In this article, you’ll be introduced to the BS EN ISO/IEC 27001 Information Security standard. We will cover what the standard is, its purpose, its benefits and why it could make a difference to your organisation. We also discuss how we, here at Digital Octopii, can help you implement the standard and achieve certification within your own organisation, knowing we are right there by your side.
Reading time: 6 minutes
What is the meaning of ISO 27001?
ISO 27001 is a widely known global standard created by the International Organisation for Standardisation (ISO). The standard deals with Information Security Management and helps your organisation identify and manage information security risks. Implementing it assists your organisation in handling information security with the aim of minimising risks to the confidentiality, integrity and availability of the information it holds. Confidentiality, integrity and availability are often referred to together as the CIA triad.
The path you follow to implement ISO 27001 will put your organisation on the right track to establishing and continually maintaining an effective Information Security Management System (ISMS). Through the certification process you are asked to assess all risks to your organisation’s information security and implement relevant policies and procedures to manage the identified risks.
Overall, the ISMS certification process is a clearly defined set of processes that helps organisations handle their sensitive information. An ISMS lays out the actions to take in the event of a problem, allowing the organisation to quickly analyse what went wrong and what must be done to reduce the risk of it happening again.
What is the purpose of ISO 27001?
In our ever-developing world, the news is often packed with stories of organisations suffering data breaches and their subsequent struggles with the loss of consumer data, loss of confidence and fines. The General Data Protection Regulation (GDPR) has only strengthened this fallout, thanks to the Information Commissioner’s Office’s (ICO) power to levy hefty fines on non-compliant organisations.
Aside from the economic consequences faced by organisations that do not comply with ISO security standards, ISO 27001 certification sends a strong message to consumers that you are taking their security concerns and rights seriously. In other words, the certification your organisation has undergone lets it be seen as trustworthy in consumers’ eyes. You are minimising risk. The information security management systems that compliant organisations create enable them to be proactive in the face of information security risks. Organisations can anticipate and prevent security breaches before they occur, giving potential and existing consumers peace of mind.
History of ISO 27001
ISO jointly published the ISO 27001 standard with the International Electrotechnical Commission (IEC). The latest version of the standard traces back to the British Standards Institution’s BSI 7799, published in 1995. BSI 7799 was written by the DTI and was eventually transformed into the standard known today. The most accepted iteration of ISO 27001 is ISO/IEC 27001:2017.
What are the benefits of ISO 27001?
There are many benefits to achieving ISO 27001 compliance for organisations of every kind, including SMEs, MNCs and charitable organisations. The benefits are outlined below and expanded upon in ‘What are the benefits of ISO 27001.’
How to achieve ISO 27001 compliance?
From a high-level perspective, achieving ISO 27001 certification involves demonstrating that you have implemented sufficient processes for an information security management system that meets the requirements of ISO 27001. Certification can only be awarded by an accredited certification body, which broadly assesses the following three information security categories:
- Information confidentiality and, more specifically, whether adequate access controls are in place to prevent unauthorised access.
- Information integrity
- Information availability
Understanding the expectations of certification audits from a high-level perspective sets the tone for implementing security controls. Put simply, a certification body assesses an ISMS’s practices, policies and procedures against the requirements of ISO 27001.
Despite the simplicity of the high-level view, the intricate details of certification can be pretty daunting at first. The standard has two main ‘parts’ that organisations must work through:
Eleven clauses (0 to 10)
The core of ISO 27001 certification consists of eleven clauses, from clause 0 to clause 10. The opening clauses, 0 to 3, set the base for certification and hold the general ‘metadata’ of the standard, including scope, normative references, and terms and definitions. The remaining clauses, 4 to 10, require deeper consideration and outline the minimum compliance expectations for certification.
Clauses 4 to 10 are mandatory certification requirements and set out the processes, documents and policies necessary for a compliant system to function.
The next part of the certification is built from the 114 Annex A controls, a sort of ‘catalogue’ of security controls broken down into 14 categories that help manage information security risks. Annex A is arguably one of the most notorious annexes of any ISO standard because of its extensive nature, which can make it seem quite intimidating at first. But with Digital Octopii by your side, the controls can be selectively applied to your organisation based on risk assessments, making the process much easier than it may initially seem.
To introduce the Annex A controls, the 14 overall categories are listed below, with further descriptions of the controls documented in the attached video:
- Annex A.5: Information security policies
- Annex A.6: Organisation of information security
- Annex A.7: Human resource security
- Annex A.8: Asset management
- Annex A.9: Access control
- Annex A.10: Cryptography
- Annex A.11: Physical and environmental security
- Annex A.12: Operations security
- Annex A.13: Communications security
- Annex A.14: System acquisition, development and maintenance
- Annex A.15: Supplier relationships
- Annex A.16: Information security incident management
- Annex A.17: Information security aspects of business continuity management
- Annex A.18: Compliance
ISO 27001:2013 and ISO 27001:2017, what are the differences?
If you’ve been looking at achieving ISO 27001 compliance for your organisation, you may have noticed two recent versions of the standard, ISO 27001:2013 and ISO 27001:2017. So, what is the difference?
The most recently published version of the information security management system standard is BS EN ISO/IEC 27001:2017. ISO and IEC introduced this iteration of the standard to indicate approval by CEN/CENELEC for the EN (European Standard) designation. Its introduction did not affect the 2013 iteration, and its changes do not directly introduce new requirements.
How can Digital Octopii help you get ISO 27001 certified?
Digital Octopii can help you achieve ISO 27001 through our bespoke certification ‘toolkit’, designed to guide you to compliance in the most suitable manner. Small businesses looking to save costs can conduct the bulk of the work in-house: using our Pro Toolkit, they gain access to a wide array of documentation templates and risk and asset registers, alongside a few hours of support from a dedicated ISO consultant. On the other hand, organisations looking for as much help as possible can opt for a custom plan, with as many hours of support and supporting services as needed.