ISO/IEC 27001

ISO/IEC 27001 Information and Data Security Management supports organisations in controlling business security systems, systematically examining the business information security risks and taking account of the threats, vulnerabilities and impact. 

The objective of the standard is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS)". 

The standard defines its 'process approach' as "The application of a system of processes within an organisation, together with the identification and interactions of these processes, and their management". It employs the Plan-Do-Check-Act model to structure the processes and reflects the principles in the OECG guidelines. 

As more SMEs carry out activities on behalf of larger organisations, often involving privileged access to sensitive information or critical business services, the ISO/IEC 27001 Information and Data Security Management standard continues to be adopted internationally.

Benefits of ISO/IEC 27001:

Manufacturing Icon
Higher customer satisfaction
Page Icon
Improved chance of winning contracts
Services Icon
Lower the risk of product/service problems
Processes Icon
Streamlined business processes
Graph Icon
Increased consistency in business practices

Frequently Asked Questions

1What is ISO/IEC 27001?
ISO/IEC 27001 is a leading international information security standard designed to assist organisations, regardless of size or industry, protect their information effectively and systematically by adopting an Information Security Management System (ISMS). ISO/IEC 27001 defines the requirements for an ISMS.

Information security can be managed by ISO/IEC 27001's best-practice approach that addresses technology, processes and people. It enables organisations to create, run, monitor, review, maintain and continuously improve their ISMS. Being ISO/IEC 27001 certified confirms that your ISMS adheres to the best practices in information security.
2Is ISO/IEC 27001 a framework?
As a standard framework, ISO/IEC 27001 defines best practices for managing the risks associated with information security systematically and efficiently to achieve the desired results.
3Why is ISO/IEC 27001 important?
Being ISO/IEC 27001 certified gives you a competitive advantage and adds value to your business. Your ISO/IEC 27001 certification assures your customers that you are proactive in protecting information and employ best practices to minimise risks.

Being ISO/IEC 27001 improves your structure and focus. In some cases, as organisations grow and adapt, the importance of information security can be lost in the shuffle. Using ISO/IEC 27001, you can implement a system that ensures everyone stays focused on information security.

And perhaps the most important reason for getting certified for ISO/IEC 27001 is to prevent security threats. It would help if you were prepared for cybercriminals breaking into your company and internal mistakes resulting in data breaches. With ISO/IEC 27001, you are provided with the tools necessary to enhance your organisation's cybersecurity in three areas: technology, processes and people. The standard can help you identify policies you need to document, security technologies to use and staff training you need to avoid errors.
4What are ISO/IEC 27001 requirements?
Following is a summary of each section's requirements:

Clause 4

The context of an organisation must be understood before an ISMS can be implemented successfully. External and internal issues, along with interested parties, must be identified. The scope of the ISMS also needs to be defined by the organisation.

Clause 5

Leadership is required by ISO/IEC 27001 in several ways since management systems require the commitment of top management. There has to be a clear definition of objectives based on the organisation's strategic goals. It is also important to meet obligations such as supplying resources for the ISMS and supporting its implementation. Additionally, the top management should establish a security policy, which should be documented and communicated within the organisation. It is necessary to assign roles and responsibilities, too.

Clause 6

Risk assessments provide a solid foundation for implementing information security controls. Based on your risk assessment, information security objectives should be established. Aligning these objectives with the company's overall goals and promoting them within the company is essential. After assessing risks and identifying security objectives, a risk treatment plan must be developed.

Clause 7

Resources, competence among employees and awareness are required. It is also essential to carry out documentation.

Clause 8

To implement information security, processes must be followed. It is necessary to plan, implement and control these processes. Additionally, treatment and risk assessment must be implemented.

Clause 9

The ISMS must be monitored, measured, analysed and evaluated. Further, the ISMS should be reviewed by the top management at set intervals. The department must not only monitor its work but also perform internal audits.

Clause 10

After evaluating, improvements need to be made. It is vital to address nonconformities by eliminating their causes whenever possible. Furthermore, continuous improvement should be implemented.
5What are ISO/IEC 27001 controls?
ISO/IEC 27001 controls are practices designed to reduce risks to an acceptable level.

Human resource controls involve providing individuals with information, education, skills or experience to enable them to perform their duties securely.

Legal controls ensure that actions and rules comply with applicable regulations, laws, contracts and other legal instruments, such as an NDA.

Organisational controls involve defining procedures to be followed and behaviour expected from personnel, equipment, software and systems. An example of this is the BYOD policy.

Physical controls involve equipment or devices that interact physically with people and objects. Examples include alarms and CCTV systems.

Technical controls exist primarily in information systems through software, hardware and firmware components, such as antivirus software.
6Who uses ISO/IEC 27001?
Implementing ISO/IEC 27001 can benefit any organisation that handles sensitive information, whether for-profit or non-profit, large or small, public or private. Some groups that widely implement ISO/IEC 27001 include IT companies, telecoms, financial institutions and government agencies.

IT Companies

The IT industry must demonstrate to its clients that sensitive information is always protected. It is common for IT companies to implement ISO/IEC 27001 to meet the specific security requirements of their clients.

Telecoms

It is undoubtedly an essential standard for internet service providers, telecommunications companies, and other businesses that regularly deal with large amounts of personal information. By implementing ISO/IEC 27001 and correcting any issues, such companies can minimise cyber-related problems quickly and effectively.

Financial institutions

The ISO/IEC 27001 standard is required as a compliance threshold by numerous regulations and laws. Since the standard primarily guides data protection legislation, it is widely used. ISO/IEC 27001 can also help financial institutions reduce fiduciary risk. One of the advantages of cybersecurity compliance is that it’s far more cost effective than dealing with data breaches.

Government agencies

A majority of the data handled by government agencies can be considered sensitive, so the integrity and availability of the data handled by these agencies must also be protected in the most effective way possible.
7How many ISO/IEC 27001 clauses?
ISO/IEC 27001 has ten clauses and 114 controls (found in Annex A), all of which assist in implementing and maintaining the ISMS.
8 Is ISO/IEC 27001 mandatory?
ISO/IEC 27001 certification is not mandatory, similar to other ISO standards. Some organisations implement the standard to access their best practices, while others opt to get an ISO/IEC 27001 and CMMC certification to demonstrate compliance with the recommendations.