ISO27001 (referred to as ‘the standard’ or ‘ISO’ in this article) is an information security standard, part of the larger ISO27000 family of standards, which provide best practice advice and guidance on the implementation and maintenance of an information security management systems (ISMS). An ISMS is a risk-based methodology for businesses to apply to protect the confidentiality, availability, and integrity (CIA) of its information assets and systems.

The standard is divided into sections that detail the requirements a business must implement to form a robust ISMS. The standard also lays out a list of controls, in its ‘Annex A,’ that companies should apply to reduce the information security risk to the organization. In addition to Annex A, ISO27001 also has a complimentary second standard, known as ISO27002, which provides further advice and guidance on the implementation of information security controls.

What are the benefits?

The first and most important benefit of implementing ISO27001 is improved risk management and information security. ISO standardizes the way information security is managed within an organization. Based upon a robust risk management framework, ISO implements a top-down approach, which requires that everyone from the board room to the post room has appropriate information security knowledge.

ISO also insists on a set of standard information security policies that set out the organization's approach to the implementation of controls. These policies and controls provide unification and standardization of the behaviors and procedures that the business wishes to promote in association with ensuring good information security. For example, ISO insists on a robust access management strategy, there must be a policy in place which details how an organization approaches access management, this must be made available to all employees, and it should also be included within any training provided.

Access management also requires organizations to keep up-to-date and accurate lists of the individuals who are allowed access to certain information assets, there must be a process in place for managing this, and there must be a valid justification (agreed by the company) as to whom is allowed access. To ensure that this process is followed, it must also be monitored and audited, and any irregularities dealt with promptly. To ensure that this all happens effectively and efficiently, it is often necessary for large enterprises to employ technological solutions such as Microsoft Active Directory.

Another benefit of ISO certification is that it is an internationally recognized best practice standard; this means that businesses can easily demonstrate to customers and clients their security status. Organizations can include ISO certification as a prerequisite part of their third-party management and procurement process, providing confidence in the security of a business's supply chain.

ISO is often a requirement for businesses tendering for contracts, especially if those contracts involve the handling and processing of data and information. Many large commercial and government contracts now require ISO27001 certification as a standard, so businesses who have achieved this certification have a distinct competitive advantage.

What does ISO require?

How to achieve ISO27001 compliance is covered in a little more detail later on in this article, but to begin, it is essential to understand some of the main concepts of ISO and what they may mean for a business who is seeking to implement them.

ISO 27001 contains 12 main sections, let’s start by examining the first four sections; risk assessment, security policy, organization of information security, and asset management. These sections make up the core of the Information Security Management System, or ISMS, which is the very heart of the ISO27001 standard and framework.

ISO27001 Main Sections

Risk assessment is at the very centre of ISO27001; it is a standard that is based upon an organization's understanding and management of its risk profile. The risk management element of ISO seeks to quantify the threats and vulnerabilities to an organization's information assets and understand the risk to the confidentiality, integrity, and availability of those assets. Once a risk is quantified, an organization can apply controls to reduce the level of risk to one which is acceptable to the businesses' risk appetite.

As mentioned above an organization defines its approach to information security and details the controls, procedures, and behaviors it wishes to implement through the development and publication of its security policies (section two.)  These security policies will help ensure that the right level of control is applied consistently across the whole organization. These policies vary business to business, but as a minimum, you would expect to see policies that address the main controls listed in ISO27001.

Section three of the standard, ‘Organization of Information Security’, requires that information security roles and responsibilities are defined and assigned, and that management commits to an investment in resources to manage and maintain the ISMS. This would also include ensuring that adequate training is provided to employees and that a management commitment to information security is demonstrated through activities such as regular information risk reviews and steering committees.

The final component of the ISMS is section four. ‘Asset Management.’ This section requires that organizations maintain a list or ‘Asset Register’ of all information assets within the organization (such as employee records, sales data, intellectual property, etc.) primarily any data or information which is of ‘value’ and would adversely affect the business if the confidentiality, integrity or availability of that data was compromised.

ISO27001 requires that those information assets are subject to risk assessment and risk treatment, as mentioned above, this means that vulnerabilities associated with those assets are identified, and the likelihood of those vulnerabilities being realized is quantified. Once this process is complete, the organization must then ‘treat’ those risks through the application of controls to reduce the risk level to one which is acceptable to the business.

The other sections of the standard defined the core concepts which must be in place to ensure that a business can manage its information security. These sections include providing that business continuity plans are in place (section 11.), a process for the identification, reporting, and management of security incidents exists (section 10.) and the ability to provide adequate control over physical access to the scope of the organizations ISMS.

In addition to the sections listed above, the standard also provides additional guidance in the form of its Annex A controls and through ISO27002. ISO27002 is the complementary standard containing advice on how to implement the controls listed within ISO27001.

How to achieve ISO27001?

The first step in achieving ISO27001 is to engage an individual or organization who understands the standard and can help a business to navigate its processes and requirements. Once understood, the standard is quite logical to follow, but it’s very procedural and does require that some actions are performed in a particular order.

Once a business has the right personnel in place, the next important decision in the ISO27001 journey is your scope. The scope of your Information Security Management System can be logical or physical. It could be a specific business process or a product; determining the boundaries helps to define the assets in scope and the appropriate controls.

The next step is to perform a gap analysis; this provides a measure of where the organization currently is against where it needs to be to achieve certification. Gap analysis provides an organization with a prioritized roadmap to achieving compliance, helps to identify investment and resources required, and manages expectations. If certification is being driven by the requirement to fulfill a customer's demands, then a gap analysis and the resulting roadmap can help assure a client that the project is underway and is making progress.

The next phase is often the longest, this is implementation, during this phase of an ISO27001 a project team works will all departments in scope for the certification to roll out the prioritized road map identified in the gap analysis phase and implement all the necessary people, technical and procedural controls.

During this phase, the organization performs its risk assessments, writes and communicates its information security policies, provides training and education to its employees, and puts in place relevant technical measures. On completion of this phase of the project, the organization will have most, if not all, of the required documentation in place, including ISO specific documentation requirements such as a Statement of Applicability (SoA), which lists all of the controls which apply to the in-scope ISMS.

Finally, after the implementation phase has concluded a business is ready to begin its audit and certification phase, this should start with a series of internal audits that measure the success of the implementation phase. After the conclusion of internal audits, the organization will be in the position to submit itself to external scrutiny and achieve it's much worked for certification.

It can be a long process to achieve ISO27001, but it need not be a complex or necessarily costly one. ISO certification requires a well thought out, logical, and measured approach to the implementation of information security controls. If led by an experienced consultant or information security manager ISO can provide efficiencies across the business, in the unification of different processes and procedures, it can bring clarity and assurance to a supplier management process and, more importantly, it can help your organization understand and reduce the threat posed to its information security. Get in touch with us to start your ISO journey.


Stephanie Perry

Written by Stephanie Perry

I have over 15 years experience in the area of Information Security, Governance, Risk and Compliance. Helping organizations run risk management, compliance programs and implementing information security standards. I have worked with a variety of industries including public sector, government, MoD and large multinational corporations. Her specialism lies in helping organizations to develop a strategic compliance program and designing their communication and training plans.