What is ISO 27001?
We explain what ISO 27001 is and how it relates to IT management systems
ISO 27001 is an international standard for IT systems that provides the policies and procedures for keeping a company's IT assets secure. It forms part of the wider ISO 27000 family of IT standards that all refer to information security management systems, but specifically deals with unifying a business's security processes into one management platform.
The framework is largely designed to keep a company's risk management strategy in check by helping to identify any issues that could represent a risk to data and creating processes and procedures to prevent similar instances occurring in the future.
ISO 27001 incorporates all the systems, guidelines and certifications needed to help a business analyse its processes. Prior to its implementation, companies were forced to rely on a number of separate services for handling data risk, resulting in massive inefficiencies.
For example, parts of a business may have been identified as high risk, and would have had appropriate processes and policies in place to help mitigate that. However, other parts of a company may have been neglected.
The development of ISO 27001 in the 1990s allowed for processes to be brought under a single standard, and therefore manage components of a business inside a single management system. This can then be seen by managers across the entire organisation as a whole, rather than each having responsibility for a single section.
The standard has also received significant updates since its development, most notably in 2013. Originally based on just five 'clauses', which serve as the objectives of the standard, the update increased this to 10.
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
History of ISO 27001
Guidance around IT security was first introduced in 1992 when the Department of Trade and Industry (DTI) published a code of practice for IT security management.
In 1995, the British Standards Institute republished it as BS7799. This was revised over the years and in 2000 it was fast-tracked as an ISO standard and became ISO 17799.
In 2002, this was updated and a second part introduced, BS7799-2, an Information Security Management Specification rather than a code of practice. This update entered the ISO fast track in 2005 and became ISO 27001.
It was updated significantly in 2013, overhauling how ISO 27001 works. One major change was addressing the trend of using databases to store information rather than only physical documents.
Key guidelines in ISO 27001
Although ISO 27001 contains many requirements, the primary concerns (and those that are audited in order for an organisation to become certified) are that management must continuously analyse the business's security risks, design and implement a collection of security controls to manage those risks, and adopt an overall management process that ensures the business is never left open to risk and that security needs are continuously addressed. Specifically, ISO 27001 requires management to:
- Examine the organisation's security holes through risk assessments
- Design and implement a comprehensive suite of security controls
- Define the scope of the ISMS
- Adopt new processes to ensure new security controls meet the needs of the business
How to become certified for ISO 27001
Gaining certification in ISO 27001 is a great way to demonstrate your company's commitment to data security, and show that you take security management seriously. When faced with two organisations, clients will usually pick the one that's certified over the one that isn't.
ISO 27001 certification is undertaken by third-party certification bodies, and the processes each will analyse vary greatly.
Before the audit begins, the company's management will decide upon the parts of a business that will be certified upon completion. This can be the entire organisation or just a department or division, depending on what the management deems suitable.
Anything not included in this initial scope will not be certified and therefore, if only part of the business is certified, there are no guarantees the rest of the organisation is sticking to the guidelines.