ISO 27001: 2013/17

Information Security Management System (ISMS)

Are you serious about information security and want to use ISO 27001 as a business differentiator?

Whatever your reasoning, here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.

The ISO 27001:2013/17 Annex A Controls

Feeling overwhelmed?

Imagine if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees.

Our Virtual Coach package does just that: helpful videos from those who have lived ISO 27001 and from an information security specialist, as well as lots of hints and tips for success, right where you need them, inside the platform.

What is the ISO / IEC 27001:2013 standard?

Let’s start off by explaining what the ISO and IEC letters stand for. ISO stands for the International Organisation for Standardisation. This means that all organisations that achieve an ISO accreditation are working to the same high standards.

IEC stands for the International Electrotechnical Commission, a not-for-profit organisation that works independently of any government.

Together the ISO and the IEC form a joint technical committee, developing and maintaining standards in IT, as well as Information and Communications Technology (ICT).

Read our article ‘ISO 27001:2013 and ISO 27001:2017: what’s the difference?’.

When you achieve ISO 27001: 2013 you are demonstrating that your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement. You can read more about what an ISMS does on our New to Information Security page.

The ISO 27001 code of practice uses a risk-based approach to planning an ISMS, a process that includes the following steps:

Define your organisation’s security policy
Conduct your risk assessment and manage the risks that have been identified
Choose control objectives and the controls to be implemented, and prepare your Statement of Applicability

Let’s take a look at each of those in a little more detail.

Define your organisation’s security policy

In a nutshell, this means that you need to write an information security policy. Sect. 5.2 of ISO 27001 does not give a great deal of guidance on what should be contained within your policy, but it does state what the policy should achieve and how you should define the scope of the ISMS.

Firstly, the information security policy must be adapted to your organisation. Using somebody else’s policy or one that you have purchased is no good without first ensuring that it applies directly to your organisation. If it doesn’t, then you must adapt it, then adopt the contents within.

One of the main factors in retaining ISO 27001 after achieving it is to continually improve your ISMS. This means that your information security policy should also be reviewed on a regular basis to ensure you are meeting the stated objectives.

Need a set of ISO 27001 policies for your ISMS? includes practical policies and controls for your organisation to easily adapt, adopt and add to, giving you a 77% head start with ISO 27001.

Conduct your risk assessment and manage the risks that have been identified


A risk assessment is an exercise which helps you to identify any potential or current risks within your ISMS. Mainly theoretical, the ISMS risk assessment is led by internal stakeholders, staff and anyone involved with the ISMS.

Identifying where any possible harm could come to your organisation in relation to information security is the first step. Then the risk should be evaluated in terms of its impact on the organisation and the likelihood of it occurring. This requires a documented methodology to ensure all risks are evaluated using the same criteria. Once evaluated under the process defined in 6.1 of ISO 27001, you must then decide which of the ISO 27001 Annex A controls will be used in the management of the risk. Treating the risk is next. This is where you mitigate, share or simply accept the risk.

Recording evidence and clear audit trails of risk treatment will be something your auditors will look for.


Choose control objectives and the controls to be implemented, and prepare your Statement of Applicability


The Statement of Applicability (SoA) documents the controls and objectives that you choose to implement based on your risk assessment. It will be something your auditor refers to extensively when they conduct stage 2 and surveillance audits.

Whilst this doesn’t need to go into great detail, it can become a laborious spreadsheet task without the help of a software tool like that produces it dynamically.
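As an added, constructed example (not code from this page or from the platform it describes) of the risk assessment and SoA steps above: a small risk register scored under one documented methodology, treatment rules enforced (nothing above appetite is simply accepted, and mitigating or sharing needs a mapped control), an audit trail recorded per risk, and an SoA derived from which Annex A controls actually treat a risk. The four sample risks, the scales and the risk appetite are assumed values; the Annex A references follow the ISO 27001:2013 numbering with shortened titles.

```python
from dataclasses import dataclass, field
# Documented scoring criteria so every risk is judged the same way:
# 1-5 scales, score = likelihood x impact. All values here are assumed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # a score above this may not simply be accepted
# Annex A controls in scope (ISO 27001:2013 numbering, titles shortened).
ANNEX_A = {"A.9.2.3": "Management of privileged access rights",
           "A.12.3.1": "Information backup",
           "A.12.6.1": "Management of technical vulnerabilities",
           "A.15.1.1": "Supplier relationships policy"}

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    impact: str
    treatment: str                                # mitigate, share or accept
    controls: list = field(default_factory=list)  # Annex A refs that treat it
    audit_trail: list = field(default_factory=list)

def assess(risk: Risk, owner: str) -> int:
    """Score the risk, enforce the treatment rules, record the decision."""
    score = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    if risk.treatment == "accept" and score > RISK_APPETITE:
        raise ValueError(f"{risk.ref}: score {score} exceeds appetite")
    if risk.treatment != "accept" and not risk.controls:
        raise ValueError(f"{risk.ref}: treatment needs at least one control")
    if any(c not in ANNEX_A for c in risk.controls):
        raise ValueError(f"{risk.ref}: control outside Annex A scope")
    risk.audit_trail.append(f"{owner}: score={score} treatment={risk.treatment}")
    return score

def statement_of_applicability(risks: list) -> dict:
    """A control is applicable when it treats a risk; every entry is justified."""
    treats = {c: [r.ref for r in risks if c in r.controls] for c in ANNEX_A}
    return {c: {"title": ANNEX_A[c], "applicable": bool(refs), "justification":
                "treats " + ", ".join(refs) if refs else "no identified risk requires it"}
            for c, refs in treats.items()}

# Constructed sample register; scores come out as R1=16, R2=15, R3=6, R4=2.
REGISTER = [
    Risk("R1", "Unpatched public server exploited", "likely", "major", "mitigate", ["A.12.6.1"]),
    Risk("R2", "Ransomware takes file server down", "possible", "severe", "mitigate", ["A.12.3.1", "A.12.6.1"]),
    Risk("R3", "Supplier mishandles shared data", "unlikely", "moderate", "share", ["A.15.1.1"]),
    Risk("R4", "Visitor reads reception notice board", "rare", "minor", "accept")]

def run_register(register=REGISTER, owner="ciso"):
    return {r.ref: assess(r, owner) for r in register}, statement_of_applicability(register)
```

Each risk ends up with a recorded decision, and A.9.2.3 appears in the SoA as not applicable with a justification, which is the kind of evidence the auditor will ask for.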


What are the benefits of achieving ISO 27001: 2013?


So we mentioned potential scenarios where you would be looking to achieve ISO 27001. Quite often, getting ISO 27001 under its belt is not, in fact, the organisation’s own idea. Why? Because it can be seen as a complex project that takes time and costs money. And, by the way, if you’re looking for a quick fix for achieving the standard, you’ll be out of luck. UKAS accredited certification bodies will be looking for evidence that you are ‘living and breathing’ your ISMS and that it’s not just a dusty set of policies and controls. And, if you choose a non-UKAS accredited auditor, beware the differences between compliance and certification, and the savvy buyers who will not recognise your certification!

You’ll reduce information security and data protection risks to your organisation

Whether it is your own valuable information or that of your customers, poor information security can be costly. Several of the ISO 27001 requirements also fulfil those of GDPR. Implementing ISO 27001 will demonstrate to regulatory authorities that you take managing the security of the information you hold seriously and, having identified the risks, have done as much as is reasonably possible to mitigate them. There has been much scaremongering surrounding the potential fines for GDPR non-compliance; however, an ISMS will help reduce the likelihood of breaches, enable you to react to them more quickly, and allow you to describe and demonstrate the controls you have in place.

You’ll win new and retain existing business

Because this is the internationally recognised ‘best-practice’ standard, it makes the people you want to work with feel safe and secure, confident that you (holding ISO 27001) will look after their valuable assets and information security.


Like many things in business, trust is important. But demonstrating that you have been independently audited solidifies that trust.


You’ll give your reputation a boost

It doesn’t get much worse for an organisation than when the news hits that their systems have been hacked and customer data has been exposed and exploited. If you are managing your information security management system you will be in a better position to identify breach risks before they happen.

Need help in building the business case for an ISMS in your organisation? Download our whitepaper.

Want to see the platform in action?

Get a guided tour just for you and your organisation
