially illegal or risky content; and Compromised Systems evidence such as botnets, spam propagation and malware servers observed communicating from within the organization's network during external observation of its perimeter. |
A.14: System acquisition, development & maintenance
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.14.1: Security requirements of information systems | Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. | | |
A.14.1.2: Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | SSL Configurations, SSL Certificates | We support this control with evidence from externally reachable TLS/SSL endpoints: certificate validity and deployment, and whether protocol and cipher settings are current or weak. |
A.14.1.3: Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | SSL Configurations, SSL Certificates | We support this control with evidence from externally reachable TLS/SSL endpoints: certificate validity and deployment, and whether protocol and cipher settings are current or weak. |
A.15: Supplier relationships
* Only shown in your own report if your organization is a Bitsight customer. Does not appear in ISO/IEC 27001 reports on your organization generated by others.
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.15.1: Information security in supplier relationships | Objective: To ensure protection of the organization's assets that are accessible by suppliers. | | |
* A.15.1.1: Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented. | Vendor Risk Management | Using ratings for vendor risk management (VRM) is a significant part of a supplier risk management program and should in part demonstrate the implementation of the program. |
A.15.2: Supplier service delivery management | Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. | | |
* A.15.2.1: Monitoring and review of supplier services | Organizations shall regularly monitor, review and audit supplier service delivery. | Bitsight Vendor Risk Management | Using ratings for VRM is a significant part of a supplier risk management program and should in part demonstrate the implementation of the program. |
A.16: Information security incident management
* Only shown in your own report if your organization is a Bitsight customer. Does not appear in ISO/IEC 27001 reports on your organization generated by others.
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.16.1: Management of information security incidents & improvements | Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. | | |
* A.16.1.1: Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | Bitsight Security Ratings | The rating measures the performance of an organization's security posture. |
* A.16.1.7: Collection of evidence | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | Forensics | We support this control with Forensics evidence, which gives the details of malware communications observed from devices during external observation of the organization's network perimeter. |
A.18: Compliance
* Only shown in your own report if your organization is a Bitsight customer. Does not appear in ISO/IEC 27001 reports on your organization generated by others.
Control | Description | Supporting Risk Vector(s) | Summary |
---|---|---|---|
A.18.2: Information security reviews | Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. | | |
* A.18.2.1: Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | Bitsight Security Ratings | We support this control with our ratings product, which aggregates and correlates data from multiple external sources and sensors and can be used to validate that relevant policies are being followed in practice. |
* A.18.2.2: Compliance with security policies and standards | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | Bitsight Security Ratings | We support this control with our ratings product, which aggregates and correlates data from multiple external sources and sensors and can be used to validate that relevant policies are being followed in practice. |
* A.18.2.3: Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. | Bitsight Security Ratings | We support this control with our ratings product, which aggregates and correlates data from multiple external sources and sensors and can be used to validate that relevant policies are being followed in practice. |