ISO 27001, Information Security Management Standard Simplified

What is it, Why You Should Follow it and What’s Involved

What is ISO 27001?

ISO/IEC 27001 is an information security management standard jointly published by the International Organization for Standardisation and the International Electrotechnical Commission. ISO 27001 structures how businesses should manage the risk associated with information security threats, including policies, procedures and staff training.

The ISO 27001 standard defines information security guidelines and requirements intended to protect an organisation’s data assets from loss or unauthorised access, and a recognised means for organisations to demonstrate their commitment to information security management through certification.

ISO 27001 includes a risk assessment process, organisational structure, information classification, access control mechanisms, physical and technical safeguards, information security policies and procedures, and monitoring and reporting guidelines.

Achieve your first ISO 27001

Download your free guide to fast and sustainable certification

Interested in ISO/IEC 27001 as a differentiator for your business?

Here we will take you through the ISO 27001 standard, the benefits, and what might be involved for you and your organisation’s information security. The International Organization for Standardisation created the management system standard in response to growing concerns about data breaches, identity theft, and other cyber-attacks.

Whether you are looking for a way to improve your company’s cybersecurity posture or need guidance on how to build an Information Security Management System (ISMS), we will explain what ISO 27001 entails so you can make an informed decision about whether it’s suitable for your organisation. Lastly, we’ll explore how to manage information security and the benefits of using ISO 27001, including operations security, asset management, human resource security, security controls, access control, improved customer trust and reduced risk exposure.

ISO 27001 is the recognised international management system standard that others build from, whether they’re dealing with:

  • Information security
  • Information privacy
  • Computer security
  • Physical security
  • Broader cybersecurity
  • Building best practices
  • Business improvement
  • Business development

Why do you need ISO/IEC 27001?

ISO 27001 is the internationally recognised best practice framework for an ISMS and one of the most popular information security management standards worldwide. ISO 27001 certification assures customers, partners and other stakeholders that your company’s information security infrastructure meets their expectations.

The cost of not having an effective Information Security Management System can be high – both financially and reputationally. The standard is a critical component in any organisation’s risk management strategy, and it has become an essential part of many organisations’ IT governance, risk and compliance (GRC) programmes.

About the ISO and IEC

Let’s start off by explaining what the ISO and IEC letters stand for. ISO stands for the International Organisation for Standardisation. This means that all organisations that achieve ISO 27001 certification are working to the same high standards.

IEC stands for the International Electrotechnical Commission, which is a not-for-profit organisation that works independently of any government.

Together the ISO and the IEC form a joint technical committee, developing and maintaining multiple standards in IT, as well as Information and Communications Technology (ICT), and related technologies.

When you achieve ISO 27001:2013 certification you are demonstrating that:

  • Your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement
  • You’re managing information security in accordance with ISO 27001’s requirements, regardless of the size or type of your organisation

There’s a detailed explanation of what an ISMS does on our New to Information Security page.

We’ve helped hundreds of companies achieve ISO 27001

ISO/IEC 27001 History

The latest version of ISO 27001 can be traced back to the British Standards Institution standard BSI-7799, published in 1995. It was originally written by the DTI and, after many revisions, ISO turned it into an internationally recognised, best-practice information security standard in the ISO 27000 series to help organisations keep intellectual property and information assets secure.

ISO/IEC 27001:2013 is the most current version of the international standard and incorporates changes made in 2017 (see more about 2013 versus 2017 at the bottom of the page).

ISO 27001 will help you reduce information security and privacy risks

Information security threats are constantly growing. New data breaches make the headlines every day. So more and more organisations are realising that poor infosec can be costly, whether it leads to breaches of their own or their customers’ confidential information.

That’s why so many organisations are creating ISO 27001-certified information security management systems or ISMSs. An effective ISMS will help you meet all your information security objectives and deliver other benefits too. And any scale and type of organisation, from government agencies to commercial companies, can use ISO 27001 to create an ISMS.

Several of the ISO 27001 requirements also fulfil those of GDPR and Data Protection Act compliance and other legal and regulatory obligations, giving much greater information assurance overall. Implementing ISO 27001 will show regulatory authorities that your organisation takes the security of the information it holds seriously and, having identified the risks, has done as much as is reasonably possible to address them. Your risk management process will be both robust and easy to demonstrate. And it’s an excellent gateway to other ISO management system standards too.


ISO 27001 means saving time and money

Why spend lots of money solving a problem (for example, loss of customer information, risk assessment, business continuity management) in a time of crisis when it costs a fraction of that to prepare for it in advance? With an ISO 27001-certified information security management system, you’ll have all your information security incident management plans and systems set up and ready to go. It’s the most cost-effective way of keeping your information assets secure.

You’ll base your risk management plans on a robust, thorough risk assessment. Ongoing internal audits will make sure your ISMS meets the ever-evolving threat of digital crime with new security techniques and information security controls. And with our help you can measure the ROI on your information security risk management investment.

You’ll also cut your cost of sales. Customers are increasingly seeking assurance of their supplier relationships’ information security management and data protection capabilities. Your sales department will probably testify to the amount and the length of the ‘requests for information’ they regularly have to deal with as part of the sales process and how that is growing all the time. Holding ISO 27001 certification will minimise the detail you need to provide, simplifying and accelerating your sales process.


ISO 27001 boosts your reputation and builds trust in your organisation

It’s bad enough having your systems hacked and your customer data exposed and exploited. What’s worse is when news of that kind of breach starts spreading. It can do severe damage to your reputation and with it your bottom line. With an ISO 27001 ISMS, you’ll have carried out a robust risk assessment and created a thorough, practical risk treatment plan. So you’ll be in a better position to identify breach risks and prevent them before they happen.

Like many things in business, trust is important. But demonstrating that your Information Security Management System (ISMS) has been independently audited by an accredited certification body solidifies that trust. Your customers will quickly and easily see that it’s based on secure system engineering principles. They won’t need to take the security of your operations on trust, because you’ll be able to prove you’ve met the relevant ISO management system standards.

And managing information security with ISO 27001 is about more than just protecting your information technology and minimising data breaches.

The standard can help you:

  • Protect everything from your organisation’s intellectual property to its confidential financial information
  • Put defined information security policies in place to help you manage processes including your access control policy, communications security, system acquisition, information security aspects of business continuity planning and many others
  • Make sure your information security incident management is carefully planned and demonstrably effective if and when a compromise happens
  • Perform risk assessment and management activities in a clear, practical and transparent way
  • Make sure key stakeholders and other third parties are aware of, in agreement with and where necessary fully compliant with your infosec measures
  • Meet specific industry regulations or operating procedures, as set by any relevant regulatory bodies
  • Secure your employees’ and customers’ personal data

We make achieving ISO 27001 easy

Get a 77% headstart

Our ISMS comes pre-configured with tools, frameworks and documentation you can Adopt, Adapt or Add to. Simple.

Your path to success

Our Assured Results Method is designed to get you certified on your first attempt. 100% success rate.

Watch and learn

Forget about time consuming and costly training. Our Virtual Coach video series is available 24/7 to guide you through.

What needs to be done for achieving ISO 27001?

The core requirements of the information security standard are addressed in clauses 4.1 through to 10.2. The Annex A controls you may choose to implement, subject to your risk assessment and risk treatment plan, are covered in A.5 through to A.18 (both found at the bottom of this page).

If you are looking to achieve ISO 27001 you will be expected to meet all the core ISO 27001 requirements. One of the fundamental core requirements (clause 6.1) is to identify, assess, evaluate and treat information security risks. Out of that risk assessment and management process, the ISMS will help determine which of the ISO 27001 Annex A reference control objectives (information security controls) may need to be applied in the management of those information security risks.

Some organisations may choose not to take their Information Security Management System to certification but simply align to the ISO 27001 standard. This might be enough to meet internal pressures; however, it delivers less value to external stakeholders, who increasingly look for the assurance that an ISO 27001 certification independently issued by UKAS (or a similar accredited certification body) delivers.


Where do I start with ISO 27001 Certification?

Achieving ISO 27001 Certification can be complex and overwhelming but our software changes all that. Now you have pre-configured information security frameworks, tools, and content to help you achieve ISO 27001 success quickly and simply.

Imagine too, if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees? Our ISO 27001 Virtual Coach package does just that.

You will find helpful videos from those that are ‘living’ ISO 27001, together with an information security specialist, as well as lots of hints and tips for success.

All delivered right where you need it most, inside the platform allowing you to work where and when you want, at your own pace towards achieving your goals.

ISO 27001:2013 and ISO 27001:2017: what’s the difference?

In practical terms, very little has changed between the 2013 and 2017 ISO 27001 information security standards except for a few minor cosmetic points and a small name change.

The latest published version of the Information Security Management System standard is BS EN ISO/IEC 27001:2017.

The ISO version of the standard (2013) was not affected by the 2017 publication and the changes do not introduce any new requirements.

For those seeking UKAS-accredited ISO 27001 certification, UKAS accredits to the ISO version of the standard. So there are no modifications affecting your certification status, and therefore no additional transition activities are introduced by this revision.

The 2017 change was introduced to indicate approval by CEN/CENELEC for the EN designation (“European Standard”).

The updated BS does, however, incorporate two previously issued Corrigenda/Amendments to ISO 27001:2013, specifically in Clause 6.1.3 and Annex A clause 8.1.


Let’s take a look at what those Corrigenda covered

Corrigendum 1: ISO/IEC 27001:2013 Cor.1:2014(en) – published 2014

This corrigendum replaces the text of control A.8.1.1 (Inventory of Information Assets) from:

“Assets associated with information and information processing facilities shall be identified and an inventory of these information assets shall be drawn up and maintained.”

to:

“Information, other assets associated with information and information processing facilities shall be identified and an inventory of these information assets shall be drawn up and maintained.”

The change made it explicit that information itself must also be considered as an asset and be included in the inventory.

For those using our platform, the guidance notes provided for subclause A.8.1.1, along with our ISO 27001 Virtual Coach, fully take this into consideration.

Unlike some of the older tools on the market, our platform uses an information asset-based approach to risk management, so you can be sure this important amendment has been addressed. Read more about How to develop an Asset Inventory.

Corrigendum 2: ISO/IEC 27001:2013 Cor.2:2015(en) – published 1/12/2015

This involved changes to subclause 6.1.3 (Information Security Risk Treatment), and specifically to item d), about the Statement of Applicability (SoA). It was just a cosmetic adjustment, separating the required content for an SoA from the main paragraph into separate bullets, making it clearer that an SoA must contain at least four elements:

  • The necessary security controls to implement a robust approach to information security risk treatment, considering not only those in Annex A but also information security controls designed by the organisation as required, as well as others identified from any source (e.g. controls from the NIST SP 800 series of documents)
  • Justification for the inclusion of these information security controls
  • The controls’ status (e.g. implemented or not)
  • The justification for excluding any of the Annex A controls

The ISO 27001 Statement of Applicability is often considered one of the more onerous tasks in the Standard, both to create and keep up-to-date. You can read our article, Statement of Applicability: The Complete Guide to learn more.

How to tackle the changes between ISO 27001:2013 and ISO 27001:2017

We’ve incorporated the Corrigendum items into our platform, both responding to the guidance and creating tools to help you with it. They’ll help you fast track your ISO 27001 implementation and reduce the ongoing management time of your Information Security Management System.

Frequently asked questions

Why choose our platform for ISO 27001?

It can be challenging and daunting to achieve ISO 27001 certification, but with our platform it couldn’t be simpler. As well as preconfigured frameworks, tools, security controls and other content to help you quickly and easily achieve ISO 27001, the platform’s features include:

  • Simple, secure, all-in-one online ISMS environment that makes management easier, faster and more efficient
  • Preloaded Adopt / Adapt / Add ISO 27001 policies and controls that start you off with 77% of your ISMS documentation already completed
  • An optional Virtual Coach to give you confidence and share 24/7, context-specific ISO 27001 help
  • Optional tools to keep your colleagues aware of and engaged with your ISMS
  • Integrated supply chain management creating end-to-end information security assurance, strengthening your supplier relationships too

And ISO 27001’s not the only international standard we can help you with. Our platform can help you achieve certification in or compliance with a wide range of other standards and regulations too.

What is an Information Security Management System?

An Information Security Management System (ISMS) outlines and demonstrates an organisation’s approach to infosec. It defines how an organisation identifies and overcomes risks and opportunities that relate to its valuable information and associated assets. That begins with sensitive data and personal data, but covers much else too.

Why is ISO 27001 Important?

Implementing ISO 27001 shows all interested parties that your organisation takes infosec seriously and does as much as possible to:

  • Carry out practical, comprehensive risk assessments
  • Reduce identified risks to an acceptable level
  • Manage those risks effectively

ISO 27001’s benefits include:

  • Reducing your organisation’s information security and data protection risks
  • Helping it attract new customers and retain existing clients, saving time and resources
  • Improving the reputation of and strengthening trust in your organisation

ISO 27001 will also help your organisation comply with other regulations and standards, such as the privacy regulation GDPR, the infosec standards Cyber Essentials and PCI DSS, and ISO 22301, which focuses on business continuity management. Overall it provides greater information security assurance. That’s why so many organisations are investing in and working with certification bodies to achieve ISO 27001-certified information security management systems.

What is ISO 27001?

ISO 27001:2013 is the internationally recognised specification for an Information Security Management System (ISMS), and it is one of the most popular standards for information security. The most recent version of the standard is ISO/IEC 27001:2013 and implements improvements made in 2017 as well.

What’s the difference between ISO 27001 compliance and certification?

To achieve ISO 27001 compliance, you just need to meet the requirements of ISO 27001. You show that you're doing so by carrying out your own audits. To achieve ISO 27001 certification, you need to find an external certification body. They'll confirm that your ISMS is ISO 27001 compliant and recommend certification. ISO 27001 certification is generally seen as being more impressive than compliance because it involves that external certification process.

How long will your ISO 27001 certification last?

Your ISO 27001 certification will last for three years after your successful certification audits. During that time you'll carry out regular performance evaluation of your ISMS. You'll make sure that your senior management review it regularly. And it'll undergo external audits as well. That'll ensure your organisation's ongoing data security as it grows and cyberthreats evolve and change. Continual improvement of your ISMS is key to maintaining your certification.

Our pre-configured ISO 27001 ISMS will help you:

  • Achieve ISO 27001 first time
  • Maintain Your ISO 27001 certification
  • Reduce the likelihood of infosec breaches
  • React to them more quickly if and when they do happen
  • Quickly and easily demonstrate the controls you have in place

That will reduce the potential impacts of these information security risks. And because it’s the internationally recognised best-practice standard, achieving ISO 27001 will help win your organisation new customers and retain existing business.

The people you want to work with will feel confident that you’ll look after their valuable assets and information security. It will also help you show them that you’re serious about their physical and environmental security.

Build your business case for an ISMS

Download our free white paper

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.