ISO 27001: 2013
Maybe you have been told by a supplier or customer that you need to hold an ISO 27001 certificate to be able to work with them. Or perhaps you want to use ISO 27001 as a business differentiator. You may even have correctly identified how it will help you meet some of the requirements of GDPR.
Whatever your reasoning, here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.
The contents of ISO 27001
Requirement 4 – Context of the organization
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
Requirement 5 – Leadership
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Organizational roles, responsibilities and authorities
Requirement 6 – Planning
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
Requirement 7 – Support
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
Requirement 8 – Operation
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
Requirement 9 – Performance evaluation
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
Requirement 10 – Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Virtual Coach for ISO 27001
Feeling overwhelmed? Imagine if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees.
Our Virtual Coach package does just that. Helpful videos from those that have lived ISO 27001, and an information security specialist, as well as lots of hints and tips for success – Right where you need it, inside the ISMS.online platform.
What is the ISO IEC 27001 standard?
Let’s start off by explaining what the ISO IEC letters stand for. ISO stands for the International Organisation for Standardisation. This means that all organisations that achieve an ISO accreditation are all working to the same high standards.
IEC stands for the International Electrotechnical Commission, who is a not-for-profit organisation, that works independently of any government.
Together the ISO and the IEC form a joint technical committee, developing and maintaining standards in IT, as well as Information and Communications Technology (ICT).
When you achieve ISO 27001: 2013 you are demonstrating that your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement. You can read more about what an ISMS does on our New to Information Security page.
The ISO 27001 code of practice uses a risk-based approach to planning an ISMS, which process includes the following.
- Define your organisation’s security policy
- Define the scope of the ISMS
- Conduct your risk assessment
- Manage the risks that have been identified
- Choose control objectives and controls that are to be implemented
- Prepare your Statement of Applicability
Let’s take a look at each of those in a little more detail
Define your organisation’s security policy
In a nutshell, this means that you need to write an information security policy. Sect. 5.2 of ISO 27001 does not give a great deal of guidance on what should be contained within your policy, but it does state what the policy should achieve and how you should define the scope of the ISMS.
Firstly, the information security policy must be adapted to your organisation. Using somebody else’s policy or one that you have purchased is no good without first ensuring that it applies directly to your organisation. If it doesn’t, then you must adapt it, then adopt the contents within.
One of the main factors of retaining the ISO 27001 after achieving it is to continually improve your ISMS. This means that your information security policy should also be reviewed on a regular basis to ensure you are meeting the stated objectives.
Need a set of policies for your ISMS?
We have relevant policies and controls for your organisation to easily adapt, adopt and add to, giving you a 77% head start with ISO 27001
Conduct your risk assessment and manage the risks that have been identified
A risk assessment is an exercise which helps you to identify any potential or current risks within your ISMS. Mainly theoretical, the ISMS risk assessment is lead by internal stakeholders, staff and anyone involved with the ISMS.
Identifying where any possible harm could come to your organisation in relation to information security is the first step. Then the risk should be evaluated in terms of its impact on the organisation and the likelihood of it occurring. This requires a documented methodology to ensure all risks are evaluated using the same criteria. Once evaluated under the process defined in 6.1 of ISO 27001, you must then decide which of the ISO 27001 Annexe A controls will be used in the management of the risk. Treating the risk is next. This is where you mitigate, share or simply accept the risk.
Recording evidence and clear audit trails of risk treatment will be something your auditors will look for.
Choose control objectives, controls that are to be implemented and preparing your Statement of Applicability
The Statement of Applicability (SoA) documents the controls and objectives that you choose to implement based on your risk assessment. It will be something your auditor refers to extensively when he conducts stage 2 and surveillance audits.
Whilst this doesn’t need to go into great detail, it can become a laborious spreadsheet task without the help of a software tool like ISMS.online that produces it dynamically.
What are the benefits of achieving ISO 27001: 2013?
So we mentioned potential scenarios where you would be looking to achieve ISO 27001. Quite often having ISO 27001 under their belt is not, in fact, the idea of the organisation itself. Why? Because it can be seen as a complex project that takes time and costs money. And, by the way, if you’re looking for a quick fix for achieving the standard, you’ll be out of luck. UKAS accredited certification bodies will be looking for evidence that you are ‘living and breathing’ your ISMS and it’s not just a dusty set of policies and controls. And, if you choose a non-UKAS accredited auditor, beware the savvy buyers who will not recognise your certification!
You’ll reduce information security and data protection risks to your organisation
Whether it is your own valuable information or that of your customers, poor information security can be costly. Several of the ISO 27001 requirements also fulfill those of GDPR. Implementing ISO 27001 will demonstrate to regulatory authorities that you take managing the security of information you hold seriously and, having identified the risks done as much as is reasonably possible to mitigate them. There has been much scaremongering surrounding the potential fines for GDPR non-compliance, however, an ISMS will help reduce the likelihood of breaches, enable you to react to hem more quickly, and allow you to describe and demonstrate the controls you have in place.
You’ll win new and retain existing business
Because this is the internationally recognise ‘best-practice’ standard, it makes the people you want to work with feel safe and secure and that you (holding ISO 27001) will look after their valuable assets and information security.
Like many things in business, trust is important. But demonstrating that you have been independently audited, solidifies that trust.
You’ll give your reputation a boost
It doesn’t get much worse for an organisation when the news hits that their systems have been hacked and customer data has been exposed an exploited. If you are managing our information security management system you will be in a better position to identify breach risks before they happen.