What is ISO 27001?

We explain what ISO 27001 is and how it relates to IT management systems


Within the ISO 27000 family of international standards for IT systems is ISO 27001, a security standard for computer systems that sets out the procedures for keeping an organisation's assets safe.

The broader family of standards refers to information security management systems (ISMS), while this particular standard covers bundling a company's security processes into a single management platform. Organisations that meet the requirements can be certified under the ISO 27001 standard by an accredited organisation after completing an audit.


ISO 27001 offers a framework that aims to maintain a company's risk management strategy and ensure it is free of policy gaps or security holes. The standard helps businesses find any gaps that may arise, which if left unchecked would create a risk to the organisation's data. Implementing the standard in full would, in practice, ensure processes are put into motion that prevent such data risk in future.

The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers. 

Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.


When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.

Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:

  1. Scope of the standard
  2. How the document is referenced
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system's performance
  10. Corrective action

History of ISO 27001

Guidance around IT security was first introduced in 1992, when the Department of Trade and Industry (DTI) published a code of practice for IT security management.


In 1995, the British Standards Institution (BSI) republished it as BS7799. This was revised over the years and in 2000 it was fast-tracked as an ISO standard, becoming ISO 17799.

In 2002, this was updated and a second part introduced - BS7799-2, an Information Security Management Specification rather than a code of practice. This update entered the ISO fast track in 2005 and became ISO 27001.

It was updated significantly in 2013, overhauling how ISO 27001 works. One major change was addressing the trend of storing information in databases rather than only in physical documents.

Key guidelines in ISO 27001

Although ISO 27001 has many requirements, the primary concerns (and those that are audited in order for an organisation to become certified) are that management must continuously analyse the business's security risks, design and implement a collection of security controls to manage those risks, and adopt an overall management process that ensures the business is never left open to risk and that security needs are continuously addressed. Specifically, ISO 27001 requires management to:

  • Examine the organisation's security holes through risk assessments
  • Design and implement a comprehensive suite of security controls
  • Define the scope of the ISMS
  • Adopt new processes to ensure new security controls meet the needs of the business

How to become certified for ISO 27001

Gaining certification in ISO 27001 is a great way to demonstrate your company's commitment to data security, and show that you take security management seriously. When faced with two organisations, clients will usually pick the one that's certified over the one that isn't.

ISO 27001 certification is undertaken by third-party certification bodies, and the processes each will analyse vary greatly.

Before the audit begins, the company's management will decide upon the parts of a business that will be certified upon completion. This can be the entire organisation or just a department or division, depending on what the management deems suitable.

Anything not included in this initial scope will not be certified. Therefore, if only part of the business is certified, there is no guarantee that the rest of the organisation is sticking to the guidelines.
