ISO 27001, the International Information Security Standard

What is ISO 27001?

ISO/IEC 27001:2013 (also known as ISO27001) is the international standard that sets out the specification for an ISMS (information security management system).

Its best-practice approach helps organisations manage their information security by addressing people and processes as well as technology.

Independently accredited certification to the Standard is recognised around the world as an indication that your ISMS is aligned with information security best practice.

Part of the ISO 27000 series of information security standards, ISO 27001 is technology and vendor neutral and applicable to all organisations – irrespective of their size, type or nature.

The latest version of ISO 27001 was published in September 2013, replacing the 2005 iteration.

Watch our short video for an overview of ISO 27001.

Speak to an ISO 27001 expert

Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard. We can support you throughout your project, from implementation to certification. Speak to one of our experts for more information on how we can help you.

Contact us

What is an ISMS?

An ISMS is a holistic approach to securing the confidentiality, integrity and availability of corporate information assets.

It consists of policies, procedures and other controls involving people, processes and technology.

Informed by regular information security risk assessments, an ISMS is an efficient, cost-effective approach to keeping your information assets secure.

To find out more about what an ISO 27001 information security management system is, download our free infographic.

Learn more about
ISO 27001

Download free reports, brochures, infographics and green papers on how to implement an ISMS.

View free
ISO 27001 resources

Get certified to
ISO 27001

Understand ISO 27001 accreditation and achieve certification with a range of solutions to support your project.

Get started with ISO 27001 certification

Achieve an ISO 27001 qualification

Gain industry-leading qualifications, and the practical skills to implement and audit an ISO 27001-compliant ISMS.

View ISO 27001 training and qualifications

Simplify your ISO 27001 project

Achieve ISO 27001 certification quickly and hassle-free with our DIY packages, internal audits, managed services and more.

Shop for ISO 27001

ISO 27001 and risk management

Risk management forms the cornerstone of an ISO/IEC information security management system. All ISO 27001 projects rely on regular information security risk assessments to determine which security controls to implement and maintain.

The Standard defines its requirements for the risk management process, including risk assessment and risk treatment, in section 6.1.2.

ISO 27001 clauses and controls

Annex A of ISO 27001 lists 114 security controls. There are also ten management system clauses. Together, they support the implementation and maintenance of an ISMS, as shown in the diagram below.

The Standard is also supported by a code of practice, ISO/IEC 27002:2013.

Download the ISO 27001 management system clauses infographic

What is ISO 27001?

ISO/IEC 27001: 2013 controls

  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

Download our free guide to ISO 27001

Discover the importance of ISO 27001 and how it can help you meet your legal and regulatory obligations.

Download now

ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independently accredited certification to the Standard is recognised around the world and the number of certifications has grown by more than 450% in the past ten years.

Implementing ISO 27001 helps you meet the information security requirements of laws such as the EU GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems) Regulations. This helps reduce the costs associated with data breaches.

Protect your data, wherever it lives

An ISO 27001-compliant ISMS helps protect all forms of information, whether digital, hard copy or in the Cloud

Increase your attack resilience

Implementing and maintaining an ISMS significantly increases your organisation’s resilience to cyber attacks.

Reduce information security costs

ISO 27001’s risk-based approach means you implement only the security controls you really need, helping you get the most from your budget while reducing the risk of a data breach.

Respond to evolving security threats

Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.

Improve company culture

An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security controls as part of their everyday working practices.

Meet contractual obligations

Certification demonstrates your organisation’s commitment to information security and provides a valuable credential when tendering for new business.

Learn more about the benefits of ISO 27001 certification

Demonstrating GDPR compliance with ISO 27001 and ISO 27701

ISO/IEC 27701:2019 (ISO 27701) is an extension to ISO 27001, which expands its requirements to cover privacy management – including the processing of personal data/PII (personally identifiable information).

Implementing both ISO 27701 and ISO 27001 will enable you to meet the EU GDPR’s requirement for “appropriate technical and organisational measures” – as well as help you comply with many other data protection regimes.

Learn more about ISO 27701

How to implement an ISO 27001-compliant ISMS

Implementing an ISO 27001-compliant ISMS involves:

  • Scoping the project;
  • Securing management commitment and budget;
  • Identifying interested parties, and legal, regulatory and contractual requirements;
  • Conducting a risk assessment;
  • Reviewing and implementing the required controls;
  • Developing internal competence;
  • Developing the appropriate documentation;
  • Conducting staff awareness training; and
  • Continually measuring, monitoring, reviewing and auditing the ISMS.

Discover our ISO 27001 implementation checklist and solutions

Ready to simplify your security? Let’s get started

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.

How IT Governance can help you

  • Our implementation methodology has been honed over 15 years.
  • We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799).
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
  • We guarantee certification (provided you follow our advice!).
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
  • We’ve helped more than 600 consultancy clients achieve certification to and compliance with ISO 27001.
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organisation.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • We can help small organisations prepare for ISO 27001 certification in three months.
This website uses cookies. View our cookie policy