ISO 27001, the International Information Security Standard

What is ISO 27001?

What is an ISMS?

An ISMS is a systematic approach to securing corporate information assets.

It consists of policies, procedures and other controls involving people, processes and technology.

 To find out more about what an ISO 27001 information security management system is, download our free infographic.

ISO 27001 and risk management

Risk management forms the cornerstone of an ISO/IEC information security management system. All ISO 27001 projects rely on regular information security risk assessments to determine which security controls to implement and maintain.

The Standard defines its requirements for the risk management process, including risk assessment and risk treatment, in Section 6.1.2.

ISO/IEC 27001: 2013 controls

• A.5 Information security policies
• A.6 Organisation of information security
• A.7 Human resources security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operational security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance

ISO 27001 benefits

Recognised all around the world, ISO 27001 is one of the most popular information security standards in existence. The number of certifications has grown by more than 450% in the past ten years.

Implementing ISO 27001 helps you meet the information security requirements of laws such as the EU GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations). This helps reduce the costs associated with data breaches.

  Learn more about the benefits of ISO 27001 certification

Demonstrating GDPR compliance with ISO 27001 and ISO 27701

ISO/IEC 27701:2019 (ISO 27701) is an extension to ISO 27001, which expands its requirements to cover privacy management – including the processing of personal data/PII (personally identifiable information).

Implementing both ISO 27701 and ISO 27001 will enable you to meet the EU GDPR’s requirement for “appropriate technical and organisational measures” – as well as help you comply with many other data protection regimes.

  Learn more about ISO 27701

How to implement an ISO 27001-compliant ISMS

Implementing an ISO 27001-compliant ISMS involves:

• Scoping the project
• Securing management commitment and budget
• Identify interested parties, and legal, regulatory and contractual requirements
• Conduct a risk assessment
• Reviewing and implementing the required controls
• Developing internal competence
• Developing the appropriate documentation
• Conducting staff awareness training
• Continually measuring, monitoring, reviewing and auditing the ISMS

  Discover our ISO 27001 implementation checklist and solutions

How IT Governance can help you

• Our implementation methodology has been honed over 15 years.
• We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799).
• We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
• We guarantee certification (provided you follow our advice!).
• You benefit from real-world practitioner expertise, not just academic knowledge.
• We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
• We’ve helped more than 600 consultancy clients achieve certification to and compliance with ISO 27001.
• We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organisation.
• Our pricing and proposals are completely transparent, so you won’t get any surprises.
• We can help small organisations prepare for ISO 27001 certification in three months.