
ISO 27001 & Information Security

ISO27001 is the international standard describing best practice for an Information Security Management System, often shortened to 'ISMS'.

This page describes in detail what ISO27001 is, its history and the products that are available to help your organisation when approaching an ISO27001 project.

The Joint ISO/IEC committee (JTC 1/SC 27) responsible for the ISO27000 family of standards published the revised ISO/IEC 27001:2013 standard, alongside the code of practice ISO/IEC 27002:2013, on 25 September 2013. For the latest information, guidance, resources and offerings concerning the implications of ISO27001:2013, as well as certification pathways and transition options, please visit ISO27001:2013.

On this page

What is an ISMS?
ISO27001 Explained
IT Governance Products & Services
ISO27001 – A Framework For Compliance
ISO27001 – Best Practice For ISMS
ISO27001 & BS7799 History

What is an Information Security Management System?

An Information Security Management System (ISMS) is “part of the overall management system, based on a business risk approach, to establish, implement, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, processes and resources” (ISO/IEC 27000:2012). An ISMS is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (i.e. available, confidential and with its integrity intact). It encompasses people, processes and IT systems, in recognition that information security is not just about anti-virus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

An Information Security Management System (ISMS) helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.

ISO27001 Explained

ISO/IEC 27001:2013, usually referred to just as ISO27001, is the best-practice specification that helps businesses and organisations throughout the world to develop an Information Security Management System (ISMS).

The standard was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). ISO27001:2013 supersedes ISO/IEC 27001:2005.

The transition process to ISO27001:2013 commenced in early 2014. It is important to note that organisations certified against ISO27001:2005 will be required to transition to the new version of the standard once their Certification Bodies (CBs) have themselves transitioned. It is anticipated that once a CB has transitioned, its clients will be expected to transition within a year.

Those currently in the process of certification, or who are considering certification, will find it useful to visit ISO27001:2013 for an up-to-date explanation of the latest ISO27001 certification changes as well as certification options and pathways.

For all new product and service offerings related to the latest version ISO27001:2013, please visit the ISO27001:2013 shop.

Information and information systems are vital to all organisations. ISO27001 sets out specific requirements, all of which must be followed, against which an organisation's ISMS can be audited and certified.

ISO27001:2013 presents certain key changes to the former version, ISO27001:2005, the most prominent of which are listed below.

  • The Plan-Do-Check-Act (PDCA) model is no longer a requirement for ISO27001:2013 and organisations can apply any form of continual improvement method.
  • Organisations required to use specific process models (e.g. COBIT®, ITIL® etc.) have reduced barriers to entry.
  • There are changes to the structure of the standard.
  • ISO27001:2013 is designed to better integrate with other ISO/IEC standards.
  • Terms and definitions are standardised across the ISO 27000 family.
  • The standard is more flexible in general.
  • The link to ISO31000 risk assessment ties information security risk management into corporate risk management approaches.
  • The roles of board and management/leadership are clearly delineated.
  • The clauses and controls in Annex A have been restructured.

The downloadable Comparing ISO 27001:2005 to ISO 27001:2013 and Preparing for ISO27001:2013 green papers are two useful free resources which provide a summary of the major changes.

HMG Cyber Essentials Scheme and ISO27001

The Cyber Essentials Scheme is a key deliverable of the UK Government’s National Cyber Security Strategy / Cyber Programme, and was released on 7 April 2014. The purpose of the scheme is to provide reassurance about cyber risk management to UK-based organisations, their clients and partners, and to ensure that risk management practices have been independently tested and verified, where relevant. The scheme provides a set of controls that organisations can implement to achieve a basic level of cyber security. Compliance with the scheme will be required in certain government procurement contracts. The controls have been based on ISO27001 because ISO27001 is an internationally recognised and comprehensive standard for information security. Visit our Cyber Essentials information page to read more about the scheme.

IT Governance Products & Services

At IT Governance we provide products and services to assist individuals and organisations who are interested in ISO27001, including books, toolkits, consultancy and training courses that cover every aspect of an ISO27001 project.

Our key product areas are:

  • ISO27001 Books: An introduction to the standard, how to sell your ISO27001 project to the board, how to achieve certification, and what ISO27001 can do for your business.
  • ISO27001 Training: Foundation & advanced-level courses for those embarking on an ISO27001 project.
  • ISO27001 Toolkits: Save time and money with our pre-prepared ISO27001 project documentation.
  • ISO27001 Consultancy: A tailor-made service for your organisation from consultants with over 10 years' experience. Take advantage of our free trial assessment.

For those new to ISO27001, IT Governance recommends the following products to develop their understanding of the standard and how it can benefit their business.

For all our latest product and service offerings related to the latest version ISO27001:2013, please visit the ISO27001:2013 shop.

ISO27001 – A Framework For Compliance

ISO27001 can help organisations create a framework for compliance with many regulatory standards, including the following in the UK:

  • Telecommunications Regulations Act 1998
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • The Human Rights Act 1998
  • The Regulation of Investigatory Powers Act 2000
  • The Copyright, Designs and Patent Act 1998
  • The Freedom of Information Act 2000 (public sector).

ISO27001 assists organisations in the development of an information security management system that is integrated, comprehensive, and incorporates globally recognised best practices. For example, this global standard has helped organisations in the US to comply with such regulatory acts as:

  • The Gramm-Leach-Bliley Act (GLBA)
  • The Health Insurance Portability and Availability Act (HIPAA)
  • The Californian Senate Bill 1386
  • Online Personal Protection Act
  • The Sarbanes-Oxley Act (SOX)
  • Federal Information Security Management Act

ISO27001 & Best Practice For ISMS

IT Governance specialises in helping organisations from all sectors all over the world to design and implement best practice information security management systems that deliver returns on investment and which are capable of certification to ISO27001.

We recognise that in many organisations expenditure on information security is already substantial, that it often impedes business effectiveness, and that its value for money is not clear. We can help organisations reduce their total information security expenditure while increasing its effectiveness.

Please email us or call +44 (0) 845 070 1750 to find out how we can help you use ISO27001.

ISO27001 & BS7799 History

It is important to recognise that ISO standards are international, whereas BS standards are British. BS7799 was the precursor to ISO27001.

Before the publication of ISO/IEC 27001, organisations were certified against BS7799-2:2002.

  • BS7799 was originally published with the status of “Code of Practice”. In April 1999 it became a formal two-part standard.
  • BS7799 Part 1 was the “Code of Practice for Information Security Management” and Part 2 was the “Specification for Information Security Management Systems”. Part 1 provided best practice guidance, and Part 2 formed the standard against which an organisation's security management system could be assessed.
  • The BS7799 Code of Practice, Part 1, took the form of guidance and recommendations; its foreword clearly stated that it was not to be treated as a specification. It was internationalised as ISO17799 in December 2000, a revised version was issued in early 2005, and in 2007 it was renamed ISO27002.
  • ISO27002:2013 is the international code of best practice that is increasingly applied by organisations seeking a method of implementing an information security management system that will ensure they effectively meet the wide range of regulatory and compliance demands they face today.
  • BS7799 Part 2 was revised in 2002, with significant re-ordering of the controls. The British Standard then underwent fast-track internationalisation in 2005, and ISO27001:2005 was published.
  • ISO27001:2005 was replaced by ISO27001:2013 in 2013.

About the author:

Alan Calder is the Founder and Executive Chairman of IT Governance Ltd. Read his blog, follow him at Google+ and connect with him on LinkedIn.


+44 (0) 845 070 1750
live chat support software