What is ISO 27001?

We explain what ISO 27001 is and how it relates to IT management systems


ISO 27001 is one member of the ISO 27000 family of international standards for IT systems. It is a security standard for computer systems that sets out the procedures for keeping an organisation's assets safe.

The broader family of standards covers information security management systems as a whole, while this particular standard deals with bundling a company's security processes into a single management platform. Organisations that meet the requirements can be certified against ISO 27001 by an accredited certification body after completing an audit.


ISO 27001 offers a framework that aims to maintain a company's risk management strategy and ensure it is free of policy gaps or security holes. The standard helps businesses find any gaps that may arise which, if left unchecked, would create a risk to the organisation's data. Implementing the standard in full would, in practice, put processes in motion that prevent such data risk in future.

The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers. 

Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.


When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.

Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:

  1. Scope of the standard
  2. How the document is referenced
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system's performance
  10. Corrective action

History of ISO 27001

Guidance around IT security was first introduced in 1992, when the Department of Trade and Industry (DTI) published a code of practice for IT security management.


In 1995, the British Standards Institution republished it as BS7799. This was revised over the years and, in 2000, it was fast-tracked as an ISO standard and became ISO 17799.

In 2002, this was updated and a second part introduced: BS7799-2, an Information Security Management Specification rather than a code of practice. This update entered the ISO fast track in 2005 and became ISO 27001.

It was updated significantly in 2013, overhauling how ISO 27001 works. One major change was addressing the trend of using databases to store information rather than only physical documents.

Key guidelines in ISO 27001

Although ISO 27001 has many requirements, the primary concerns (and those that are audited in order for an organisation to become certified) are that management must continuously analyse the business's security risks, design and implement a collection of security controls to manage those risks, and adopt an overall management process that ensures the business is never left exposed to risk and that security needs are continuously addressed. Specifically, ISO 27001 requires management to:

  • Examine the organisation's security holes through risk assessments
  • Design and implement a comprehensive suite of security controls
  • Define the scope of the ISMS
  • Adopt new processes to ensure new security controls meet the needs of the business

How to become certified for ISO 27001

Gaining certification in ISO 27001 is a great way to demonstrate your company's commitment to data security, and show that you take security management seriously. When faced with two organisations, clients will usually pick the one that's certified over the one that isn't.

ISO 27001 certification is undertaken by third-party certification bodies, and the processes each will analyse vary greatly.

Before the audit begins, the company's management will decide upon the parts of a business that will be certified upon completion. This can be the entire organisation or just a department or division, depending on what the management deems suitable.

Anything not included in this initial scope will not be certified and therefore, if only part of the business is certified, there are no guarantees the rest of the organisation is sticking to the guidelines.
