The essential guide to ISO 27001

The facts in a nutshell

• The ISO 27001 standard provides the framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to help organisations secure their information assets.
• Displaying this accreditation boosts client confidence, promotes a security-conscious organizational culture and ensures continued compliance and improvement.
• An information security management system (ISMS) is a framework of policies and procedures to minimize risk incidents and ensure business continuity by mitigating the impact of a security breach.
• Adopting the international security standard ensures the best security practices and strategies to tighten information security in an organisation.

In this article

• What is ISO 27001?
• About the ISO and IEC
• Why is ISO 27001 important?
• What are the benefits of ISO 27001 compliance for your organisation?
• What is an ISMS?
• How is the ISO framework used?
• What are the 10 clauses of ISO 27001?
• What are the 4 themes of ISO 27001? 
• Is ISO 27001 a legal requirement?
• What are the best practices to follow when working toward ISO 27001 compliance?
• How can you achieve ISO 27001 compliance and certification?
• What are the advantages of ISO 27001 certification for an organisation?
• Who needs to be ISO 27001 certified?
• How much does it cost to become ISO 27001 certified?
• How long does it take to become ISO 27001 certified?
• How to maintain ISO 27001 certification
• Conclusion
• FAQs

What is ISO 27001?

ISO 27001, formally recognised as ISO/IEC 27001:2013 and recently updated to ISO/IEC 27001:2022, is the primary international standard for information security. This standard meticulously outlines best practices for establishing an Information Security Management System (ISMS). More than just a set of guidelines, ISO 27001, along with other ISO standards, is designed to implement, operate, monitor and maintain an ISMS, ensuring that organisations are equipped to address the people, process and technology challenges of information security.

This framework was developed out of a collaboration between the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It helps safeguard your information assets and assure your stakeholders about the safety of their data.

In this article, learn about what the ISO 27001 standard is, its purpose, ISO 27001 certification, how much it costs to be ISO 27001 certified, how businesses can benefit from being fully ISO 27001 certified and why this is important for the growth of your business.

About the ISO and IEC

The ISO is an international, non-governmental, independent body comprising multiple national standards. The role of the ISO is to develop and publish standardisation for many fields; as of 2022, there were 167 member countries within the ISO.

The IEC is also an international standards organisation, with its scope being limited to electrical, electronic and related technologies. These areas, collectively referred to as “electrotechnology”, are out of the scope of the ISO.

The ISO’s joint technical committee with the IEC was formed to develop Information and Communication Technology (ICT) standards for organisations worldwide.

Why is ISO 27001 important?

ISO 27001-certified organisations generally guarantee higher security for sensitive data. Their chances of being prosecuted or losing clients' trust as a result of a data breach are also very low. The implementation of a strong ISO 27001 ISMS may reduce the chance of suffering a data breach and losing clients' trust as a result.

ISO 27001 is intended to give a framework of policies, procedures and controls to organisations of all sizes and industries to reduce the risk of information security breaches. Those risks include but are not limited to:

• Physical hazards such as server room fires.
• Dangers posed by employees include willful data theft or errors due to lack of training and negligence.
• System and process hazards such as outdated software.
• Threats from cybercrime such as ransomware attacks.

In its framework, the norm includes all the risk controls (physical/technical/legal) and ensures that security controls are implemented to safeguard data and information.

What are the benefits of ISO 27001 compliance for an organisation?

A compliant ISO 27001 ISMS allows an organisation to identify and treat risks – but how will this help your organisation? Overall, ISO 27001 compliance has various benefits. 

• Building trust with stakeholders
  

  ISO 27001 equips an organisation with the information they need to protect valuable information by practising good information security. By complying with ISO 27001, an international standard, your customers, clients, and other key stakeholders are also aware that global best practices and processes have been set up to keep their information safe.

• Protecting your organisation from data breaches
  

  The ISO 27001 standard defines policies and regulations that, when implemented, work to protect an organisation from unauthorised access and eventual loss of data. These measures reduce the risk of data breaches and incurring regulatory fines. These policies guide processes across the organisational structure. Additionally, the ISO 27001 standard ensures that the incident is handled carefully and effectively if there is a breach or compromise.

• Securing your employee's personal data
  

  Third-party information is not the only information safeguarded under ISO 270001 - personal employee data is also protected. The organisation’s information security measures must be disclosed to all parties so they are aware of, in agreement with and consenting to them. This is a requirement of the standard to ensure that the organisation is in line with industry regulations and operating procedures.

   

  Though many businesses would appreciate a ready-made blueprint for implementing information security, the ISO 27001 can be vague and abstract, and for a good reason: it is meant to help organisations of all shapes and sizes. The goal isn’t to achieve “100 % security”, so to speak. Instead, each organisation must assess its risks and mitigate them according to their individual risk appetite.

   

  Organisations must set up an ISMS, an efficient, risk-based, and technology-neutral way to keep their information assets secure, informed by regular security risk assessments.

ISO 27001 ensures that your ISMS is up to an international information security standard. But what exactly does an ISMS do?

What is an ISMS?

An information security management system (ISMS) is an approach to/system of maintaining an organisation’s information security. It is a set of regulations that must be implemented in order to:

• Determine who your stakeholders are and what they anticipate from the organisation in terms of information security.
• Determine which information-related dangers exist.
• To achieve the defined requirements and manage risks, develop controls (safeguards) and other mitigation strategies.
• Set clear goals for what needs to be accomplished in terms of information security.
• Put in place all of the controls and other risk-reduction strategies.
• Measure whether the established controls are performing as planned on a regular basis.
• Make continual improvements to improve the overall performance of the ISMS.

Overall, an organisation can benefit from an ISMS in the following ways:

• To comply with legal requirements.
• To gain an edge over competitors.
• To avoid/reduce costs.
• To achieve a better organisational structure.

Organisations have the option to get their ISMS certified against ISO 27001. In some industries, certification is vital for securing large contracts.

But to get certified, you first need to build a successful ISMS. This is where ISO 27003  comes into play; it guides the implementation of an ISO 27001-compliant ISMS and the other steps of the ISO 27001 certification process.

As the “gold standard” in information security, the ISO 27001 standard has become integral to many organisations’ IT governance, risk and compliance management.

Now that you know what an ISMS is, let’s take a look at how the ISO 27001 framework is used and how it is connected.

How is the ISO framework used?

ISO 27001 is a risk management-based approach to information. Its main philosophy is to identify and systematically treat information security risks through controls. To clearly outline its framework, the ISO 27001 standard is broken into clauses and controls.

What are the 10 clauses of ISO 27001?

The ISO 27001 clauses facilitate understanding the standard and detail its requirements. In short, it lays the groundwork for anyone looking to align their organisation with the standard.

• Clause 1: Scope
• Clause 2: Normative references
• Clause 3: Terms and definitions

Clauses 1-3 outline general information about the standard. Clauses 4-10 define its requirements.

• Clause 4: Context of the organisation: It is important to remember the context of the organisation and define the scope of the ISMS. Requirements may extend beyond regulatory issues, which need to be identified and considered.
• Clause 5: Leadership: The commitment of higher management is vital to the success of the ISMS. Objectives and responsibilities must be properly assigned to meet the requirements of the standard. Similarly, necessary resources must be made available.
• Clause 6: Planning: When planning in an ISMS environment, it is important to note the following: the risk assessment should guide your information security objectives, and these objectives must align with your organisation’s overall objectives. Those involved with the organisation should work towards the security goals.
• Clause 7: Support: The awareness and commitment of employees is key to supporting your organisation’s information security cause. Furthermore, all relevant information should be documented, created, updated and controlled. The maintenance of this information is necessary for an effective ISMS.
• Clause 8: Operation: Previously identified risks must be addressed. Risk treatment methodologies and controls must be implemented.
• Clause 9: Performance evaluation: Internal audits and routine checks must be performed to confirm the effectiveness of implemented controls. The ISO 27001 standard requires monitoring, measurement, analysis, and evaluation of the ISMS.
• Clause 10: Improvement: A continuous process of improvement should be implemented to routinely weed out discrepancies and ineffective controls.

The second section of the ISO 27001 standard is Annex A controls. They are a list of 114 security objectives and controls that can be identified and applied to an organisation’s ISMS on a case-by-case basis. These controls are then categorised into 14 domains. These controls aren’t all mandatory; implementation depends on risk assessment and should cater to the organisation’s risk management process.

What are the 4 themes of ISO 27001? 

As of 2022, the ISO 27001 Annex A controls and domains have been restructured. Unlike the previous 114 controls and 14 domains, ISO/IEC 27001:2022 now has only 93 controls and 4 “themes” rather than domains.

The new ISO 27001 themes are:

• Organisational (37 controls) - Outlines the rules and expectations to be followed in relation to the organisation’s equipment, software and systems.
• Physical (14 controls) - Regulates security through the use of equipment and devices that people interact with, such as CCTV and alarm systems.
• Technological (34 controls) - Primarily implemented by adding components to the information system that strengthen its software, hardware and firmware. Installing antivirus programs is an example of this.
• People (8 controls) -  Implemented to prepare and equip individuals to perform their duties while remaining compliant with the organisation’s security objectives. Training programs are an example of this.

While several of the Annex A controls have been merged or renamed to reduce the number of controls, the biggest change is the addition of 11 new controls. They are:

• Threat intelligence
• Information security for the use of cloud services
• Information and communications technology for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering 
• Secure coding

Is ISO 27001 a legal requirement?

No, none of the controls are universally mandatory for compliance. The ISO 27001 standard recognises that the implementation of controls depends on the organisation’s needs and requirements. While it is not a universal requirement, some countries require organisations within certain industries to be ISO 27001 compliant.

Furthermore, private and public sector organisations may choose to stipulate ISO 27001 compliance as a legal requirement in any legal instruments (such as contracts or agreements) between them and stakeholders, including providers or contractors. Additionally, countries can require any organisations operating within their territory to comply with ISO 27001 in order to protect the information of its residents.

Before starting on the ISO 27001 implementation process, you could benefit from some best practices that would help make compliance and certification smoother.

What are the best practices to follow when working towards ISO 27001 compliance? 

The following best practices checklist can prepare you for and avoid complications during ISO 27001 certification. You will need to:

• Consult with your stakeholders and Identify their information security expectations
• Define the scope of your ISMS and information security controls
• Lay out a clear security policy
• Conduct a risk assessment to identify any existing and potential information security risks
• Implement controls and risk management methods with clear objectives
• Continuously evaluate the strength of your information security practices and assess risks on a regular basis

Once you have applied these best practices to your ISMS, it’s time to implement ISO 27001 in your organisation.

How can you achieve ISO 27001 compliance and certification?

As an organisation, you can stay compliant with ISO 27001 by following 7 steps, even if you decide not to pursue the certification.

Step 1: Complete gap analysis  

A gap analysis helps you determine which of your organisation's assets need to be protected and which processes have gaps that need to be addressed.

Step 2: Prioritise recommendations

After the gap analysis, you will be provided with a list of recommendations that must be implemented before your external audit.

Step 3: Asset management

All your information assets will need to be tracked and classified according to the level of protection needed. You will also need to assess the associated risk for each asset.

Step 4: Risk management 

For risk management, you can use the outcomes of the gap analysis to identify and mitigate risks in your ISMS.

Step 5: ISMS documentation

Documentation is needed to implement the ISMS-compliant processes, rules, and procedures. The Standard requires the following documents:

• The scope of the ISMS.
• Information security policy framework.
• Process of assessing information security risks.
• Process for assessing and treating information security risks.
• The Statement of Applicability.
• Objectives for information security.
• Competence evidence.
• Documented information that the organisation deems required for the ISMS to function effectively.
• Control and planning of operations.
• The results of the risk assessment for information security.
• The treatment of information security risks yielded the following results.
• Evidence of results monitoring and measuring.
• An internal auditing procedure that is documented.
• The audit programs' evidence, as well as the audit results.
• Evidence of management reviews' outcomes.
• Evidence indicating the nature of the nonconformities and any measures taken as a result.
• Evidence of the outcomes of any corrective actions that have been taken. 

Step 6: Internal audit

Internal audits of the ISMS are frequently required by ISO 27001. The personnel in charge of establishing and maintaining ISO 27001 compliance in your organisation must have a practical understanding of the lead audit process.

Step 7: Management review    

The ISO 27001 management review makes sure that an organisation's ISMS objectives are still relevant to the organisation's mission, problems, and risks related to its information assets. This step is also necessary for the certification process.

If your organisation is already ISO 27001 compliant, the next step would be to pursue certification. For ISO 27001 certification, follow this additional step:

Step 8: External audit and certification

Once your ISMS is up and running, the next step is to pursue ISO 27001 certification via an external audit. It is recommended that any organisation that wants to undergo an ISO 27001 certification needs to make sure they have their ISMS audited by an accredited body. Note that some organisations, such as automotive suppliers, will require an audit on TISAX® on top.

Download our ISO 27001 Implementation Roadmap Guide for a detailed look at these steps.

What are the advantages of ISO 27001 certification for an organisation?

An organisation becoming ISO 27001 certified provides a competitive advantage helping an organisation gain new business contracts and staying ahead of competitors who may not be certified. Here are a few:

• Attract new clients and improve your competitiveness
• Avoid the financial penalties and losses that data breaches can cause
• Continuously improve your brand perception
• Business, legal, economic, and regulatory obligations will all be met
• Improve your structure and concentration
• Reduce the number of audits required
• Obtain an unbiased assessment of your security posture

Our team of ISO 27001 consultants at Dataguard can guide you on the journey to certification and ensure the development and maintenance of a successful and ISO 27001-compliant ISMS.

Who needs to be ISO 27001 certified?

Organisations of all sizes across various industries can benefit from ISO 27001 certification. In some cases, they may be required to obtain it, mainly if they intend to or are already improving their information security, privacy, and asset protection processes.

Organisations that may need ISO 27001 certification include:

• Healthcare organisations - Healthcare organisations manage some of the world's most valuable information, including data on pharmaceutical R&D and private patient information. As a result, healthcare organisations must take rigorous precautions to secure their patients' personal data against hacking and other online dangers.
• Small businesses - With the introduction of new technologies, even small businesses are able to quickly collect large amounts of important data. ISO 27001 can aid in safely processing, storing, and managing this data.
• Banks and financial institutions - ISO 27001 certification demonstrates financial institutions’ commitment to information security management. It also ensures the security of software, projects, and client services.
• FinTech companies - Generally, FinTech companies rely on online platforms, which makes them more vulnerable to data breaches. ISO 27001 can help to set up transparent processes and identify security flaws to create a safer ISMS.

How much does it cost to be ISO 27001 certified?

It is difficult to determine the exact cost of getting certified, as this depends on a number of factors:

• The size of the company and physical/logical scope of the ISO-27001 certificate
• The current maturity level of the Information Security Management System (ISMS)
• The gap between the current state and the desired state of the control environment
• The in-house capability/capacity to develop the ISMS and close the identified gaps
• How quickly is the certificate required
  
  

  For a detailed cost breakdown, check out our guide to ISO 27001 Certification Cost.

How long does it take to become ISO 27001 certified?

Obtaining ISO 27001 can take anywhere from 3 to 20 months, depending on the resources and consultants you use. Outlined below is a rough estimate of the time it would take to obtain your certification if you choose to go with a consultant.

• 1 to 20 employees - Up to 3 months
• 20 to 50 employees - 3 to 5 months
• 50 to 200 employees - 5 to 8 months
• More than 200 employees - 8 to 20 months

It is also important to take into account several other factors that may affect the time it takes for you to obtain the certification, such as:

• The number of individuals on the ISMS implementation project (relative to the size of the business)
• The amount of time individuals have available to spend on the project
• Resources available to implement any new controls
• Engagement/endorsement/support from leadership
• The size of the organisation and complexity
• Auditor availability to conduct the external audit

When implementing your ISMS, you may experience unforeseen challenges which may delay certification as well.

How to maintain ISO 27001 certification

ISO 27001 certification requires recertification audits every three years. Organisations are also required to have mandatory surveillance audits at least once every year in between the external certification audits done every three years.

Your ISMS will be closely monitored by the organisation that issued your ISO 27001 certification. Over the three years, it will be subject to periodic external and internal maintenance audits. Treat these audits with the same level of importance as your first certification audit. Our ISO 27001 toolkit can assist you in maintaining your certification.

Conclusion

An ISO 27001 certification makes it easier to comply with legal requirements, highlights the trustworthiness of your business towards your partners and proves commitment to meeting the highest standards of information security. It definitely adds to your brand value, which inevitably leads to win-win outcomes. Check out our ISO 27001 roadmap and gain insights on the complete documentation for ISO 27001 implementation.

Need help navigating the world of information security or preparing for a certification audit? We’re happy to help – get in touch with one of our information security experts today.

FAQs

How many steps are there in ISO 27001 and what are they?

The ISO 27001 process comprises 8 steps; 7 to achieve compliance and an additional 1 to achieve certification.

Steps to ISO 27001 compliance:

Step 1: Complete gap analysis

Step 2: Prioritise recommendations

Step 3: Asset management

Step 4: Risk management

Step 5: ISMS documentation

Step 6: Internal audit

Step 7: Management review

Steps to ISO 27001 certification:

Step 8: External audit and certification

Who performs ISO 27001 audits?

It takes at least two audits to get ISO 27001 certified. The internal audit can be conducted by employees within the organisation, while the external audits need to be conducted by third-party certified and approved Certification Bodies (CBs).

What are the ISO 27001 requirements?

The ISO 27001 requirements are a set of clauses that can help you set up a strong information security policy for your organisation. They are:

Clause 4: Context of the organisation

Clause 5: Leadership

Clause 6: Planning

Clause 7: Support

Clause 8: Operation

Clause 9: Performance evaluation

Clause 10: Improvement

Why is ISO 27001 important?

ISO 27001 helps organisations implement an ISMS that complies with international information security standards. Organisations can protect sensitive data better, gain customer trust and avoid data breach fines with ISO 27001.

What are the three principles of ISO 27001?

The basic goal of ISO 27001 and an ISMS is to protect the three aspects of information – also known as the CIA triad:

• Confidentiality - Information can only be accessed by authorised personnel
• Integrity - Information can be changed only by authorised personnel
• Availability - Authorised personnel should be able to access information when needed

These pillars are implemented through a risk-management approach that covers an organisation’s people, processes and technology.

How difficult is achieving ISO 27001 certification?

If you already have good information security practices, achieving the ISO 27001 certification is simply a matter of framing and improving it. If you don’t, the ISO 27001 standard will help you build it from the ground up. See how long it takes to become ISO 27001 certified.

What happens if you fail an external ISO 27001 audit?

Failing an external audit from a Certification body audit may have your ISO 27001 certification revoked since external audits help reveal non-conformance and quality management issues. If you recently failed an audit, you can use it as a learning opportunity to improve your compliance and get back on track.

Can ISO 27001 help achieve GDPR compliance?

Article 24 of the GDPR says that you can show compliance by following codes of conduct and getting approved certifications like ISO 27001. So, certification with ISO 27001 can make it easier to meet GDPR requirements.

Which is better: ISO 27001 or NIST?

ISO 27001 is an international standard that was made for organisations that are more operationally mature. NIST was made for U.S. government agencies and is good for organisations that are just starting to make plans for risk management.

Which is better: ISO 27001 or SOC 2?

When compared to SOC 2, ISO 27001 is a more prescriptive certification that complies with universal standards across all industries and regions. However, SOC 2 allows for greater adaptation to each organisation's unique standards and requirements.

What is the latest version of ISO 27001?

In 2022, the international standard ISO 27001 was revised. The new standard is called ISO/IEC 27001:2022 and replaces the previous ISO 27001:2013. Your organisation must upgrade to ISO 27001:2022 before your next surveillance or recertification audit if you are presently certified to ISO 27001:2013.