ISO 27001

What is ISO 27001?

ISO/IEC 27001:2013 (also known as ISO 27001) is the international standard for information security. It sets out the specification for an information security management system (ISMS).

The Standard’s best-practice approach helps organisations manage their information security by addressing people, processes and technology.

Certification to the ISO 27001 Standard is recognised worldwide as an indication that your ISMS is aligned with information security best practice.

Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that helps organisations “establish, implement, operate, monitor, review, maintain and continually improve an ISMS”.

The latest version of the ISO 27001 information security standard was published in September 2013, replacing the 2005 iteration.

What is an ISMS?

An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets.

It consists of policies, procedures and other controls involving people, processes and technology.

Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.

ISO 27001 clauses and controls

The Standard has ten management system clauses. Together with Annex A, which lists 114 information security controls, they support the implementation and maintenance of an ISMS.

1. Scope
2. Normative references
3. Terms and definitions
4. Context
5. Leadership
6. Planning and risk management
7. Support
8. Operations
9. Performance evaluation
10. Improvement

ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.

Implementing the Standard helps you meet the information security requirements of laws such as the EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. This helps reduce the costs associated with data breaches.

ISO/IEC 27001:2013 controls

The Standard doesn’t mandate that all 114 Annex A controls be implemented. A risk assessment should determine which controls are required, and a justification should be provided as to why other controls are excluded from the ISMS.

Below is the list of control sets.

  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

How to achieve ISO 27001 compliance

Implementing an ISMS involves:

  • Scoping the project.
  • Securing management commitment and budget.
  • Identifying interested parties and legal, regulatory and contractual requirements.
  • Conducting a risk assessment.
  • Reviewing and implementing the required controls.
  • Developing internal competence to manage the project.
  • Developing the appropriate documentation.
  • Conducting staff awareness training.
  • Reporting (e.g. the Statement of Applicability and risk treatment plan).
  • Continually measuring, monitoring, reviewing and auditing the ISMS.
  • Implementing the necessary corrective and preventive actions.