Achieve ISO 27001
What is the meaning of ISO 27001?
ISO 27001 is a widely known global standard created by the International Organisation for Standardisation (ISO). The standard deals with Information Security Management and can help your organisation to identify and manage information security risks. Its implementation can assist your organisation in handling information security for the purpose of minimising risks to the confidentiality, integrity and availability of the information in your organisation. Confidentiality, integrity and availability are often referred to as CIA.
The path you undergo to implement ISO 27001 standardisation will put your organisation on the right path to establishing and continually maintaining an efficient Information Security Management System or ISMS. Through the certification process you are asked to assess all risks to your organisation’s information security and implement relevant policies and procedures to manage the risks identified.
Overall, ISMS certification is a clearly defined set of processes that helps organisations handle their sensitive information. An ISMS lays out the actions to take in the event of a problem, allowing organisations to quickly analyse what went wrong and what must be done to reduce the risk of it happening again.
What is the purpose of ISO 27001?
In our ever-developing world, the news is often packed with stories of organisations suffering data breaches and their subsequent struggles with the loss of consumer data, confidence and fines. The General Data Protection Regulation (GDPR) has only strengthened this fallout, thanks to the Information Commissioner’s Office’s (ICO) power to levy hefty fines on non-compliant organisations.
Aside from the economic consequences faced by organisations that do not comply with ISO security standards, ISO 27001 certification sends a strong message to consumers that you are taking their security concerns and rights seriously. In other words, the certification your organisation has undergone lets consumers see you as a trusted organisation. You are minimising risk. The information security management systems that compliant organisations create enable them to be proactive in the face of information security risks. Organisations can anticipate and prevent security breaches before they occur, giving potential and existing consumers peace of mind.
History of ISO 27001
The ISO jointly published the ISO 27001 standard alongside the International Electrotechnical Commission or IEC. The latest version of the standard traces back to the British Standard Institution BSI 7799, published in 1995. The BSI 7799 was written by the DTI and was eventually transformed into the standard known today. The most accepted iteration of ISO 27001 is the ISO/IEC 27001:2017.
What are the benefits of ISO 27001?
There are a huge number of benefits to achieving ISO 27001 compliance for all organisations, including SMEs, MNCs and charitable organisations. The benefits are outlined below and are expanded upon in ‘What are the benefits of ISO 27001’.
ISO 27001 helps you reduce information security and privacy risks and breaches.
Certification demonstrates compliance with regulation and a commitment to continually improving information security practices.
Achieving certification helps save excess money and time in information security crises.
ISO 27001 compliance helps boost your organisation's reputation to gain an edge over competitors and win new customers.
How to achieve ISO 27001 compliance?
From a high-level perspective, achieving ISO 27001 certification involves demonstrating that you have implemented sufficient processes for an information security management system to meet the standards of ISO 27001. Certification can only be achieved through an accredited certification body, which is, broadly speaking, assessing the following three information security categories:
- Information confidentiality and, more specifically, whether adequate access controls are in place to prevent unauthorised access.
- Information integrity
- Information availability
Understanding the expectations of certification audits from a high-level perspective sets the tone for implementing security controls. It’s easy to understand that a certification body is assessing an ISMS’s practices, policies and procedures against the established standards of ISO 27001.
Despite the simplicity of looking at ISO 27001 certification from a high-level perspective, the intricate details of certification can be pretty daunting at first. The standard has two main ‘parts’ organisations must go through:
Part one: Eleven clauses (0 to 10)
The core of ISO 27001 certification consists of eleven clauses, from clause 0 to clause 10. The first three clauses, 0 to 3, set a base for certification and denote the general ‘metadata’ of the standard, including scope, references, terms and conditions. The remaining clauses, 4 to 10, require deeper consideration and outline the minimal compliance expectations for certification.
Clauses 4 to 10 are mandatory certification requirements and outline the processes, documents and policies necessary to function as a compliant system.
Part two: Annex A
The next part of the certification is built on the 114 Annex A controls. This is a ‘catalogue’ of security controls, broken down into 14 categories, that help manage information security risks. Annex A is arguably one of the most notorious annexes of all ISO standards due to its extensive nature, which can make it seem quite intimidating at first. With Digital Octopii by your side, the controls can be selectively applied to your organisation based on risk assessments, making it a much easier process than it may initially seem.
To introduce the Annex A controls, the 14 overall categories are broken down below, with further descriptions of the controls documented in the attached video:
- Annex A.5: Information security policies
- Annex A.6: Organisation of information security
- Annex A.7: Human resource security
- Annex A.8: Asset management
- Annex A.9: Access control
- Annex A.10: Cryptography
- Annex A.11: Physical and environmental security
- Annex A.12: Operations security
- Annex A.13: Communications security
- Annex A.14: System acquisition, development and maintenance
- Annex A.15: Supplier relationships
- Annex A.16: Information security incident management
- Annex A.17: Information security aspects of business continuity management
- Annex A.18: Compliance
ISO 27001:2013 and ISO 27001:2017, what are the differences?
Suppose you’ve been looking at achieving ISO 27001 compliance for your organisation. You may have noticed two recent versions of the standard, ISO 27001:2013 and ISO 27001:2017. So, what is the difference?
The most recently published version of the information security management system standard is BS EN ISO/IEC 27001:2017. ISO and IEC introduced this iteration of the standard to indicate approval by CEN/CENELEC for the EN designation (European Standard). Its incorporation did not affect the 2013 iteration, and its changes do not directly introduce new requirements.
How can Digital Octopii help you get ISO 27001 certified?
Digital Octopii can help you achieve ISO 27001 through our bespoke consultancy programmes designed to guide you to compliance in the most suitable manner. Small businesses looking to save costs can conduct the bulk of the work in-house. Working with us will gain you access to a wide array of documentation templates and risk and asset registers, alongside dedicated hours of support from an ISO consultant.
Download our ISO 27001 Requirements checklist
- Use this checklist to make sure you’re ready for the certification assessment
- Check you’re not missing any of the requirements of ISO/IEC 27001:2022
Elisabeth Belisle
Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.
Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification. Alternatively, if you would prefer, start with a helpful requirements checklist download.