ISO 27001: the International Standard for Information Security
Are you serious about information security and want to use ISO 27001 as a business differentiator?
Whatever your reasoning, here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.
About the ISO and IEC
Let’s start off by explaining what the letters ISO and IEC stand for. ISO stands for the International Organisation for Standardisation. This means that all organisations that achieve ISO 27001 certification are working to the same high standards.
IEC stands for the International Electrotechnical Commission, which is a not-for-profit organisation that works independently of any government.
Together the ISO and the IEC form a joint technical committee, developing and maintaining standards in IT, as well as Information and Communications Technology (ICT), and related technologies.
When you achieve ISO 27001:2013 certification you are demonstrating that your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement. You can read more about what an ISMS does on our New to Information Security page.
ISO 27001 History
ISO 27001 can be traced back to the British Standard 7799, published in 1995. It was originally written by the DTI and, after many revisions, ISO turned it into an internationally recognised, best practice standard in the ISO 27000 series to help organisations keep information assets secure.
ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017. You can read more about those changes in our article ‘ISO 27001:2013 and ISO 27001:2017 what’s the difference?’.
What are the benefits of ISO 27001:2013?
You’ll reduce information security and data protection risks to your
Whether it is your own valuable information or that of your customers, poor information security can be costly. Several of the ISO 27001 requirements also fulfil those of GDPR. Implementing ISO 27001 will demonstrate to regulatory authorities that you take managing the security of the information you hold seriously and that, having identified the risks, you have done as much as is reasonably possible to mitigate them. There has been much scaremongering surrounding the potential fines for GDPR non-compliance; however, an ISMS will help reduce the likelihood of breaches, enable you to react to them more quickly, and allow you to describe and demonstrate the controls you have in place.
You’ll win new and retain existing business
Because this is the internationally
Like many things in business, trust is important, and demonstrating that you have been independently audited solidifies that trust.
You’ll save time and money
Increasingly, customers are seeking assurance of your information security and data protection capabilities. Your IT department will testify to the number and length of ‘requests for information’ they regularly have to deal with. This all adds unnecessarily to the ‘cost of sale’ for your
You’ll give your reputation a boost
It doesn’t get much worse for an organisation when the news hits that their systems have been hacked and customer information security management system you will be in a better position to identify breach risks before they happen.
Need help in building the business case for an ISMS in your organisation? Download our whitepaper.
What are the requirements of ISO 27001:2013/17?
What are the ISO 27001:2013 controls?
The ISO 27001:2013/17 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adapt, adopt and add to, giving you a 77% head start with ISO 27001.
Where do I start with ISO 27001?
Imagine if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees.
Our Virtual Coach package does just that: helpful videos from those who have lived ISO 27001 and from an information security specialist, as well as lots of hints and tips for success, right where you need them, inside the ISMS.online platform.
What is involved in ISO 27001?
organisation’s security policy
In a nutshell, this means that you need to write an information security policy. Section 5.2 of ISO 27001 does not give a great deal of guidance on what should be contained within your policy, but it does state what the policy should achieve and how you should define the scope of the ISMS.
Firstly, the information security policy must be adapted to your
One of the main factors in retaining ISO 27001 certification after achieving it is continually improving your ISMS. This means that your information security policy should also be reviewed on a regular basis to ensure you are meeting the stated objectives.
Conduct your risk assessment and manage the risks that have been identified
A risk assessment is an exercise which helps you to identify any potential or current risks within your ISMS. Mainly theoretical, the ISMS risk assessment is led by internal stakeholders, staff and anyone involved with the ISMS.
Identifying where any possible harm could come to your
Recording evidence and clear audit trails of risk treatment is something your auditors will look for.
Choose control objectives and the controls to be implemented, and prepare your Statement of Applicability
The Statement of Applicability (
Whilst this doesn’t need to go into great detail, it can become a laborious spreadsheet task without the help of a software tool like ISMS.online that produces it dynamically.
Want to see the ISMS.online platform in action?
Get a guided tour just for you and your organisation