ISO/IEC 27001 •

The Ultimate Guide to ISO 27001

Get ISO 27001 certified 5 x faster with ISMS.online

See it in action
By Max Edwards | Updated 12 March 2024

ISO 27001 is an Information security management standard that provides organisations with a structured framework to safeguard their information assets and ISMS, covering risk assessment, risk management and continuous improvement. In this article we'll explore what it is, why you need it, and how to achieve certification.

Jump to topic

Why do you need ISO 27001?

ISO 27001:2022 certification assures customers, partners and other stakeholders that your company’s information security infrastructure meets their expectations.

ISO 27001 is an information security management system (ISMS) internationally recognised best practice framework and one of the most popular information security management standards worldwide.

The cost of not having an effective Information Security Management System can be high – both financially and reputationally. The Standard is a critical component in any organisation’s information security risk management process , and it has become an essential part of many organisations’ IT governance, risk and compliance (GRC) programmes.


The benefits of ISO 27001

1) ISO 27001 Will Help You Reduce Information Security and Privacy Risks

Information security risks are constantly growing. New data breaches make the headlines every day. So more and more organisations realise that poor infosec can be costly, whether it leads to breaches of their own or their customers’ confidential information.

That’s why many organisations are creating their own ISO 27001-certified information security management system or ISMS’s.

An effective ISMS will help you meet all your information security objectives and deliver other benefits.

And any scale and type of organisation, from government agencies to commercial companies, can use ISO 27001 to create an ISMS.

Several of the ISO 27001 requirements also fulfil those of GDPR and Data Protection Act compliance, and legal and regulatory obligations, giving much greater information assurance overall. Implementing ISO 27001 will show regulatory authorities that your organisation takes the security of information it holds seriously and, having identified the risks, done as much as is reasonably possible to address them.

Your risk management process will be both robust and easy to demonstrate. And it’s an excellent gateway to other ISO management system standards too.

2) ISO 27001 Means Saving Time and Money

Why spend lots of money solving a problem (for example, loss of customer information, risk assessments, business continuity management) in a crisis when it costs a fraction to prepare for it in advance? With an ISO 27001-certified information security management system, you’ll have all your information security incident management plans and systems ready. It’s the most cost-effective way of protecting/keeping your information assets secure.

You’ll base your risk management plans on a robust, thorough risk assessment. Ongoing internal audits will ensure your ISMS meets the ever-evolving threat of digital crime with new security techniques and information security controls. And with our help, you can measure the ROI on your information security risk management investment.

You’ll also cut your cost of sales. Customers increasingly seek assurance of their supplier relationships’ information security management and data protection capabilities. Your sales department will probably testify to the amount and the length of the ‘requests for information’ they regularly have to deal with as part of the sales process and how that is growing all the time. Holding ISO 27001 certification will minimise the detail you need to provide, simplifying and accelerating your sales process.

3) ISO 27001 Boosts a Reputation and Builds Trust in the Organisation

It’s bad enough having your information systems hacked and your customer data exposed and exploited. What’s worse is when news of that kind of breach starts spreading. It can severely damage your reputation and, with it, your bottom line. With an ISO 27001 ISMS, you’ll have conducted a robust risk assessment and created a thorough, practical risk treatment plan. So you’ll be better positioned to identify and prevent breach risks before they happen.

Like many things in business, trust is essential. But demonstrating that an accredited certification body has independently audited your Information Security Management Systems (ISMS) solidifies that trust. Your customers will quickly and easily see that it’s based on specific system engineering principles. They won’t need to take the security of your operations on trust because you’ll be able to prove you’ve met the relevant ISO management system standards.

And managing information security with ISO 27001 is about more than just protecting your information technology and minimising data breaches.

The Standard Can Help You:

  • Protect everything from your organisation’s intellectual property to its confidential financial information.
  • Put defined information security policies in place to help you manage processes, including your access control policy, communications security, system acquisition, information security aspects of business continuity planning and many others.
  • Ensure your information security incident management is carefully planned and demonstrably effective if and when a compromise happens.
  • Perform and information security risk assessment and management activities clearly, practically and transparently.
  • Ensure key stakeholders and other third parties are aware of, in agreement with and, where necessary, fully compliant with your infosec measures.
  • Meet specific industry regulations or operating procedures set by relevant regulatory bodies.
  • Secure your employees’ and customers’ personal data.
Free download

Get your guide to
ISO 27001 success

Everything you need to know about achieving ISO 27001 first time

Get your free guide

ISO 27001:2022 requirements & controls

Defined within the ISO 27001 standard are ten requirements, including information security guidelines, requirements intended to protect an organisation’s data assets from loss or unauthorised access and recognised means of demonstrating their commitment to information security management through certification.

Requirement 6.1.3 (Information Security Risk Treatment) defines Annex A, specifying controls derived from ISO 27002:2022.

ISO 27001 also includes a risk assessment process, organisational structure, Information classification, Access control mechanisms, physical and technical safeguards, Information security policies, procedures, monitoring and reporting guidelines.

ISO 27001 Requirements and Structure

Annex (S)L Explained

“Annex L” defines a generic management system’s core requirements and characteristics. This is a critical point. Your company’s management system extends beyond information security.

While the focus of ISO 27001 is information security, the standard integrates with other ISO standards based on ISO’s Annex L, allowing you to introduce these standards to develop further and improve your overall management system later. They include ISO 9001 for quality management, ISO 22301 for business continuity management, ISO 227701 for Privacy protection and up to 50 other ISO standards.

Whilst we are not suggesting that you look at these standards for now, the point is that it is possible. You have an ‘upgrade path’ within ISO and ISMS.online (Integrated Management System) that won’t require reinventing the wheel when stepping it up to another level.


ISO 27001:2013 & ISO 27001:2022 – What’s the difference?

In practical terms, very little has changed between the 2013 and 2022 ISO 27001 information security standards except for minor cosmetic points and additional requirements (9.3.1, 9.3.2, 9.3.3) and revised Annex A controls linked to ISO 27002:2022.

Transitioning to the New Standard

Organisations that have already achieved ISO 27001 certification must transition to the new version by October 31, 2025. This transition will require them to review and update their current ISMS to comply with the new requirements.

Overview of Changes Introduced in ISO 27001:2022

ISO 27001: 2022 brings with it several refinements and additional wording requirements. These changes ensure the standard remains applicable and updated with the latest security best practices.

The new version of the Standard requires organisations to ensure that their management systems comply with the updated requirements and to review any changes to the wording of the Standard to ensure they understand the implications for their security management systems. This includes changes to the language used, adjustments to the structure and content, and the addition of new clauses.

Restructuring of Annex A Controls in ISO 27001 2022

Following the release of ISO 27002:2022 on February 15, 2022, ISO 27001:2022 has aligned its Annex A controls.

The new version of the Standard draws upon a condensed set of 93 Annex A controls, including 11 new controls. A total of 24 controls were merged from two, three, or more security controls from the 2013 version, and 58 controls from the ISO 27002:2013 were revised to align with the current cyber security and information security environment.

Organisations must ensure that their information security management system meets the new requirements and that their existing controls are current.

To help with this, ISO 27002:2022 has made changes to the wording of some of the existing controls and added additional requirements for others. Additionally, the Standard now requires organisations to evaluate the performance of their information security management system and the effectiveness of the controls.


Control Categories and Attributes

Annex A controls have now been grouped into group categories:

Organisational
People
Physical
Technological

Each control has additionally assigned an attribution taxonomy. Each control now has a table with a set of suggested attributes, and Annex A of ISO 27002:2022 provides a set of recommended associations.

These allow you to quickly align your control selection with common industry language and international standards. The use of attributes supports work many companies already do within their risk assessment and Statement of Applicability (SOA).

For example, Cybersecurity concepts similar to NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.

11 New Annex A Controls

The 11 new controls focus on cloud services, ICT readiness for business continuity, threat intelligence, physical security monitoring, data masking, information deletion, data leakage prevention, monitoring activities, web filtering and secure coding.

The eleven new controls for ISO 27001:2022

New Focus on Risk Treatment Processes

ISO 27001 2022 has placed a greater emphasis on risk treatment processes and the use of Annex A controls. The updated Standard now requires organisations to consider the four options for treating risks: modification, retention, avoidance and sharing. Two additional options for treating opportunities have been added: enhancement and exploitation. The Standard also outlines the need for organisations to consider risk sharing and acceptance in handling opportunities.

Organisations are now required to consider the consequences and likelihood of information security risks and the potential rewards of opportunities when assessing risk. The International Standard also encourages organisations to take risks if the potential rewards are more significant than the potential losses.

Overall, the new focus on risk treatment processes in ISO 27001 2022 provides organisations with a greater understanding of assessing and treating risks to minimise the potential for harm.

Evaluation of Third Parties

Organisations must ensure that third parties can provide adequate risk management measures, including but not limited to security, privacy, compliance and availability. Third parties must be aware of the organisation’s policies, procedures and standards and comply with them.

Organisations should perform periodic reviews and audits to ensure third-party compliance with security policies. They should also have a process for reporting and responding to security incidents resulting from the activities of third parties.

Organisations must ensure that all data and information assets under their control are securely returned or disposed of when terminating contracts or relationships with third parties.

Incident Logging Investigation and Recording

ISO 27001 2022 sets out specific requirements for logging, investigating and recording incidents. This includes organisations needing a process for logging security incidents and a procedure for investigating and documenting the investigation results. It is important for organisations to have a clear policy for logging and investigating incidents, as well as a process for recording the results of the investigation.

The policy should also cover the handling of evidence, the escalation of incidents and the communication of the incident to relevant stakeholders. The policy should also ensure that the organisation can quantify and monitor incidents’ types, volumes and costs and identify any severe or recurring incidents and their causes.

This will enable the organisation to update its risk assessment and implement additional controls to reduce the likelihood or consequences of future similar incidents.

Supplier Relationships Requirements

ISO 27001:2022 has introduced new requirements to ensure that organisations have a robust supplier and third-party management programme. This includes identifying and analysing all third parties that may impact customer data and services security and conducting a risk assessment for each supplier. The agreement between the supplier and service provider must also establish the relationship between them, and regular monitoring and reviews must be conducted to assess compliance.

Organisations must also ensure that supplier security controls are maintained and updated regularly and that customer service levels and experience are not adversely affected. In addition, personal data must be processed per data privacy regulations, and an audit of the supplier’s systems, processes, and controls must be conducted. By implementing these supplier management procedures, organisations can ensure they comply with ISO 27001:2022.

Clarification of Control Requirements for Externally Provided Processes and Products

Organisations must ensure that external services, products, and processes are appropriately managed and controlled. The 2022 version of ISO 27001 clarifies the requirements for externally provided processes and products.

Organisations must establish documented agreements with external providers and ensure that these agreements are regularly monitored and reviewed. Additionally, organisations must have a plan for responding to any inaccurate or incomplete information provided by external services or products and a procedure for handling any identified vulnerabilities in externally offered services or products.

Organisations must also ensure that the associated risks are appropriately managed and that the control of externally provided processes and products includes appropriate measures for security assurance and management of changes to documents, agreements, and procedures.

Supplier Management Procedures

ISO 27001 2022 introduces several changes to how organisations manage their supplier relationships. The revised Standard requires organisations to develop a formal supplier management policy and procedures, segment their supply chain into categories based on the value and risk of the relationship, and develop close working relationships with high-value suppliers:

Organisations must also take a risk-based approach to supplier selection and management, wrap information security policy for suppliers into a broader relationship framework. ISO 27001 2022 emphasises managing ICT suppliers who may need something additional instead of the standard approach.
Organisations must ensure supplier staff are educated, aware of security, and trained on organisation policies. Records of supplier management, including contracts, contact, incidents, relationship activity and risk management, must also be kept. All of this must be done to ensure an agreed level of information security and service delivery is maintained in line with supplier agreements.

Employee Cybersecurity Awareness

Organisations must take action to ensure that employees are aware of their responsibilities when it comes to cyber security.

Companies should focus on preventing human error by empowering staff to understand the importance of cyber security. Businesses should also invest in appropriate cybersecurity training programs and develop clear policies and procedures that detail what is expected from employees.

Furthermore, companies should incorporate cyber security into everyday operations and establish a culture of cyber security where staff feel comfortable and empowered to raise cyber security issues. By taking these steps, organisations can ensure that their employees know their responsibilities and are better prepared to protect their data and networks from cyber threats.

Establishing Controls for Human Resource Security in ISO 27001:2022

ISO 27001 2022 has introduced several new and refined controls for Human Resource Security. This includes the need to establish clear guidelines for personnel screening, terms and conditions of employment, information security awareness, education and training, and disciplinary processes. It also requires organisations to have a policy on using cryptographic controls and a formal starter, leaver, and mover process.

These controls are essential for protecting the organisation’s interests, as they help to ensure that all personnel have the necessary security clearance and are aware of their responsibilities. Furthermore, they help to ensure that confidential information is protected from unauthorised access and that any information security events are reported and dealt with appropriately. Implementing these information security controls is essential for any organisation seeking certification from an accredited certification body.

Understanding the Requirements of Interested Parties

ISO 27001:2022 has a specific focus on understanding the needs and expectations of interested parties. Interested parties are stakeholders, such as employees, shareholders, government agencies, clients, media, suppliers and partners interested in the organisation’s information security and business continuity. Identifying these stakeholders and their requirements is essential to develop an effective ISMS or BCMS.

A procedure should be written to clearly define who is responsible for identifying all interested parties and their legal, regulatory, contractual and other requirements and interests, as well as who is responsible for updating this information and how often it should be done. Once the requirements are identified, assigning responsibility for meeting them is essential.

How to Tackle the Changes Between ISO 27001:2013 and ISO 27001:2022

We’ve incorporated the updated ISO 27001 requirements and ISO 27002 controls into ISMS. online, both responding to the guidance and creating tools to help you. They’ll help you fast-track your ISO 27001 implementation and reduce the ongoing management time of your Information Security Management System.

Book a platform demo

Where do I start with ISO 27001 Certification?

Achieving ISO 27001 Certification can be complex and overwhelming but our ISMS.online software changes all that. Now you have pre-configured information security frameworks, tools, and content to help you achieve ISO 27001 success quickly and simply.

Imagine too, if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees? Our ISO 27001 Virtual Coach package does just that.

You will find helpful videos from those that are ‘living’ ISO 27001, together with an information security specialist, as well as lots of hints and tips for success.

All delivered right where you need it most, inside the ISMS.online platform allowing you to work where and when you want, at your own pace towards achieving your goals.

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

How do I achieve ISO 27001?

The core requirements of the information security standard are addressed in clauses 4.1 through 10.2, and Annex A controls you may choose to implement, subject to your risk assessment, risk treatment plan and work, are covered in A.5.1, and 5.31 through 5.36 and A. 8.8 (found at the bottom of this page).

If you want to achieve ISO 27001, you will be expected to meet all the core ISO 27001 requirements. One of the fundamental core requirements (6.1) is to identify, assess, evaluate and treat information security risks. Out of that risk assessment and management process, the ISMS will help determine which of the ISO 27001 Annex A reference control objectives (information security controls) may need to be applied to manage those information security-oriented risks.

Some organisations may not take their Information Security Management System to certification but align to the ISO 27001 standard. This might be okay to meet internal pressures however delivers less value to key stakeholders externally, who increasingly look for the assurances a UKAS (or similar accredited certification body) independently certified ISO 27001 delivers.

For organisations looking to demonstrate their commitment to information security, certification from an accredited body is the way to go. The process of seeking certification requires a thorough review of the organisation’s ISMS and its ability to comply with the requirements of ISO 27001:2022.

An accredited third-party auditor should conduct the certification process, who will review the organisation’s ISMS and assess its compliance with the Standard. The auditor will also provide recommendations for improvements and ensure the organisation can meet the new requirements of the Standard.

Once the certification process is complete, the organisation will receive an official certificate from the accredited body.


FAQs

Why Choose ISMS.online for ISO 27001?

Selecting ISMS.online for your ISO 27001 implementation offers numerous advantages for organisations seeking certification and maintaining a robust Information Security Management System (ISMS). Here are the key reasons why you should choose ISMS.online:

  • All-in-one online ISMS environment – We provide a simple and secure online platform that streamlines the management of your ISMS, making it easier, faster, and more efficient.
  • Preloaded ISO 27001 policies and controls – Our platform features pre-configured information security frameworks, tools, and content, starting you off with 81% of your ISMS documentation already completed. This significantly reduces the time and effort required to achieve compliance.
  • Virtual Coach – Our optional Virtual Coach package offers context-specific ISO 27001 guidance, hints, and tips for success, eliminating the need for costly consultancy fees. This enables you to work at your own pace and achieve your certification goals.
  • Integrated supply chain management – ISMS.online includes tools for managing your supply chain, ensuring end-to-end information security assurance and strengthening supplier relationships.
  • Support for multiple standards – Our platform supports over 50 of the most sought-after standards, such as ISO 27001, ISO 27701, GDPR, NIST, and SOC 2. This makes ISMS.online a comprehensive solution for organisations aiming to achieve and maintain compliance with multiple standards.


What is an Information Security Management System?

An Information Security Management System (ISMS) is a comprehensive set of policies and procedures that ensures, manages, controls, and continuously improves information security within an organisation.

At ISMS.online, we provide a robust ISMS framework for information security professionals like you, aiming to safeguard your company’s sensitive data.

Our systematic approach to managing sensitive company information includes people, processes, and IT systems, applying a risk management process to minimise risk and ensure business continuity by proactively limiting the impact of security breaches.


Why is ISO 27001 Important?

ISO 27001 plays a crucial role in organisations by helping them identify and manage risks effectively, consistently, and measurably. At ISMS.online, we understand the significance of ISO 27001 certification for businesses of all sizes.

Here are a few reasons why ISO 27001 is essential for your organisation:

  • Risk Reduction: ISO 27001 minimises your organisation’s information security and data protection risks, ensuring the safety of sensitive information.
  • Customer Trust: As a certified organisation, you demonstrate a commitment to security, giving you a competitive advantage in the eyes of customers and potential stakeholders. At ISMS.online, we recognise the importance of building customer trust and confidence in your services.
  • Streamlined Processes: Implementing ISO 27001 allows companies to document their main processes, reducing ambiguity and increasing productivity. Our platform at ISMS.online simplifies the management of your ISMS, making it more efficient for your staff.


What is ISO 27001?

ISO 27001 is the premier international standard for information security, published by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC).

It belongs to the ISO/IEC 27000 series and offers a framework for organisations of any size or industry to safeguard their information through an Information Security Management System (ISMS).

The latest version, ISO 27001:2022, includes updates to address the evolving landscape of technology and information security.


What’s the difference between ISO 27001 compliance and certification?

The primary distinction between ISO 27001 compliance and certification lies in the level of external validation and recognition:

ISO 27001 Compliance

  • Refers to an organisation adhering to the requirements of the ISO 27001 standard, which focuses on Information Security Management Systems (ISMS).
  • In simple terms, compliance might mean that your organisation is following the ISO 27001 standard (or parts of it) without undergoing any formal certification process.

ISO 27001 Certification

  • The process where a third-party, independent organisation called a certification body audits your organisation’s ISMS.
  • Determines if your processes, as well as your products and services, meet the ISO criteria.


How long will your ISO 27001 certification last?

Your ISO 27001:2022 certification is valid for three years following successful certification audits.

During this period, as information security professionals, you are expected to:

  • Conduct regular performance evaluations of your ISMS.
  • Ensure that senior management reviews your ISMS consistently.

At the end of the three-year cycle, a recertification audit is conducted, and upon successful completion, the certification is renewed for another three years.

At ISMS.online, we understand the importance of maintaining your ISO 27001 certification. Our platform offers a comprehensive solution to help you and your organisation achieve and maintain compliance with multiple standards, including ISO 27001.

complete compliance solution

Want to explore?
Start your free trial.

Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer

Find out more

ISO 27001:2022 requirements


ISO 27001:2022 Annex A Controls

Organisational Controls


People Controls


Physical Controls


Technological Controls


About ISO 27001


ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more