ISO/IEC 27001 Information Security Management (ISMS)

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. ISO/IEC 27001 helps you implement a robust approach to managing information security (infosec) and building resilience.

About ISO/IEC 27001

Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today, but also for the future. That’s how ISO/IEC 27001 protects your business, your reputation and adds value.

ISO 27001 definition: What is ISO 27001?

ISO/IEC 27001:2013 (also known as ISO27001) is the international standard for information security. It sets out the specification for an information security management system (ISMS).

The information security management system standard’s best-practice approach helps organisations manage their information security by addressing people, processes and technology.

Certification to the ISO 27001 Standard is recognised worldwide as an indication that your ISMS is aligned with information security best practice.

Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that helps organisations “establish, implement, operate, monitor, review, maintain and continually improve an ISMS”.

Speak to an ISO 27001 expert

Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard. Throughout your project, we can support you, from carrying out an initial gap analysis to choosing a certification body. Speak to one of our experts for more information on how we can help you.

What is an ISMS?

An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets. It consists of policies, procedures and other controls involving people, processes and technology.
Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.

ISO 27001 clauses and controls

The Standard has ten management system clauses. Together with Annex A, which lists 114 information security controls, they support the implementation and maintenance of an ISMS, as shown in the infographic below.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context
  5. Leadership
  6. Planning and risk management
  7. Support
  8. Operations
  9. Performance evaluation
  10. Improvement

ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.

Implementing the Standard helps you meet the information security requirements of laws such as the EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. This helps reduce the costs associated with data breaches.

Protect all forms of information, whether digital, hard copy or in the Cloud.

Increase your organisation’s resilience to cyber-attacks.

Implement only the security controls you need, helping you get the most from your budget.

Constantly adapt to changes both in the environment and inside.

An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security as part of their everyday working practices.

Certification demonstrates your organisation’s commitment to data security and provides a valuable credential when tendering for new business.

ISO/IEC 27001:2013 controls

The Standard doesn’t mandate that all 114 Annex A controls be implemented. A risk assessment should determine which controls are required and a justification provided as to why other controls are excluded from the ISMS.

Below is the list of control sets.

  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

How to achieve ISO 27001 compliance

Implementing an ISMS involves:

  • Scoping the project.
  • Securing management commitment and budget.
  • Identifying interested parties and legal, regulatory and contractual requirements.
  • Conducting a risk assessment.
  • Reviewing and implementing the required controls.
  • Developing internal competence to manage the project.
  • Developing the appropriate documentation.
  • Conducting staff awareness training.
  • Reporting (e.g. the Statement of Applicability and risk treatment plan).
  • Continually measuring, monitoring, reviewing and auditing the ISMS.
  • Implementing the necessary corrective and preventive actions.

Demonstrating GDPR compliance with ISO 27001 and ISO 27701

Like all ISO management system standards, ISO 27001 follows Annex SL. This common high-level structure makes it easier to implement integrated management systems that conform to multiple standards.

For instance, an ISO 22301-compliant BCMS (business continuity management system) could share components with an ISO 27001-compliant ISMS.

ISO/IEC 27701:2019 (ISO 27701) is an extension to ISO 27001 which expands its requirements to cover privacy management — including the processing of personal data/PII (personally identifiable information).

Implementing an integrated management system that combines an ISMS and an ISO 27701-compliant PIMS (privacy information management system) will help you meet the GDPR’s requirements for managing, processing and protecting personal data.

ISO 27001 benefits

ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft.

Certification to ISO/IEC 27001 demonstrates that an organisation has defined and put in place best-practice information security processes. Not all organisations choose to get certified but use ISO 27001 as a framework for best practice.

How you will benefit from ISO 27001 certification

Not only does ISO 27001 certification help you demonstrate good security practices, thereby improving working relationships and retaining existing clients, but it also gives you a proven marketing edge against your competitors, putting you alongside the likes of Google, Microsoft and Amazon.

The global average cost of a data breach has skyrocketed to $3.86 million (a 6.4% increase from 2017), according to Ponemon.

As the accepted global benchmark for the effective management of information assets, ISO 27001 enables organisations to avoid the potentially devastating financial losses caused by data breaches.

Cyber attacks are increasing in volume and strength daily, and the financial and reputational damage caused by an ineffectual information security posture can be disastrous.

Implementing an ISO 27001-certified ISMS helps to protect your organisation against such threats and demonstrates that you have taken the necessary steps to protect your business.

The Standard is designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the EU General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (transposed into UK law as the NIS Regulations).

When a business grows rapidly, it doesn’t take long before there is confusion about who is responsible for which information assets. The Standard helps businesses become more productive by clearly setting out information risk responsibilities.

ISO 27001 certification provides a globally accepted indication of security effectiveness, negating the need for repeated customer audits, which reduces the number of external customer audit days.

Certification to ISO 27001 involves undertaking regular reviews and internal audits of the ISMS to ensure its continual improvement. In addition, an external auditor will review the ISMS at specific intervals to establish whether the controls are working as intended. This independent assessment provides an expert opinion of whether the ISMS is functioning properly and provides the level of security needed to protect the organisation’s information.
