What is ISO 27001?
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system).
Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
Purchase your copy of the standard today >>
Need help with your ISO 27001 certification?
One of our qualified ISO 27001 lead implementers is ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and discuss different options to suit your budget and business needs.
Get in touch
What is an ISMS?
An information security management system (ISMS) provides a systematic approach to managing information security. It consists of policies, procedures, and other controls involving people, processes, and technology to help organizations protect and manage all their data.
An ISO 27001-compliant ISMS relies on regular risk assessments, so you will be able to identify and treat security threats according to your organization’s risk appetite and tolerance.
To find out more about what an ISMS is, download our free PDF >>
ISO 27001 and risk management
ISO 27001 emphasises the importance of risk management, which forms the cornerstone of an ISMS. All ISO 27001 projects evolve around an information security risk assessment - a formal, top management-driven process which provides the basis for a set of controls that help to manage information security risks.
By implementing an ISO 27001-compliant ISMS, organizations will be able to secure information in all its forms, increase their resilience to cyber attacks, adapt to evolving security threats and reduce the costs associated with information security.
ISO 27001 clauses and controls
Part of the ISO 27000 family of standards, ISO 27001 consists of 114 controls (from Annex A) and 10 management system clauses that together support the implementation and maintenance of an ISMS.
While ISO 27001 offers the specification, the Standard is supported by its code of practice for information security management, ISO/IEC 27002:2013.
ISO/IEC 27001: 2013 controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operational security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Why achieve ISO 27001 certification?
ISO 27001 is one of the most popular information security standards in the world, with certifications growing by more than 450% in the past ten years. It is recognised globally as a benchmark for good security practice, and enables organisations to achieve accredited certification by an accredited certification body following the successful completion of an audit.
Protect your data, wherever it lives
An ISO 27001-compliant ISMS helps protect all forms of information, whether digital, paper-based, or in the Cloud.
Meet contractual and regulatory obligations
Certification demonstrates an organization’s commitment to information security, and provides a valuable credential when tendering for new business.
Reduce costs associated with information security
Thanks to the risk assessment and analysis approach of an ISMS, organizations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.
Increase your attack resilience
Implementing and maintaining an ISMS will significantly increase your organization’s resilience to cyber attacks.
Respond to evolving security threats
Constantly adapting to changes both in the environment and inside the organization, an ISMS reduces the threat of continually evolving risks.
Improve company culture
The Standard’s holistic approach enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
How to implement an ISO 27001-compliant ISMS
Implementing an ISO 27001-compliant ISMS can involve a number of steps, of which the following are the most important:
- Scope the project
- Get board commitment and secure budget
- Identify interested parties, and legal, regulatory and contractual requirements
- Conduct a risk assessment
- Review and implement the required controls
- Develop internal competence
- Develop the appropriate documentation
- Conduct staff awareness training
- Continually measure, monitor, review, and audit the ISMS
- Get certified
Discover our ISO 27001 implementation checklist and solutions >>