
ISO/IEC 27001:2022 – Information Security Management

The international standard for information security

What is ISO 27001 information security management?

ISO/IEC 27001 is the international standard for information security management.

Part of the ISO 27000 series, ISO 27001 sets out a framework for all organisations to establish, implement, operate, monitor, review, maintain and continually improve an ISMS (information security management system).

Certification to the ISO 27001 standard is recognised worldwide as proof that your organisation’s information security management is aligned with best practice.

Free guide: Information Security & ISO 27001 – An Introduction

Download our comprehensive guide to learn:

  • How ISO 27001 works in practice;
  • Key implementation requirements and challenges;
  • The business benefits of ISO 27001 certification; and
  • How an ISMS protects your critical information assets.


ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.

Implementing the Standard helps you meet the requirements of laws such as the UK and EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. It also helps reduce the costs associated with data breaches.

Protect your data, wherever it is

Protect all forms of information, whether digital, hard copy or in the Cloud.

Increase your attack resilience

Increase your organisation’s resilience to cyber attacks.

Reduce information security costs

Implement only the security controls you need, helping you get the most out of your budget.

Respond to evolving security threats

Constantly adapt to changes both in the wider environment and inside the organisation.

Improve company culture

An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security as part of their everyday working practices.

Meet contractual obligations

Certification demonstrates your organisation’s commitment to data security and provides a valuable credential when tendering for new business.

Learn more about the benefits of ISO 27001

What is an ISMS?

An ISMS takes a systematic approach to securing the CIA (confidentiality, integrity and availability) of corporate information assets.

An ISO 27001 ISMS consists of organisational, people, physical and technological controls, selected on the basis of regular risk assessments.

Its technology- and vendor-neutral approach makes it suitable for all organisations, whatever their size, complexity, sector or location.

ISO 27001 has changed

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022. As of 30 April 2024, certification bodies can no longer offer (re)certification to the 2013 edition of the Standard.

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and how they affect your organisation, visit ISO 27001 and ISO 27002:2022 updates.

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

How to achieve ISO 27001 compliance

Implementing an ISMS involves the following:

  • Scoping the project.
  • Securing management commitment and adequate resources.
  • Identifying interested parties and applicable legal and contractual requirements.
  • Conducting a risk assessment.
  • Selecting and implementing the required controls.
  • Developing internal competence to manage the project.
  • Developing the appropriate documentation.
  • Conducting staff awareness training.
  • Continually measuring, monitoring, reviewing and auditing the ISMS.
  • Implementing the necessary corrective and preventive actions.

Discover our ISO 27001 implementation checklist and our nine-step approach to implementing an ISMS in our bestselling guide.

ISO 27001 and risk management

Risk management forms the cornerstone of an ISMS. All ISMS projects rely on regular information security risk assessments to determine which security controls to implement and maintain.

The Standard defines its requirements for the risk management process, including risk assessment and treatment, in Clause 6.1.

ISO 27001 clauses and controls

ISO 27001:2022 has ten management system clauses. Together with Annex A, which lists the 93 information security controls from ISO 27002:2022, they support the implementation and maintenance of an ISMS.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The 2022 version of the Standard has fewer controls than the 2013 version, but this is because many controls were merged rather than removed. ISO 27002:2022 also introduces 11 new controls.

The 93 controls are grouped into four themes:

  1. Organisational (37 controls)
  2. People (8 controls)
  3. Physical (14 controls)
  4. Technological (34 controls)

ISO 27001 doesn’t require all 93 controls to be implemented. Instead, your risk assessment should determine which controls are required, and you should document a justification for each control you exclude.

Read our blog ISO 27001:2022 Annex A Controls Explained to learn more.

Download the ISO 27001 Management System Clauses infographic


Demonstrating GDPR compliance with ISO 27001 and ISO 27701

Like all ISO management system standards, ISO 27001 follows Annex SL. This common high-level structure makes implementing integrated management systems that conform to multiple standards easier.

For instance, an ISO 22301-compliant BCMS (business continuity management system) could share components with an ISO 27001-compliant ISMS.

ISO 27701 is an extension to ISO 27001, expanding its requirements to cover privacy management. This includes the processing of personal data or PII (personally identifiable information).

Implementing an integrated ISMS and ISO 27701-compliant PIMS (privacy information management system) will help you meet the GDPR’s requirements for managing, processing and protecting personal data.

Learn more about ISO 27701

How IT Governance can help you get ISO 27001 certified

  • Our implementation methodology has been honed for more than 20 years.
  • We are the global authority on ISO 27001. Our management team led the world’s first certification project when the Standard was known as BS 7799.
  • We offer everything you need to implement an ISMS – you don’t need to go anywhere else.
  • We guarantee certification (provided you follow our advice!).
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
  • We’ve helped more than 800 consultancy clients achieve certification to and compliance with ISO 27001.
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter your organisation’s size or nature.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • Our FastTrack™ service helps organisations prepare for certification in three to six months.

Need expert guidance on ISO 27001?

Having led the world's first successful ISO 27001 certification project and helped 800+ organisations achieve certification, our experts can guide you through every step of the process.


Frequently asked questions (FAQs)

What is ISO 27001?

ISO 27001 is the international standard for information security management. It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The standard helps organisations protect data, manage risk and demonstrate compliance to customers and regulators.

What is ISO 27001 certification?

ISO 27001 certification is the formal recognition that an independent auditor has verified your organisation’s ISMS meets the requirements of the standard. Certification shows clients, partners and regulators that you follow best practice for information security.

How do you get ISO 27001 certification?

To achieve ISO 27001 certification, an organisation must:

  1. Define the scope of its ISMS.
  2. Conduct a risk assessment and apply security controls.
  3. Document and implement policies, procedures and processes.
  4. Undergo an external audit from an accredited certification body.

Most businesses seek expert support, such as consultancy or toolkits, to streamline the process.

How many controls are in ISO 27001?

The 2022 version of ISO 27001 references 93 controls grouped into four themes: organisational, people, physical and technological. These controls are detailed in Annex A of the standard.

What is ISO 27001 compliance?

ISO 27001 compliance means your organisation has implemented the policies, procedures and controls required by the standard, but may not yet have external certification. Compliance shows alignment with best practice, while certification provides independent verification.

How long does ISO 27001 certification last?

An ISO 27001 certificate is valid for three years, subject to annual surveillance audits. After three years, a recertification audit is required to maintain certification.

Is ISO 27001 GDPR compliant?

ISO 27001 is not the same as GDPR compliance, but it supports it. The standard provides a structured framework for protecting personal data, helping organisations demonstrate that they have appropriate security measures in place to meet GDPR requirements.

What does ISO 27001 stand for?

ISO refers to the International Organization for Standardization, and 27001 is the number assigned to the standard covering information security management systems (ISMS).

Ready to simplify your security? Let’s get started.

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.

If you need technical support, please contact us.