What is ISO 27001?

We explain what ISO 27001 is and how it relates to IT management systems

Graphic representing security in either data protection or cyber security contexts

Among the family of ISO 27000 international family of standards for IT systems is ISO 27001, which a security standard for computer systems that offer the procedures for keeping an organisation’s assets safe. 

The broader family of standards refer to information security management systems, although this particular standard handles bundling a company’s security processes into a single management platform. Organisations that meet the requirements can be certified under the ISO 27001 standard by an accredited organisation after completing an audit.

ISO 27001 offers a framework which aims to maintain a company’s risk management strategy and ensure this is free of any policy gaps or security holes. The standard will help businesses find any gaps that may arise, which if left unchecked would create a risk to the organisation’s data. Implementing the standard in full would, in practice, ensure processes are put into motion that prevents such data risk in future.

The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers. 

Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.

When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.

Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:

The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers. 

Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.

When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.

Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:

  1. Scope of the standard
  2. How the document is referenced
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system's performance
  10. Corrective action

History of ISO 27001

Guidance around IT security was first introduced in 1992 when the Department of Trade and Industry (DTI) published a code of practice or IT security management.

In 1995, the British Standards Institute republished it as BS7799. This was revised over the years and in 2000, it was fast-tracked as an ISO and became ISO 17799.

In 2002, this was updated and a second part introduced - BS7799-2, an Information Security Management Specification, rather than a code of practice. This update entered the ISO fast track in 2005 and became the ISO27001.

It was updated significantly in 2013, overhauling how ISO27001 works. One major change was addressing the trend of using databases to store information rather than only physical documents.

Key guidelines in ISO 27001

Although there are many requirements of ISO 27001, the primary concerns (and those that are audited in order for an organisation to become certified) are that management must continuously analyse the businesses security risks, design and implement a collection of security controls and how to manage risks and adopt an overall management process that ensures the business is never left open to risk and that security needs are continuously addressed. Specifically, ISO 27001 requires management to:

  • Examine the organisation's security holes through risk assessments
  • Design and implement a comprehensive suite of security controls
  • Define the scope of the ISMS
  • Adopt new processes to ensure new security controls meet the needs of the business

How to become certified for ISO 27001

Gaining certification in ISO 27001 is a great way to demonstrate your company's commitment to data security, and show that you take security management seriously. When faced with two organisations, clients will usually pick the one that's certified over the one that isn't.

ISO 27001 certification is undertaken by third-party certification bodies and the processes each will analyse varies greatly.

Before the audit begins, the company's management will decide upon the parts of a business that will be certified upon completion. This can be the entire organisation or just a department or division, depending on what the management deems suitable.

Anything not included in this initial scope will not be certified and therefore, if only part of the business is certified, there are no guarantees the rest of the organisation is sticking to the guidelines.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Most Popular

Unilever adopts Google Cloud’s complex data processing for conservation drive
big data analytics

Unilever adopts Google Cloud’s complex data processing for conservation drive

22 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020