What is ISO 27001?
What it is, why you should follow it, and what's involved
Are you serious about information security and want to use ISO 27001 as a business differentiator?
Here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.
What is ISO 27001 and why do I need it?
ISO 27001:2013 is the internationally recognised best practice framework for an Information Security Management System (ISMS).
It is one of the most popular information security standards worldwide.
About the ISO and IEC
Let’s start off by explaining what the letters ISO and IEC stand for. ISO stands for the International Organisation for Standardisation. This means that all organisations that achieve an ISO 27001 certification are working to the same high standards.
IEC stands for the International Electrotechnical Commission, which is a not-for-profit organisation that works independently of any government.
Together the ISO and the IEC form a joint technical committee, developing and maintaining standards in IT, as well as Information and Communications Technology (ICT), and related technologies.
When you achieve ISO 27001:2013 certification, you are demonstrating that your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement. You can read more about what an ISMS does on our New to Information Security page.
ISO 27001 History
ISO 27001 can be traced back to the British Standard 7799, published in 1995. It was originally written by the DTI and, after many revisions, ISO turned it into an internationally recognised, best practice standard in the ISO 27000 series to help organisations keep information assets secure.
ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017 (see more about 2013 versus 2017 at the bottom of the page).
What are the benefits of ISO 27001:2013?
ISO 27001 will help reduce information security and data protection risks to your organisation
Whether it is your own valuable information or that of your customers, poor information security can be costly. Several of the ISO 27001 requirements also fulfil those of GDPR and Data Protection Act compliance and give much greater information assurance overall. Implementing ISO 27001 will demonstrate to regulatory authorities that your organisation takes the security of the information it holds seriously and, having identified the risks, has done as much as is reasonably possible to address them. Whether it is computer security, physical security, broader cyber security, privacy or just moving towards best practices, ISO 27001 is the recognised standard that others build from.
There has been much scaremongering surrounding the potential fines for GDPR non-compliance; however, an Information Security Management System (ISMS) will help reduce the likelihood of breaches, enable you to react to them more quickly, and demonstrate the controls you have in place, in order to reduce the potential impacts of these security risks.
ISO 27001 will help win new customers and retain existing business
Because this is the internationally recognised ‘best-practice’ standard, the people you want to work with will feel safe and secure, knowing that you (holding ISO 27001 certification) will look after their valuable assets and information security.
ISO 27001 means saving time and money
Why spend much more money solving a problem (e.g. information loss for customers), especially in a crisis, when it costs a fraction of that to be better prepared in advance? In addition, customers are increasingly seeking assurance of your information security management and data protection capabilities. Your sales department will probably testify to the number and length of the ‘requests for information’ they regularly have to deal with as part of the sales process, and how that is growing all the time. This all adds unnecessarily to the ‘cost-of-sale’ for your organisation. Holding ISO 27001 certification will minimise the detail you need to provide.
ISO 27001 boosts a reputation and builds trust in the organisation
It doesn’t get much worse for an organisation when the news hits that their systems have been hacked and customer information security management system you will be in a better position to identify breach risks and prevent them before they happen. Like many things in business, trust is important. But demonstrating that you have been independently audited solidifies that trust.
What needs to be done to achieve ISO 27001:2013/17?
The core requirements of the standard are addressed in clause 4.1 through to 10.2 and the Annex A controls you may choose to implement, subject to your risk assessment and treatment work, are covered in A.5 through to A.18 (both found at the bottom of this page).
If you are looking to achieve ISO 27001 certification, you will be expected to meet all the core ISO 27001 requirements. One of the fundamental core requirements (6.1) is to identify, assess, evaluate and treat information security risks. That risk management process will help determine which of the ISO 27001 Annex A controls may need to be applied in the management of those security-oriented risks.
Some organisations may choose not to take their Information Security Management System to certification but simply align to the ISO 27001 standard. This might be okay to meet internal pressures; however, it delivers less value to key external stakeholders, who increasingly look for the assurances that an ISO 27001 certification independently issued by UKAS (or a similar certifying body) delivers.
Where do I start with ISO 27001 Certification?
Achieving ISO 27001 Certification can be complex and overwhelming but our ISMS.online software changes all that. Now you have pre-configured frameworks, tools, and content to help you achieve ISO 27001 certification success quickly and simply.
Imagine, too, if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees. Our ISO 27001 Virtual Coach package does just that.
You will find helpful videos from those that are ‘living’ ISO 27001, together with an information security specialist, as well as lots of hints and tips for success.
All delivered right where you need it most, inside the ISMS.online platform allowing you to work where and when you want, at your own pace towards achieving your goals.
“Virtual Coach for ISO 27001 is a great addition … the team and I have access to expert guidance every step of the way and can access it where and when we want. It means we can work at our own pace to ensure we reach our goals as quickly as we can…and at a fraction of the cost of other solutions.”
ISO 27001:2013 and ISO 27001:2017: what’s the difference?
In practical terms, very little has changed between the 2013 and 2017 ISO 27001 standards except for a few minor cosmetic points and a small name change.
The latest published version of the Information Security Management System standard is BS EN ISO/IEC 27001:2017.
The ISO version of the standard (2013) was not affected by the 2017 publication and the changes do not introduce any new requirements.
For those seeking a UKAS accredited ISO 27001 certification, UKAS accredits to the ISO standard, so there are no modifications affecting your certification status and therefore no additional transition activities are introduced by this revision.
The 2017 change was introduced to indicate approval by CEN/CENELEC for the EN designation (“European Standard”).
The updated BS does, however, incorporate two previously issued Corrigenda/Amendments to ISO 27001:2013, specifically in Clause 6.1.3 and Annex A clause 8.1.
Let’s take a look at what those Corrigenda covered:
Corrigendum 1: ISO/IEC 27001:2013/Cor.1:2014(en) – published 2014
A.8.1.1 (Inventory of Assets) replaces the control’s objective text from:
“Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
to:
“Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
The change made it explicit that information itself must also be considered as an asset and be included in the inventory.
For those using ISMS.online, the guidance notes provided in Subclause A.8.1.1, along with our ISO 27001 Virtual Coach, take this into consideration fully.
Unlike some of the older tools on the market, ISMS.online uses an information asset-based approach to risk management so you can be sure this important amendment has been addressed.
Read more about How to develop an Asset Inventory.
Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015(en) – published 1/12/2015
This involved changes to Subclause 6.1.3 (Information Security Risk Treatment), and specifically to item d), about the Statement of Applicability (SoA). It was just a cosmetic adjustment, separating the required content for an SoA from the main paragraph into separate bullets, making it clearer that an SoA must contain at least four elements:
- The necessary controls to implement the information security risk treatment, considering not only those in Annex A but also controls designed by the organization as required, as well as others identified from any source (e.g., controls from the NIST SP 800 series of documents)
- Justification for inclusion of these controls
- The controls’ status (e.g. implemented or not)
- The justification for excluding any of the Annex A controls
The ISO 27001 Statement of Applicability is often considered one of the more onerous tasks in the Standard, both to create and keep up-to-date. You can read our article, Statement of Applicability Simplified, to learn more.
How to tackle the changes between ISO 27001:2013 and ISO 27001:2017
With ISMS.online, the Corrigendum items have been incorporated, both in terms of the guidance and tools you will use to fast-track your ISO 27001 implementation and reduce the ongoing management time of your Information Security Management System.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance