
ISO 27001 and Information Security

ISO/IEC 27001 (ISO 27001) is the international Standard that describes best practice for an Information Security Management System (ISMS). Accredited certification to ISO 27001 demonstrates that an organisation is following international information security best practices.

This page explains what ISO 27001 is and links to the products that will help your organisation when approaching an ISO 27001 implementation project, including our four packaged solutions.

On this page

What is an Information Security Management System (ISMS)?
ISO 27001 explained
Changes introduced by ISO 27001:2013
Free ISO 27001 green papers
ISO 27001 and the UK Government’s Cyber Essentials scheme
ISO 27001 – a framework for compliance
ISO 27001 solutions

What is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) is ‘part of the overall management system, based on a business risk approach, to establish, implement, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, processes and resources’ (ISO/IEC 27000:2012).

An ISMS is a systematic approach to managing confidential or sensitive corporate information so that it remains secure, i.e. its confidentiality, integrity and availability are preserved. It encompasses people, processes and IT systems, in recognition that information security is not just about anti-virus software, deploying the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and individual security initiatives should be prioritised, integrated and cross-referenced so that the programme as a whole is effective rather than a collection of isolated measures.

An ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.

ISO 27001 explained

The ISO/IEC Joint Technical Committee (JTC 1/SC 27) responsible for the ISO 27000 family of standards published the revised ISO/IEC 27001:2013 Standard, alongside its companion code of practice, ISO/IEC 27002:2013, on 25 September 2013. ISO/IEC 27001:2013 supersedes ISO/IEC 27001:2005.

The transition process from ISO 27001:2005 to ISO 27001:2013 commenced in early 2014. Organisations certified against ISO 27001:2005 will be required to transition to the new version of the Standard once their Certification Bodies (CBs) have themselves transitioned; it is anticipated that, once a CB has transitioned, its clients will be expected to transition within a year. See our Transition Resources information page for further guidance.

Those currently in the process of certification, or who are considering certification, will find an up-to-date explanation of the latest ISO 27001 certification changes as well as certification pathways and transition options on our ISO 27001:2013 information page.

For all new product and service offerings related to ISO 27001:2013, please visit the ISO 27001:2013 shop.

Changes introduced by ISO 27001:2013

Information and information systems are vital to all organisations. ISO 27001 sets out specific requirements (clauses 4 to 10 of the Standard), all of which must be met, against which an organisation's ISMS can be audited and certified. The controls in Annex A are not mandatory in themselves: an organisation selects them on the basis of its risk assessment and records the selection, with justification for inclusions and exclusions, in its Statement of Applicability.

ISO 27001:2013 presents certain key changes to the previous version of the Standard, ISO 27001:2005, the most prominent of which are listed below.

  • The Plan-Do-Check-Act (PDCA) model is no longer an explicit requirement of ISO 27001:2013; organisations can apply any continual improvement method.
  • Organisations already using specific process models (e.g. COBIT®, ITIL® etc.) face fewer barriers to entry.
  • The structure of the Standard has changed: it now follows the common high-level structure (Annex SL) shared by other ISO management system standards.
  • ISO 27001:2013 is therefore designed to integrate better with other ISO/IEC management system standards, such as ISO 9001 and ISO 22301.
  • Terms and definitions are standardised across the ISO 27000 family and are no longer repeated in ISO 27001 itself.
  • The Standard is more flexible in general, for example in how risk assessment is carried out.
  • The alignment with ISO 31000 ties information security risk management into corporate risk management approaches.
  • The roles of the board and of management/leadership are clearly delineated.
  • The clauses and controls in Annex A have been restructured: the 133 controls in 11 clauses of the 2005 edition become 114 controls in 14 clauses in the 2013 edition.

Free ISO 27001 green papers

Our free green papers, Comparing ISO 27001:2005 to ISO 27001:2013 and Preparing for ISO 27001:2013, are useful resources which provide a summary of the major changes.

ISO 27001 and the UK Government’s Cyber Essentials scheme

The Cyber Essentials scheme is a key deliverable of the UK Government’s National Cyber Security Strategy/Cyber Programme, and its requirements were published on 7 April 2014. It aims to provide reassurance about cyber risk management to UK-based organisations, their clients and partners, and to ensure that basic risk management practices have been independently tested and verified, where relevant.

The scheme provides a small set of controls, drawn from ISO 27001 and similar guidance, that organisations can implement to achieve a basic level of cyber security: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Organisations can attain certification at two levels: Cyber Essentials (self-assessment, independently verified) and Cyber Essentials Plus (which adds independent technical testing). Certified compliance with the scheme is required in certain government procurement contracts. Read more about ISO 27001 and the Cyber Essentials scheme.

ISO 27001 – a framework for compliance

ISO 27001 can help organisations create a framework for compliance with many regulatory and legal requirements. In the UK these include:

  • Telecommunications Regulations Act 1998
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • The Human Rights Act 1998
  • The Regulation of Investigatory Powers Act 2000
  • The Copyright, Designs and Patents Act 1988
  • The Freedom of Information Act 2000 (public sector).

For more information on the benefits of ISO 27001, see our ISO 27001 benefits page.

ISO 27001 solutions

We have created four packaged solutions that will enable you to implement ISO 27001 at a speed and budget that is appropriate for your individual needs and preferred project approach.

Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.

Find out more about our ISO 27001 packaged solutions and which one is right for you.