Your simple introduction to the basic facts
ISO 27001 is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. It was written by the world’s best experts in the field of information security and provides methodology for the implementation of information security management in an organization. It also enables companies to become certified, which means that an independent certification body has confirmed that an organization has implemented information security compliant with ISO 27001.
ISO 27001 has become the most popular information security standard worldwide and many companies have certified against it.
[Chart: number of ISO 27001 certificates in the last couple of years. Source: The ISO Survey of Management System Standard Certifications]
How does ISO 27001 work?
The focus of ISO 27001 is to protect the confidentiality, integrity and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.
The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). However, in most cases companies already have all the hardware and software in place, but they are using them in an insecure way – therefore, the majority of the ISO 27001 implementation will be about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches. Since such implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 has described how to fit all these elements together in the information security management system (ISMS).
So, managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.) – it is also about managing processes, legal protection, managing human resources, physical protection, etc.
See also The basic logic of ISO 27001: How does information security work?
Why is ISO 27001 good for your company?
There are 4 essential business benefits that a company can achieve with the implementation of this information security standard:
- Comply with legal requirements – there are more and more laws, regulations and contractual requirements related to information security, and the good news is that most of them can be resolved by implementing ISO 27001 – this standard gives you the perfect methodology to comply with them all.
- Achieve marketing advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of the customers who are sensitive about keeping their information safe.
- Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.
- Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce the lost time of their employees.
See also Free Return on Security Investment Calculator.
Where does information security management fit in a company?
Essentially, information security is part of overall risk management in a company, with areas that overlap with cybersecurity, business continuity management and IT management.
What does ISO 27001 actually look like?
ISO/IEC 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
According to Annex SL of the International Organization for Standardization ISO/IEC Directives, the section titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and other management standards, enabling easier integration of these standards.
- Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
- Section 1: Scope – explains that this standard is applicable to any type of organization.
- Section 2: Normative references – refers to ISO/IEC 27000 as a standard where terms and definitions are given.
- Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
- Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
- Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
- Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
- Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
- Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
- Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
- Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions and continual improvement.
- Annex A – this annex provides a catalogue of 114 controls (safeguards) placed in 14 sections (sections A.5 to A.18).
See also: Has the PDCA Cycle been removed from the new ISO standards?
How to implement ISO 27001
To implement ISO 27001 in your company, you have to follow these 16 steps:
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
For a more detailed explanation of these steps, see ISO 27001 implementation checklist.
ISO 27001 requires the following documentation to be written:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And these are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.
To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
How to get certified
Two types of ISO 27001 certificates exist: (a) for organizations, and (b) for individuals. Organizations can get certified to prove that they are compliant with all the mandatory clauses of the standard; individuals can attend the course and pass the exam in order to get the certificate.
For an organization to become certified, it must implement the standard as explained in previous sections, and then go through the certification audit performed by the certification body. The certification audit is performed in the following steps:
- Stage 1 audit (Documentation review) – the auditors will review all the documentation.
- Stage 2 audit (Main audit) – the auditors will perform an on-site audit to check whether all the activities in a company are compliant with ISO 27001 and with ISMS documentation.
- Surveillance visits – after the certificate is issued, during its 3-year validity, the auditors will check whether the company maintains its ISMS.
See also Becoming ISO 27001 certified – How to prepare for certification audit.
Individuals can go for several courses in order to obtain certificates – the most popular are:
- ISO 27001 Lead Auditor Course – this 5-day course will teach you how to perform certification audits and it is intended for auditors and consultants.
- ISO 27001 Lead Implementer Course – this 5-day course will teach you how to implement the standard and is intended for information security practitioners and for consultants.
- ISO 27001 Internal Auditor Course – this 2- or 3-day course will teach you the basics of the standard and how to perform an internal audit – it is intended for beginners in this topic and for internal auditors.
See also: How to learn about ISO 27001.
2005 and 2013 revisions of ISO 27001
As mentioned before, ISO 27001 was first published in 2005 and was revised in 2013 – therefore, the current valid version is ISO/IEC 27001:2013.
The most important changes in the 2013 revision are related to the structure of the main part of the standard, interested parties, objectives, monitoring and measurement; also, Annex A has reduced the number of controls from 133 to 114 and increased the number of sections from 11 to 14. Some requirements were deleted from the 2013 revision, like preventive actions and the requirement to document certain procedures.
See also Infographic: New ISO 27001 2013 revision – What has changed?
However, all these changes actually did not change the standard much as a whole – its main philosophy is still based on risk assessment and treatment, and the same phases in the Plan-Do-Check-Act cycle remain. This new revision of the standard is easier to read and understand, and it is much easier to integrate it with other management standards like ISO 9001, ISO 22301, etc.
The companies that have been certified against ISO/IEC 27001:2005 must transition to the new 2013 revision by September 2015 if they want to keep their certificate valid. See here how to do it: How to make a transition from ISO 27001 2005 revision to 2013 revision.
Related information security and other standards
ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001. ISO 27001 specifies 114 controls that can be used to reduce security risks, and ISO 27002 can be quite useful because it provides details on how to implement these controls. ISO 27002 was previously referred to as ISO/IEC 17799, and emerged from the British standard BS 7799-1.
ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well with ISO 27001 because it explains how to determine whether the ISMS has achieved its objectives.
ISO/IEC 27005 provides guidelines for information security risk management. It is a very good supplement to ISO 27001 because it gives details on how to perform risk assessment and risk treatment, probably the most difficult stage in the implementation. ISO 27005 emerged from the British standard BS 7799-3.
ISO 22301 defines the requirements for business continuity management systems – it fits very well with ISO 27001 because A.17 of ISO 27001 requires business continuity to be implemented; however, it doesn’t provide too many details. Learn more about ISO 22301 here…
ISO 9001 defines the requirements for quality management systems – although at first glance, quality management and information security management do not have much in common, the fact is that about 25% of the ISO 27001 and ISO 9001 requirements are the same: document control, internal audit, management review, corrective actions, setting the objectives, and managing competences. This means if a company has implemented ISO 9001, it will have a much easier job implementing ISO 27001. Learn more about ISO 9001 here…