What is ISO/IEC 27001?
ISO/IEC 27001 is an information security standard that specifies the requirements for establishing, operating, maintaining and continually improving an information security management system (ISMS). Its purpose is to ensure that an organization's security controls are selected and managed on the basis of the organization's actual security needs and identified risks, rather than chosen ad hoc.
A brief history of ISO/IEC 27001
ISO/IEC 27001 (often shortened to ISO 27001) is one of several standards in the ISO/IEC 27000 family. These standards are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as a broad set of best practices for managing information security.
In 1995, the British Standards Institution (BSI) published BS 7799. Part 2 of BS 7799 dealt specifically with Information Security Management Systems, and in 2005 it was adopted internationally as ISO/IEC 27001.
The PDCA (Plan-Do-Check-Act) cycle was introduced into BS 7799-2 in its 2002 revision and carried over into ISO/IEC 27001:2005 as the required model for running the ISMS. The 2013 revision dropped PDCA as a mandated model; organizations may still use it, but the standard no longer prescribes a particular continual-improvement cycle.
What is an Information Security Management System (ISMS)?
An ISMS is a centrally managed framework for keeping an organization's information secure. It consists of the policies, procedures and controls that protect the confidentiality, integrity and availability of information, together with the risk assessment and review activities that keep those controls aligned with the organization's needs.
There are many benefits to operating an ISO/IEC 27001-compliant ISMS. A compliant system helps you meet regulatory obligations and win the trust of customers and partners. It also changes how the organization approaches information security, making employees more aware of their own security responsibilities and of the steps they must take to keep data secure.
Other benefits include:
- An ISMS covers information in all its forms, including paper records, cloud-hosted systems and other digital data.
- Implementing an ISMS can increase an organization's resilience to cyber attacks.
- An ISMS provides a single, centrally managed framework for governing information security, so that controls, responsibilities and risk decisions are recorded and tracked in one place.
- Protection is organization-wide: it addresses technology-based risks as well as threats such as ineffective security procedures and poorly informed employees.
- An ISMS helps an organization respond to evolving security threats, because risk assessment and control review are recurring activities rather than one-off exercises.
- Costs can be reduced. A centrally managed, risk-based framework makes it easier to stop spending on defensive technology that has little benefit to the business.
- The controls it specifies are not only technical; organizational, people-related and physical controls all contribute to protecting confidentiality, integrity and availability.
- The holistic approach of ISO/IEC 27001 means the entire organization is covered, not just IT. People, technology and processes are all in scope.
ISO/IEC 27001 Certification and Beyond
When you achieve ISO/IEC 27001 certification, you demonstrate to stakeholders and customers that you are committed to managing information securely. It is a credible way to promote your business and to show that you are an organization that can be trusted. Note that ISO itself does not certify organizations; certification is issued by an independent certification body after an audit.
The certification audit consists of two stages. Stage 1, also known as the documentation review, is a thorough examination of your ISMS documentation (scope, policies, risk assessment and treatment, Statement of Applicability and so on). Stage 2, also known as the main audit, is where the auditor checks whether your organization's actual activities comply with both the requirements of ISO/IEC 27001 and the documentation you have provided.
If you achieve certification, you receive a certificate that is valid for three years. During that period the certification body carries out surveillance audits (typically annually), and a full recertification audit is required at the end of the cycle. To maintain compliance and stand a good chance of renewal, you must run your ISMS consistently and continue to improve it.
So, what can we learn about implementing an ISO/IEC 27001-compliant system? Firstly, information security controls are not only technical, IT-related controls. They should be a combination of control types: implementing technical controls, documenting and following procedures, and training people.
Secondly, without some kind of security framework, information security quickly becomes difficult to manage. This is where ISO/IEC 27001 matters. When you build your ISMS and define security rules, controls and responsibilities, you are better able to manage a complex environment.
Finally, the better your processes are defined, managed and interrelated, the fewer incidents your organization is likely to experience.