top of page
Search

Introducing ISO 27001

  • Writer: Keith Sanks
    Keith Sanks
  • May 11, 2023
  • 7 min read


ISO 27001 is an internationally recognized standard for managing Information Security Management Systems (ISMS).

It is founded on the principle that effective management systems must have suitable controls in place to safeguard information assets against loss, damage, unauthorized disclosure, misuse, unauthorized access, modification, and destruction.

In essence, ISO 27001 provides a set of benchmarks for managing risks associated with information security, which encompasses policies, procedures, training, monitoring, auditing, incident response, and communications.

This guide aims to offer an introductory to ISO 27001, outlining what it is, why businesses use it, how to implement it, and how to maintain compliance.


Who is the Responsible party from your organization's for information assets?

Cyberattacks are on the rise, and many are unaware of the significant damage they can cause. The global cyber security market size is projected to grow from $172.32 billion in 2023 to $424.97 billion in 2030, at a CAGR of 13.8%


What is the purpose of ISO 27001?

The primary goal of ISO 27001 is to provide guidance on how to manage risks associated with information assets within organizations. This encompasses ensuring that organizations comply with their legal obligations, such as data protection, privacy, and the management of publications.

The ISO 27001 standard is intended to assist organizations in managing risk and enhancing information security across their entire enterprise. It includes guidelines for managing information about people, processes, technology, and physical assets, encompassing incident response, training, internal audits, management, and monitoring.

ISO 27001 provides guidance on how organizations should manage risks associated with information assets. The standard is intended to help businesses better understand what constitutes a threat to confidentiality, integrity, availability, and accountability. It defines these threats and outlines ways organizations can mitigate them.


How has ISO 27001 become a necessity?

The ISO 27001 international standard outlines requirements for implementing efficient information security and ensuring that it is properly utilized. This includes implementing access control, managing risk, monitoring activities, ensuring privacy, and maintaining confidentiality.

Organizations use ISO 27001 to evaluate whether they meet key criteria, purposes may include having a documented threat assessment process, implementing robust access control processes, providing adequate training and awareness programs, and maintaining accurate records of activities.

Businesses that comply with the ISO 27001 standard for information security will be viewed as more credible and trustworthy. Failure to comply could result in fines or even prosecution under UK law.

An effective ISMS helps ensure that an organization's information is confidential, integral, available, and authentic. Implementing an ISO 27001-compliant ISMS requires meticulous planning, but the benefits are well worth the investment. By complying with global best practices, your organization can distinguish itself from its competitors.


How does ISO 27001 prove its value? By obtaining ISO 27001 certification, your organization can demonstrate its compliance with international standards. The benefits of achieving certification include:

  • lower costs,

  • Reduced risk,

  • Improved visibility,

  • Greater brand awareness,

  • More business opportunities,

  • Enhanced employee satisfaction, and

  • Increased customer trust and confidence

Understanding 27002

For those exploring information security management systems, it's important to understand both ISO 27001 and ISO 27002. ISO 27002 offers guidance on controls found in ISO 27001, including physical and logical access control, authentication, authorization, encryption, and segregation of duties. While ISO 27001 is the primary standard in the 27000 family and companies can get certified against it, ISO 27002:2022 is a supporting standard/code of practice and cannot be certified against.

ISO 27001 Annex A provides a list of security controls, but it does not provide implementation guidance. ISO 27002, on the other hand, offers guidance on implementing the controls found in ISO 27001. The best thing about ISO 27002 is that companies can decide whether or not to use the controls, depending on their relevance to the organization.

What Does ISO 27001 Certification Entail?

The ISO 27001 certification is a crucial certification for businesses, as it outlines how organizations can safeguard sensitive customer data. This certification helps build credibility and trust within the industry and gives customers peace of mind when doing business with you.


Being ISO 27001 Certified provides a competitive edge in the market, as it shows that the company values data privacy and implements policies and procedures to prevent unauthorized access. In the event of a security breach, the company can quickly and efficiently notify affected individuals.


Obtaining ISO 27001 Certification

A company must invite an accreditation body to perform an audit. The auditors will issue a certificate if the company is compliant with the standards.

The certification process comprises three phases. During phase one, a self-assessment questionnaire is completed to determine if further action is needed. Phase two involves a full-scale audit of the organization's entire system. Finally, phase three is a yearly re-audit to ensure that everything is up to date and compliant.


Before the official certification audit, a gap analysis audit is conducted to identify potential problems. A team of experts reviews the organization's policies, procedures, processes, and practices to identify any gaps that could lead to future issues or data breaches.


To receive ISO 27001 certification, a company must demonstrate that it meets specific requirements, such as implementing policies and procedures to prevent unauthorized access, training employees on those policies and procedures, monitoring employee activity, documenting processes and strategies, and regularly testing systems to ensure they work correctly.


Here is a Step-by-Step implementation guide to ISO 27001 certification

Step 1 Establish a Team to Implement the ISMS:

The initial step is to establish a team that will oversee the implementation of the Information Security Management System (ISMS). The project leader should possess comprehensive knowledge of information security, along with the authority to lead and direct a team of managers (who will be responsible for reviewing their respective departments). The project leader will require a group of individuals to assist them. The senior management can either choose the team themselves or give the team leader the freedom to select their own team members. Once the team is in place, they should develop a project mandate, which is a document that outlines the objectives of the project, the time frame, the budget, and whether or not management supports the project.


Step 2: Create the Implementation Strategy

The next phase is to prepare for the actual implementation.

The implementation team will leverage the project mandate to design a more comprehensive framework for their information security goals, strategy and risk assessment.

This includes defining overarching policies for the ISMS that establish:

  • Responsibilities and duties

  • Guidelines for its ongoing development

  • Ways to promote the project through communication both internally and externally.

Step 3: Launch the ISMS

Now that the plan is in place, the next step is to choose the appropriate methodology for continuous improvement. ISO 27001 does not prescribe any specific approach but rather advocates a process-oriented method such as the Plan-Do-Check-Act (PDCA) model. As long as the prerequisites and processes are clearly defined, correctly implemented, and regularly reviewed and improved, any model can be employed. Additionally, an ISMS policy should be established. It need not be comprehensive but should clearly specify the objectives of the implementation team and their intended methods. Once completed, the board must approve it. At this point, the rest of the document structure can be developed using a four-tier approach:

  • Policies at the highest level, setting the organization's stance on specific issues such as password management and acceptable use.

  • Procedures to satisfy the policy's requirements.

  • Work instructions describing how staff should adhere to these policies.

  • Records that monitor the procedures and work instructions.

Step 4: Establish the ISMS Boundaries

The subsequent step involves gaining a comprehensive understanding of the framework of your ISMS. Clauses 4 and 5 of the ISO 27001 standard outline this process.


Defining the scope of your ISMS is crucial as it determines the extent of its coverage within your day-to-day operations.


To effectively meet your organization's requirements, it is essential to identify all relevant aspects.


The most critical aspect of this step is delineating the boundaries of your ISMS. This entails identifying the locations where information is stored, whether in physical or digital files, systems, or portable devices.


Accurately defining the scope is a pivotal component of your ISMS implementation project.


If the scope is too narrow, it leaves information vulnerable and compromises the security of your organization. Conversely, if the scope is too broad, the ISMS becomes overly intricate to manage effectively.


Step 5: Determining your security baseline is critical to establish a secure foundation for conducting your business.

This involves identifying the minimum level of security activities necessary to maintain your information security posture.

To identify your security baseline, you need to conduct a thorough risk assessment following the guidelines outlined in ISO 27001.


This assessment will help you identify the most critical security vulnerabilities within your organization and determine the appropriate ISO 27001 controls from Annex A to mitigate those risks.

Step 6: Establishing a Risk Management Process

Managing risks is a crucial part of implementing an ISMS. The risks identified and prioritized in your system are integral to almost every aspect of your security, making risk management a vital competency for ISO 27001 implementation.


Organizations can create their own risk management process, with common approaches focusing on risks to specific assets or presented in certain scenarios. Regardless of the method chosen, your decisions should be based on a five-step risk assessment process:

  1. Establish a framework for risk assessment

  2. Identify risks

  3. Analyze risks

  4. Evaluate risks

  5. Select risk management options

Once risks are assessed, you need to establish risk acceptance criteria - the damage threats could cause and the likelihood of their occurrence. Managers often score risks using a risk matrix, with higher scores indicating a greater threat. They then set a threshold for when a risk must be addressed.

When addressing a risk, organizations can take four approaches:

  1. Tolerate the risk

  2. Treat the risk by applying controls

  3. Terminate the risk by avoiding it entirely

  4. Transfer the risk through insurance policies or agreements with other parties.

Lastly, ISO 27001 requires a Statement of Applicability (SoA) documenting which controls in the standard were selected and omitted and why those choices were made.


Step 7: Execute a risk management strategy

The execution of a risk management strategy involves implementing the necessary security measures to safeguard your organization's information assets.


To ensure the effectiveness of these measures, it's essential to verify that personnel can competently operate and interact with the controls and are aware of their information security responsibilities.


You'll also need to establish a process for identifying, reviewing and maintaining the skills required to achieve your ISMS goals.


This process includes conducting a skills assessment and establishing the desired level of competency.


Step 8: Measure, monitor and review

To determine if your ISMS is effective, it’s important to review it periodically. We recommend conducting these reviews annually to stay on top of any changing risks.

During the review process, you’ll need to establish criteria that reflect the objectives outlined in your project mandate.

Quantitative analysis is often used to assign a numerical value to what’s being measured, particularly when it involves financial costs or time.

Alternatively, qualitative analysis is used when the assessment is better suited to categorization, such as ‘high’, ‘medium’, and ‘low’.

In addition to regular reviews, it’s important to carry out internal audits of your ISMS.

There’s no fixed way to conduct an ISO 27001 audit, so it’s possible to do it department by department to minimize the impact on productivity and focus the team’s efforts on specific tasks.

However, the process should be completed as quickly as possible to ensure results can be reviewed and used to plan for the next year’s audit.

The results of the internal audit feed into the management review, which is then used to improve the system continually.


 
 
 

Comments

Keith - 5Z5A8429 - 4x6.jpg

Hi, I'm Keith Sanks

I am a seasoned Cyber Security Professional with more than 16 years of industry experience. During my tenure in the Navy, I honed my skills in safeguarding National Security interests and assets against the constant threat of cyberattacks from hackers and foreign national advanced persistent threats.

  • LinkedIn

Effective. Secure. Protected

Creating a well-designed security program is essential for protecting an organization's critical assets and data from cyber threats. To achieve effectiveness, a security program must be designed with a risk-based approach that considers the organization's unique business requirements, regulatory compliance obligations, and the current threat landscape. The program must include policies, procedures, and controls that are tailored to mitigate the identified risks effectively. It is essential to establish a comprehensive security framework that includes technical solutions such as firewalls, intrusion detection systems, and endpoint protection, as well as employee training and awareness programs. A well-designed security program should also be regularly reviewed and tested to ensure that it remains effective and relevant as the threat landscape continues to evolve.

Subscribe

Thanks for submitting!

©2035 by Keith Sanks. Powered and secured by Wix

bottom of page