ISO 27001, the International Information Security Standard

ISO 27001 definition: What is ISO 27001?

The latest version of the ISO 27001 information security standard was published in September 2013, replacing the 2005 iteration.

For an introduction to the principles of information security management and ISO 27001:2013, read our bestselling An Introduction to Information Security and ISO 27001 (2013) A Pocket Guide, Second Edition.

ISO 27001 and risk management

Risk management forms the cornerstone of an ISO/IEC ISMS. All ISMS projects rely on regular information security risk assessments to determine which security controls to implement and maintain.

The Standard defines its requirements for the risk management process, including risk assessment and risk treatment, in section 6.1.2.

ISO 27001 clauses and controls

The Standard has ten management system clauses. Together with Annex A, which lists 114 information security controls, they support the implementation and maintenance of an ISMS, as shown in the infographic below.

1. Scope 
2. Normative references 
3. Terms and definitions 
4. Context 
5. Leadership

6. Planning and risk management 
7. Support 
8. Operations 
9. Performance evaluation
10. Improvement

  Download the ISO 27001 management system clauses infographic

ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.

Implementing the Standard helps you meet the information security requirements of laws such as the EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. This helps reduce the costs associated with data breaches.

  Learn more about the benefits of certification

ISO/IEC 27001:2013 controls

The Standard doesn’t mandate that all 114 Annex A controls be implemented. A risk assessment should determine which controls are required and a justification provided as to why other controls are excluded from the ISMS. 

Below is the list of control sets.

• A.5 Information security policies
• A.6 Organisation of information security
• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance

How to achieve ISO 27001 compliance

Implementing an ISMS involves:

• Scoping the project.
• Securing management commitment and budget.
• Identifying interested parties and legal, regulatory and contractual requirements.
• Conducting a risk assessment.
• Reviewing and implementing the required controls.
• Developing internal competence to manage the project.
• Developing the appropriate documentation.
• Conducting staff awareness training.
• Reporting (e.g. the Statement of Applicability and risk treatment plan).
• Continually measuring, monitoring, reviewing and auditing the ISMS.
• Implementing the necessary corrective and preventive actions. 

  Discover our ISO 27001 implementation checklist and our nine-step approach to implementing an ISMS

Demonstrating GDPR compliance with ISO 27001 and ISO 27701

Like all ISO management system standards, ISO 27001 follows Annex SL. This common high-level structure makes it easier to implement integrated management systems that conform to multiple standards.

For instance, an ISO 22301-compliant BCMS (business continuity management system) could share components with an ISO 27001-compliant ISMS.

ISO/IEC 27701:2019 (ISO 27701) is an extension to ISO 27001 which expands its requirements to cover privacy management – including the processing of personal data/PII (personally identifiable information).

Implementing an integrated management system that combines an ISMS and an ISO 27701-compliant PIMS (privacy information management system) will help you meet the GDPR's requirements for managing, processing and protecting personal data.

  Learn more about ISO 27701

How IT Governance can help you get ISO 27001 certified

• Our implementation methodology has been honed for over 15 years.
• We are known as the global authority on ISO 27001 – our management team led the world’s first certification project when the Standard was known as BS 7799.
• We offer everything you need to implement an ISMS – you don’t need to go anywhere else.
• We guarantee certification (provided you follow our advice!).
• You benefit from real-world practitioner expertise, not just academic knowledge.
• We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
• We’ve helped more than 800 consultancy clients achieve certification to and compliance with ISO 27001.
• We have a proven and pragmatic approach to assessing compliance with international standards, no matter your organisation's size or nature.
• Our pricing and proposals are completely transparent so that you won’t get any surprises.
• We can help small organisations prepare for certification in three months.