ISO 27001 is an international security standard that regulates information security across an organisation. It is part of the ISO/IEC 27000 series, which deals with information security. Read on to learn more.
The facts in a nutshell
- The ISO 27001 standard provides the framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to help organizations secure their information assets.
- Displaying this accreditation boosts client confidence, promotes a security-conscious organizational culture and ensures continued compliance and improvement.
- An information security management system (ISMS) is a framework of policies and procedures to minimize risk incidents and ensure business continuity by mitigating the impact of a security breach.
- Adopting the international security standard ensures best security practices and strategies to tighten information security in an organisation.
In this article
- What exactly is ISO 27001?
- About the ISO and IEC
- Why is ISO 27001 important?
- What are the benefits of ISO 27001 compliance for your organisation?
- What is an ISMS?
- How is the ISO 27001 framework used?
- What are the ISO 27001 clauses?
- What are the ISO 27001 Annex A controls?
- Is ISO 27001 a legal requirement?
- How can you achieve ISO 27001 compliance?
- What are the advantages of ISO 27001 certification for an organisation?
- How much does it cost to become ISO 27001 certified?
- ISO 27001:2013 and ISO 27001:2017: What's the Difference?
What exactly is ISO 27001?
ISO 27001, formally known as ISO/IEC 27001:2013, is the international standard for information security; the version of the standard currently in use was published in 2013. This framework was developed out of a collaboration between the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).
As the global standard, it lays out the best practices for an information security management system (ISMS). ISO 27001 is one out of a family of ISO standards designed to implement, operate, monitor and maintain an ISMS.
In this article, learn about what the ISO 27001 is, its purpose, ISO 27001 certification, how much it costs to be ISO 27001 certified, how businesses can benefit from being fully ISO 27001 certified and why this is important for the growth of your business.
About the ISO and IEC
The ISO is an international, independent, non-governmental body made up of multiple national standards bodies. Its role is to develop and publish standards for many fields; as of 2022, the ISO had 167 member countries.
The IEC is also an international standards organisation, with its scope being limited to electrical, electronic and related technologies. These areas, collectively referred to as “electrotechnology”, are out of the scope of the ISO.
The ISO’s joint technical committee with the IEC was formed to develop Information and Communication Technology (ICT) standards for organisations worldwide.
Why is ISO 27001 important?
In short, ISO 27001 is meant to provide organisations of all sizes and industries with a framework of policies, procedures and controls to mitigate the risk of information security breaches. Those risks include but are not limited to:
- Physical hazards such as server room fires.
- Dangers posed by employees such as willful data theft or errors due to lack of training as well as negligence.
- System and process hazards such as outdated software.
- Threats from cybercrime such as ransomware attacks.
In its framework, the standard covers all categories of risk controls (physical, technical and legal) and ensures that security controls are implemented to safeguard data and information.
What are the benefits of ISO 27001 compliance for an organisation?
A compliant ISO 27001 ISMS allows an organisation to identify and treat risks – but how will this help your organisation? Overall, ISO 27001 compliance helps you:
- Build trust with stakeholders
ISO 27001 equips an organisation with the information they need to protect valuable information by practising good information security. An ISO 27001 compliant organisation provides their customers, clients and key stakeholders assurance that necessary security measures have been implemented to safeguard information.
- Protect your organisation from data breaches
The ISO 27001 standard defines policies and regulations that, when implemented, work to protect an organisation from the unauthorised access, and eventual loss, of data. Having these measures in place reduces the risk of data breaches and incurring regulatory fines. These policies guide processes across domains, and the ISO 27001 standard ensures careful and effective information security incident management in the event of a breach or compromise.
- Secure your employees' personal data
It is not only third-party information that is safeguarded under ISO 27001 — personal employee data is also protected. The organisation’s information security measures must be disclosed to all parties so they are aware of, in agreement with and consenting to them. This is a requirement of the standard to ensure that the organisation is in line with industry regulations and operating procedures.
Though many businesses would appreciate a ready-made blueprint for implementing information security, the ISO 27001 can be vague and abstract, and for good reason: it is meant to help organisations of all shapes and sizes. The goal isn’t to achieve “100 % security”, so to speak. Instead, each organisation must assess its risks and mitigate them according to their individual risk appetite.
To do this, organisations have to set up an ISMS, an efficient, risk-based, and technology-neutral way to keep their information assets secure, informed by regular information security risk assessments.
What is an ISMS?
An information security management system (ISMS) is a systematic approach to maintaining an organisation’s information security. It is a set of regulations that must be implemented in order to:
- Determine who your stakeholders are and what they anticipate from the organisation in terms of information security.
- Determine which information-related dangers exist.
- To achieve the defined requirements and manage risks, develop controls (safeguards) and other mitigation strategies.
- Set clear goals for what needs to be accomplished in terms of information security.
- Put in place all of the controls and other risk-reduction strategies.
- Measure whether the established controls are performing as planned on a regular basis.
- Make continual improvements to improve the overall performance of the ISMS.
Overall, an organisation can benefit from an ISMS in the following ways:
- To comply with legal requirements.
- To gain an edge over competitors.
- To avoid/reduce costs.
- To achieve a better organisational structure.
Organisations have the option to get their ISMS certified against ISO 27001. In some industries, the certification is vital for securing large contracts. The certification can increase trust and drive business opportunities. As the “gold standard” in information security, ISO 27001 has become an integral aspect of many organisations’ IT governance, risk and compliance management.
Now that you know what an ISMS is, let’s take a look at how the ISO 27001 framework is used and how it is connected.
How is the ISO 27001 framework used?
ISO 27001 is a risk-management-based approach to information security. Its main philosophy is to identify and systematically treat information security risks through controls. To clearly outline its framework, the ISO 27001 standard is broken into clauses and controls.
What are the ISO 27001 clauses?
The ISO 27001 clauses facilitate an understanding of the standard and detail its requirements. In short, they lay the groundwork for anyone looking to align their organisation with the standard.
- Clause 0: Introduction
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
Clauses 0-3 outline general information about the standard. Clauses 4-10 define its requirements.
- Clause 4: Context of the organisation
It is important to remember the context of the organisation and define the scope of the ISMS. Requirements may extend beyond regulatory issues, which need to be identified and considered.
- Clause 5: Leadership
The commitment of higher management is vital to the success of the ISMS. Objectives and responsibilities must be properly assigned to meet the requirements of the standard. Similarly, necessary resources must be made available.
- Clause 6: Planning
When planning in an ISMS environment, it is important to note the following: the risk assessment should guide your information security objectives, and these objectives must align with your organisation’s overall objectives. Those involved with the organisation should work towards the security goals.
- Clause 7: Support
The awareness and commitment of employees is key to supporting your organisation’s information security cause. Furthermore, all relevant information should be documented, created, updated and controlled. The maintenance of this information is necessary for an effective ISMS.
- Clause 8: Operation
Previously identified risks must be addressed. Risk treatment methodologies and controls must be implemented.
- Clause 9: Performance evaluation
Internal audits and routine checks must be performed to confirm effectiveness of implemented controls. The ISO 27001 standard requires monitoring, measurement, analysis, and evaluation of the ISMS.
- Clause 10: Improvement
A continuous process of improvement should be implemented to routinely weed out discrepancies and ineffective controls.
The second section of the ISO 27001 standard is Annex A controls. They are a list of 114 security objectives and controls that can be identified and applied to an organisation’s ISMS on a case-by-case basis. These controls aren’t all mandatory; implementation depends on risk assessment and should cater to the organisation’s risk management process.
What are the ISO 27001 Annex A controls?
These controls span 14 categories and address potential risks to all facets of an organisation. The controls you select will be informed by the risks you’ve identified. The Annex A controls cover the following domains:
- 5 Information security policies
- 6 Organisation of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 System acquisition, development and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity management
- 18 Compliance
ISO 27001 compliance is not only restricted to information technology (IT), but covers all areas of an organisation, taking into account people, processes and technology. To learn more, read our comprehensive guide on ISO 27001 controls.
The controls included in Annex A can be technical, organisational, legal, physical or HR-related.
- Technical controls are primarily implemented by adding components to the information system that strengthen its software, hardware and firmware. Installing antivirus programs is an example of this.
- Organisational controls outline the rules and expectations to be followed in relation to the organisation’s equipment, software and systems.
- Legal controls concern compliance. They are implemented to ensure rules and expectations align with the legal contracts and regulations the organisation is bound to.
- Physical controls regulate security through the use of equipment and devices that people interact with, such as CCTV and alarm systems.
- Human resource controls are implemented to prepare and equip individuals to perform their duties while remaining compliant with the organisation’s security objectives. Training programs are an example of this.
Is ISO 27001 a legal requirement?
The ISO 27001 standard recognises that the implementation of controls depends on the organisation’s needs and requirements. While it is not a universal requirement, some countries require organisations within certain industries to be ISO 27001 compliant.
Furthermore, private and public sector organisations may choose to stipulate ISO 27001 compliance as a legal requirement in any legal instruments (such as contracts or agreements) between them and stakeholders, including providers or contractors. Additionally, countries can require any organisation operating within their territory to comply with ISO 27001 in order to protect the information of their residents.
How can you achieve ISO 27001 Compliance?
As an organisation, you have the option to remain compliant with the ISO 27001 standard without pursuing official certification. You may consider this checklist of best practices to follow when working toward ISO 27001 compliance:
- Consult with your stakeholders and identify their information security expectations
- Define the scope of your ISMS and information security controls
- Lay out a clear security policy
- Conduct a risk assessment to identify any existing and potential information security risks
- Implement controls and risk management methods with clear objectives
- Continuously evaluate the strength of your information security practices and assess risks on a regular basis
Here's a detailed breakdown of the journey to ISO 27001 compliance:
1. Read the standard
- Reading the standard gives you a good understanding of ISO 27001 and its requirements. There are numerous ways to improve your ISO 27001 knowledge.
- To learn more about the standard, download a free whitepaper.
2. Determine the scope, context and goals
- From the start, it's critical to define the project's and ISMS's goals, as well as the project's budget and timeline. You must decide whether you will hire a consultant or have the necessary in-house skills.
3. Create a management structure
- The management framework outlines the procedures that a business must follow in order to achieve its ISO 27001 implementation goals.
- The ISMS's accountability, a schedule of activities, and regular auditing are among the mechanisms that promote a cycle of continuous improvement.
4. Conduct risk assessment
- While ISO 27001 does not specify a risk assessment methodology, it does stipulate that the risk assessment be conducted in a formal manner.
- This involves the planning of the procedure as well as the documentation of the data, analysis, and results.
5. Implement risk mitigation controls
- The organisation must determine whether to address, tolerate, terminate, or transfer the risks after they have been identified.
- All risk response decisions must be documented since the auditor will want to review them during the registration (certification) audit.
6. Examine and update the necessary documentation
To support the appropriate ISMS processes, rules, and procedures, documentation is required. The following documentation is required by the Standard:
- The scope of the ISMS.
- Information security policy framework.
- Process of assessing information security risks.
- Process for assessing and treating information security risks.
- The Statement of Applicability.
- Objectives for information security.
- Competence evidence.
- Documented information that the organisation deems required for the ISMS to function effectively.
- Control and planning of operations.
- The results of the risk assessment for information security.
- The results of information security risk treatment.
- Evidence of results monitoring and measuring.
- An internal auditing procedure that is documented.
- Evidence of the audit programme(s) and the audit results.
- Evidence of management reviews' outcomes.
- Evidence indicating the nature of the nonconformities and any measures taken as a result.
- Evidence of the outcomes of any corrective actions that have been taken.
7. Measure, track and evaluate
- ISO 27001 encourages continuous improvement. This requires ongoing analysis and monitoring of the ISMS's effectiveness and compliance, as well as the identification of improvements to existing processes and controls.
8. Perform an internal audit
- Internal audits of the ISMS are required by ISO 27001 on a frequent basis. The manager in charge of establishing and maintaining ISO 27001 compliance must have a practical understanding of the lead audit process.
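Steps 4 to 6 above (assess risks, decide how each is treated, document the decisions and the Statement of Applicability) are what an auditor reviews at certification. The following is an added example, not code from the original article or from the standard: a small risk register that flags treatment decisions an auditor would challenge and derives a Statement of Applicability over the Annex A domains listed above. ISO 27001 prescribes no assessment method, so the 5x5 likelihood-times-impact scoring, the risk-appetite threshold and the sample risks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Annex A control domains of ISO/IEC 27001:2013 (numbers as in the article).
ANNEX_A_DOMAINS = {
    5: "Information security policies", 6: "Organisation of information security",
    7: "Human resource security", 8: "Asset management", 9: "Access control",
    10: "Cryptography", 11: "Physical and environmental security",
    12: "Operations security", 13: "Communications security",
    14: "System acquisition, development and maintenance", 15: "Supplier relationships",
    16: "Information security incident management",
    17: "Information security aspects of business continuity management", 18: "Compliance",
}

class Treatment(Enum):
    ADDRESS = "address"      # reduce the risk by implementing controls
    TOLERATE = "tolerate"    # accept the risk because it sits within appetite
    TERMINATE = "terminate"  # stop the activity that gives rise to the risk
    TRANSFER = "transfer"    # share the risk, e.g. insurance or a supplier contract

@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) .. 5 (severe); assumed scale
    treatment: Treatment
    justification: str       # the documented reason for the treatment decision
    controls: tuple = ()     # Annex A domain numbers applied (for ADDRESS)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

RISK_APPETITE = 6  # assumed threshold: scores above this may not simply be tolerated

def review_treatment(risks, appetite=RISK_APPETITE):
    """Return findings: treatment decisions that lack the evidence an auditor expects."""
    findings = []
    for r in risks:
        if not r.justification.strip():
            findings.append(f"{r.risk_id}: treatment decision is not documented")
        if r.treatment is Treatment.TOLERATE and r.score > appetite:
            findings.append(f"{r.risk_id}: score {r.score} exceeds appetite {appetite} but is tolerated")
        if r.treatment is Treatment.ADDRESS and not r.controls:
            findings.append(f"{r.risk_id}: 'address' chosen but no controls assigned")
    return findings

def statement_of_applicability(risks):
    """Mark each Annex A domain applicable or not, citing the risks that justify it."""
    soa = {}
    for domain, name in ANNEX_A_DOMAINS.items():
        linked = sorted(r.risk_id for r in risks
                        if r.treatment is Treatment.ADDRESS and domain in r.controls)
        soa[domain] = {"name": name, "applicable": bool(linked), "justified_by": linked}
    return soa

# Constructed sample register, built from the risk examples the article names.
SAMPLE_RISKS = (
    Risk("R1", "Server room", "Fire", 2, 5, Treatment.ADDRESS, "Suppression, off-site backups", (11, 17)),
    Risk("R2", "File servers", "Ransomware", 4, 5, Treatment.ADDRESS, "Patching, malware protection, IR plan", (12, 16)),
    Risk("R3", "HR records", "Wilful theft by staff", 2, 4, Treatment.ADDRESS, "Screening, least privilege", (7, 9)),
    Risk("R4", "Legacy kiosk", "Outdated software", 3, 3, Treatment.TOLERATE, "Isolated network segment"),
    Risk("R5", "Payroll SaaS", "Provider outage", 2, 3, Treatment.TRANSFER, ""),
)

if __name__ == "__main__":
    for finding in review_treatment(SAMPLE_RISKS):
        print("FINDING:", finding)
    for d, e in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"A.{d} {e['name']}: {'applicable' if e['applicable'] else 'not applicable'} {e['justified_by']}")
```

Run as written, the review flags R4 (tolerated above appetite) and R5 (undocumented decision), and the Statement of Applicability marks six domains applicable, leaving the remaining eight to be justified as exclusions.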
If your business is already ISO 27001 compliant, the next step would be to pursue certification, especially if you have already adhered to the best practices and aligned your organisation’s information security practices with the standard’s requirements.
What are the advantages of ISO 27001 certification for an organisation?
Becoming ISO 27001 certified gives an organisation a competitive advantage, helping it win new business contracts and stay ahead of competitors who may not be certified. Here are a few of the benefits:
- Attract new clients and improve your competitiveness
- Avoid the financial penalties and losses that data breaches can cause
- Continuously improve your brand perception
- Business, legal, economic, and regulatory obligations will all be met
- Improve your structure and concentration
- Reduce the number of audits required
- Obtain an unbiased assessment of your security posture
Our team of ISO 27001 consultants at Dataguard can guide you on the journey to certification, and ensure the development and maintenance of a successful and ISO 27001 compliant ISMS.
How much does it cost to be ISO 27001 certified?
It is difficult to determine the exact cost of getting certified, as this depends on number of factors:
- The size of the company and the physical/logical scope of the ISO 27001 certificate
- The current maturity level of the Information Security Management System (ISMS)
- The gap between the current state and the desired state of the control environment
- The in-house capability/capacity to develop the ISMS and close the identified gaps
- How quickly the certificate is required
For a detailed cost breakdown, check out our guide to ISO 27001 Certification Cost.
ISO 27001:2013 and ISO 27001:2017: What's the Difference?
The latest published version of the ISMS standard is BS EN ISO/IEC 27001:2017. The 2017 publication was introduced to indicate that the standard had been approved, by the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC), for use as a European Standard (hence the “EN” designation).
In short, there are no significant differences between the older and updated versions of the standard. ISO 27001:2017 contains a few minor changes to terminology, specifically in Clause 6.1.3 and Annex A control 8.1, but no significant changes to how an organisation complies.
An ISO 27001 certification makes it easier to comply with legal requirements, highlights the trustworthiness of your business towards your partners and proves your commitment to meeting the highest standards of information security. It adds to your brand value, which leads to win-win outcomes. Check out our ISO 27001 roadmap and gain insights on the complete documentation for ISO 27001 implementation.
Need help navigating the world of information security, or in preparing for a certification audit? We’re happy to help – get in touch with one of our information security experts today.
What does ISO 27001 mean?
The full name for ISO 27001 is ISO/IEC 27001:2013; it is a standard for information security developed through a partnership between the ISO and the IEC.
What are the ISO 27001 requirements?
The certification process is stringent and takes a matter of months to complete. Therefore, many documents, records and processes are required that may differ on a case-by-case basis. Here are some you can expect:
- Scope of the Information Security Management System
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk Treatment Plan
- Risk assessment and risk treatment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Legal, regulatory, and contractual requirements
- Records of training, skills, experience and qualifications
- Monitoring and measurement of results
- Internal audit programme and results
- Results of the management review
- Non-conformities and results of corrective actions
- Logs of user activities, exceptions, and security events
What is ISO 27001 and why is it important?
ISO 27001 is the international standard for information security and demonstrates a commitment to the protection of valuable information assets. Aligning with the standard prevents data breaches and related fines, and gives an organisation a competitive edge.
What are the three principles of ISO 27001?
ISO 27001 addresses three pillars of information security: confidentiality, integrity and availability. It does this through a holistic risk-management approach that covers an organisation’s people, processes and technology.
Does implementing an ISMS according to ISO 27001 help with GDPR compliance?
Unfortunately, not a great deal. This is because data privacy and information security come from two different vantage points. Data privacy laws such as the GDPR are meant to protect the people behind the data. Information security is supposed to protect businesses from certain risks.
There is an overlap between the two. For instance, both GDPR and ISO 27001 call for the implementation of technical and organisational measures. Envision a big data breach caused by a cyber-attack, for instance. Preventing such a disaster is both in the interest of data privacy as well as information security. Therefore, the Data Protection Officer (DPO) and the Chief Information Security Officer (CISO) – or whoever handles the information security of an organisation – can benefit greatly from joining forces.
Are you looking to simplify your approach towards ISO 27001 compliance?
Whether you are looking for industry-specific advice, support to set up your information security management system (ISMS), or preparation for an external audit, we have you covered.
Meet your information security goals today.