ISO 27001: the International Standard for Information Security

Are you serious about information security and want to use ISO 27001 as a business differentiator?

Whatever your reasoning, here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.

What is ISO 27001 and why do I need it?

ISO 27001:2013 is the internationally recognised best practice framework for an Information Security Management System (ISMS).

About the ISO and IEC

Let’s start with what the letters ISO and IEC stand for. ISO is the International Organisation for Standardisation. Because every certified organisation is audited against the same published standard, ISO 27001 certification means the same thing wherever in the world it is held.

IEC stands for the International Electrotechnical Commission, which is a not-for-profit organisation that works independently of any government.

Together, ISO and the IEC run a joint technical committee (ISO/IEC JTC 1) that develops and maintains standards in information technology, Information and Communications Technology (ICT) and related fields; the ISO 27000 series is one of its outputs.

When you achieve ISO 27001:2013 certification you are demonstrating that your Information Security Management System (ISMS) meets the standard’s requirements for establishing, implementing, maintaining and continually improving an ISMS. You can read more about what an ISMS does on our New to Information Security page.

ISO 27001 History

ISO 27001 can be traced back to British Standard 7799, published in 1995. It was originally written by the UK Department of Trade and Industry (DTI) and, after several revisions (BS 7799-2 was adopted as ISO/IEC 27001:2005), ISO turned it into an internationally recognised best-practice standard in the ISO 27000 series to help organisations keep their information assets secure.

ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017. You can read more about those changes in our article ‘ISO 27001:2013 and ISO 27001:2017 what’s the difference?’.

What are the benefits of ISO 27001:2013?

You’ll reduce information security and data protection risks to your organisation

Whether it is your own valuable information or that of your customers, poor information security can be costly. Several of the ISO 27001 requirements also satisfy obligations under the GDPR, in particular the duty to apply appropriate technical and organisational security measures to personal data. Implementing ISO 27001 demonstrates to regulatory authorities that you take managing the security of the information you hold seriously and that, having identified the risks, you have done as much as is reasonably possible to mitigate them. There has been much scaremongering about the potential fines for GDPR non-compliance; what an ISMS actually gives you is a lower likelihood of breaches, the ability to react to them more quickly, and the evidence to describe and demonstrate the controls you have in place.

You’ll win new and retain existing business

Because ISO 27001 is the internationally recognised best-practice standard, holding certification tells the people you want to work with that you will look after their valuable assets and information, and gives them an objective basis for that confidence.

Like many things in business, trust matters. Demonstrating that an independent certification body has audited your ISMS makes that trust verifiable rather than a matter of assertion.

You’ll save time and money

Increasingly, customers are seeking assurance of your information security and data protection capabilities. Your IT department will testify to the number and length of ‘requests for information’ and security questionnaires they regularly have to deal with. All of this adds unnecessarily to your organisation’s cost of sale. Holding ISO 27001 certification minimises the detail you need to provide, because the certificate and your Statement of Applicability answer most of the questions up front.

You’ll give your reputation a boost

It doesn’t get much worse for an organisation than the news that its systems have been hacked and customer data has been exposed and exploited. If you are actively managing your information security management system you will be in a better position to identify breach risks before they are realised.

Need help in building the business case for an ISMS in your organisation? Download our whitepaper.

What are the ISO 27001:2013 controls?

Annex A of ISO 27001:2013/17 contains 114 controls grouped into 14 control domains (A.5 to A.18). You do not have to implement all of them, but your Statement of Applicability must account for every one, either as applicable or with a justification for its exclusion.

Need a set of ISO 27001 policies for your ISMS? The platform includes practical policies and controls for your organisation to easily adapt, adopt and add to, giving you a 77% head start with ISO 27001.

Where do I start with ISO 27001?

Imagine if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees.

Our Virtual Coach package does just that: helpful videos from those who have lived ISO 27001 and from an information security specialist, plus lots of hints and tips for success, right where you need them, inside the platform.

What is involved in ISO 27001?

Define your organisation’s security policy

In a nutshell, this means that you need to write an information security policy. Clause 5.2 of ISO 27001 does not give a great deal of guidance on what the policy should contain, but it does state what the policy must achieve: it must be appropriate to the purpose of the organisation, include or provide a framework for information security objectives, commit to satisfying applicable requirements and to continual improvement, and be communicated and made available to interested parties. The scope of the ISMS is a separate requirement, defined under clause 4.3, and the policy should be consistent with it.

Firstly, the information security policy must be adapted to your organisation. Using somebody else’s policy, or one that you have purchased, is no good unless you first make sure that it applies directly to your organisation. Where it doesn’t, adapt it, and only then adopt its contents.

One of the main conditions of retaining ISO 27001 certification after achieving it is that you continually improve your ISMS (clause 10.2). This means that your information security policy should also be reviewed at planned intervals to confirm that you are still meeting its stated objectives and that it still reflects how the organisation operates.

Conduct your risk assessment and manage the risks that have been identified

A risk assessment is the exercise that identifies the risks to the information within the scope of your ISMS (clause 6.1.2). It is mainly a desk-based, analytical activity, led by the people who own and operate the ISMS: internal stakeholders, staff and anyone else involved with it.

Identifying where harm could come to your organisation in relation to information security is the first step. Each risk is then evaluated in terms of its impact on the organisation and the likelihood of it occurring. This requires a documented methodology, with defined criteria and scales, so that every risk is evaluated the same way and repeated assessments give comparable results. Once a risk has been evaluated under the process defined in clause 6.1.2, risk treatment (clause 6.1.3) follows: you decide whether to modify the risk by applying controls, share it (for example through insurance or a supplier), avoid it by not doing the activity, or retain it because it is within your acceptance criteria. For risks you modify, you select the necessary controls and then compare your selection against Annex A to make sure no necessary control has been overlooked.

Recording evidence and clear audit trails of risk treatment is something your auditors will look for, including a risk treatment plan and the risk owners’ documented approval of that plan and acceptance of the residual risks.


Choose the control objectives and controls to implement, and prepare your Statement of Applicability

The Statement of Applicability (SoA) documents the controls and objectives you have chosen to implement on the basis of your risk assessment, with a justification for each, whether it is implemented yet, and a justification for every Annex A control you have excluded. It is something your auditor will refer to extensively during the stage 2 and surveillance audits.

Whilst this doesn’t need to go into great detail, it can become a laborious spreadsheet task without the help of a software tool that produces it dynamically from your risk register.
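The mechanics described in the risk assessment section above and in the SoA section (one documented scoring methodology, a treatment decision per risk, and an SoA derived from the treatment plan that justifies exclusions as well as inclusions) can be shown in a few lines of code. The following is an added example written for this page, not the platform’s code or any part of the standard; the 1-to-5 scales, the acceptance threshold, the register entries and the exclusion text are all constructed assumptions, and only a handful of Annex A controls are included where the real annex has 114.

```python
"""Constructed example: a tiny ISO 27001 risk register that scores every risk with one
documented methodology, checks each treatment decision against that methodology, and
derives a Statement of Applicability (SoA) from the risk treatment plan."""
from dataclasses import dataclass, field

# Constructed criteria. Clause 6.1.2 only requires that the criteria are defined and
# applied consistently; these 1-5 scales and the threshold are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8   # scores at or below this may be retained without treatment
TREATMENTS = {"modify", "retain", "avoid", "share"}

# A few ISO/IEC 27001:2013 Annex A controls (titles abbreviated); the real annex has 114
# and the SoA must account for every one of them.
ANNEX_A = {
    "A.6.2.1": "Mobile device policy",
    "A.8.1.1": "Inventory of assets",
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
}


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str
    impact: str
    treatment: str                                  # modify | retain | avoid | share
    controls: list = field(default_factory=list)    # Annex A refs used to modify the risk


def score(risk: Risk) -> int:
    """Likelihood x impact on the documented scales, so every risk is rated the same way."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def validate(risk: Risk) -> list:
    """List the ways a register entry breaks the methodology; empty means consistent."""
    problems = []
    if risk.treatment not in TREATMENTS:
        problems.append(f"{risk.rid}: unknown treatment '{risk.treatment}'")
    if risk.treatment == "retain" and score(risk) > ACCEPTANCE_THRESHOLD:
        problems.append(f"{risk.rid}: score {score(risk)} exceeds the acceptance threshold "
                        f"{ACCEPTANCE_THRESHOLD}; retaining it needs the owner's documented acceptance")
    if risk.treatment == "modify" and not risk.controls:
        problems.append(f"{risk.rid}: treatment is 'modify' but no controls are selected")
    problems += [f"{risk.rid}: {c} is not an Annex A reference" for c in risk.controls if c not in ANNEX_A]
    return problems


def ranked(risks: list) -> list:
    """Highest score first: the order in which treatment effort should be spent."""
    return sorted(risks, key=score, reverse=True)


def statement_of_applicability(risks: list, exclusions: dict) -> dict:
    """A control is applicable when some risk needs it; otherwise it needs a recorded
    exclusion justification, and if it has neither it is flagged for the auditor."""
    soa = {}
    for cid, title in ANNEX_A.items():
        needed_by = [r.rid for r in risks if cid in r.controls]
        if needed_by:
            entry = {"applicable": True, "justification": "treats " + ", ".join(needed_by)}
        elif cid in exclusions:
            entry = {"applicable": False, "justification": exclusions[cid]}
        else:
            entry = {"applicable": None, "justification": "UNRESOLVED: no risk needs it and no exclusion is recorded"}
        entry["title"] = title
        soa[cid] = entry
    return soa


def unresolved(soa: dict) -> list:
    """Controls the SoA cannot yet justify either way."""
    return [cid for cid, e in soa.items() if e["applicable"] is None]


# Constructed register entries; descriptions and ratings are illustrative only.
REGISTER = [
    Risk("R1", "Internet-facing web server exploited via an unpatched vulnerability",
         "likely", "major", "modify", ["A.12.6.1"]),
    Risk("R2", "Shared administrator password reused across systems",
         "possible", "severe", "modify", ["A.9.2.3"]),
    Risk("R3", "Unencrypted backup media lost in transit",
         "unlikely", "major", "modify", ["A.12.3.1", "A.10.1.1"]),
    Risk("R4", "Asset inventory out of date, so a server is never patched or backed up",
         "possible", "moderate", "retain", []),
]
EXCLUSIONS = {"A.6.2.1": "No mobile devices in the ISMS scope; all access is from managed office workstations"}

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.rid} score={score(r):2d} {r.treatment:<7} {r.description}")
    for r in REGISTER:
        for p in validate(r):
            print("PROBLEM:", p)
    soa = statement_of_applicability(REGISTER, EXCLUSIONS)
    for cid, e in soa.items():
        print(f"{cid:<9} applicable={str(e['applicable']):<5} {e['justification']}")
    print("Unresolved controls:", unresolved(soa))
```

Two things the run shows that the prose does not: R4 is recorded as retained even though its score is above the threshold, so `validate` flags it for the risk owner’s sign-off instead of letting it quietly into the register; and A.8.1.1 (asset inventory) is neither referenced by any treatment nor excluded, so the derived SoA carries an unresolved entry rather than silently omitting the control. Both are exactly the gaps a stage 2 auditor goes looking for, and generating the SoA from the register rather than maintaining it by hand is what makes them visible.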

Want to see the platform in action?

Get a guided tour just for you and your organisation
