ISO 27001 and Information Security
What is ISO 27001?
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an information security management system (ISMS). Accredited certification to ISO 27001 demonstrates that an organisation is following information security best practices.
The newest version of the Standard is ISO/IEC 27001:2013, which supersedes ISO/IEC 27001:2005. Copies of the ISO 27000 family of standards can be purchased
ISO 27001 – a framework for compliance
Accredited certification to ISO 27001 demonstrates to existing and potential customers that an organisation has defined and put in place best-practice information security processes. Not only does certification to the Standard show that you are safeguarding your sensitive data, it will help you create a framework for complying with a number of regulations, including:
- The Telecommunications Regulations Act 1998
- The Data Protection Act 1998
- The Computer Misuse Act 1990
- The Human Rights Act 1998
- The Regulation of Investigatory Powers Act 2000
- The Copyright, Designs and Patents Act 1998
- The Freedom of Information Act 2000 (public sector)
Implementing ISO 27001
An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same. Getting ready for certification can take anything from three months to a year, depending on numerous factors specific to the organisation.
Although there is no typical ISO 27001 implementation project, most will follow this pattern, or something very similar:
- A gap analysis, which determines how far short of the Standard’s requirements your current processes fall.
- A risk assessment, which identifies the assets and risks relevant to information security, then estimates and evaluates those risks.
- The identification and selection of appropriate controls, from which a risk response plan is developed.
- Preparation of a risk treatment plan and a Statement of Applicability.
- Development of management system documentation, including relevant policies and procedures.
- Performance evaluation and preparation for an internal audit, which determines the extent to which your new procedures are successful.
- Development of relevant documented processes and related procedures for non-conformity, corrective action and continual improvement.
- Preparation for the certification audit.
- Surveillance, continual improvement and maintenance of your ISMS.
More detailed guidance can be found in our free green paper, Implementing an ISMS: A Really Quick Introduction, or on our information page, Implementing ISO 27001.
What is an information security management system (ISMS)?
An ISMS is "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives" (ISO/IEC 27000:2016).
It encompasses people, processes and technology, recognising that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. Technology alone is simply too weak to defend against the evolving nature of information security threats.
The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.
An ISO 27001-aligned ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
ISO 27001 and the Cyber Essentials scheme
The Cyber Essentials scheme is a key deliverable of the UK government’s National Cyber Security Strategy, and was released on 7 April 2014. It aims to provide reassurances about cyber risk management to UK-based organisations, clients and partners, and to ensure that risk management practices have been independently tested and verified, where relevant.
The scheme provides a set of controls based on ISO 27001 that organisations can implement to achieve a basic level of cyber security. Organisations can attain certification to two levels: Cyber Essentials and Cyber Essentials Plus. Certified compliance with the scheme will be required in certain government procurement contracts.
How IT Governance can help
IT Governance offers a comprehensive suite of information resources, training, tools, solutions and consultancy services, including:
ISO 27001 training courses
ISO27001 Certified ISMS Foundation Training Course
This one-day classroom course explains the benefits of the ISO/IEC 27001:2013 information security management standard and provides a complete introduction to the key elements required to comply with the Standard and benefit from its best practice.
All of our training courses are available in classroom and Live Online formats.
ISO 27001 staff awareness courses
ISO 27001 compliance tools
ISO 27001 ISMS Documentation Toolkit
Designed and developed by expert ISO 27001 practitioners, and enhanced by ten years of customer feedback and continual improvement, this toolkit provides all of the ISMS documents you need in order to comply with ISO 27001.
The ISO 27001 Expertise Bundle
Need help convincing your organisation to invest in ISO 27001? Is the board still unsure of the benefits? Use this bundle to show how ISO 27001 can help your organisation fight cyber crime, combat cyber terror and improve your corporate governance.
vsRisk™ has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001, this widely applicable risk assessment tool streamlines and delivers an information security risk assessment quickly and easily.
ISO 27001 solutions
We have created a range of packaged solutions that will enable you to implement ISO 27001 at a speed and for a budget that is appropriate to your needs and preferred project approach.
Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.