
What is ISO 27001

Your simple introduction to the basic facts


ISO 27001 is an international standard published by the International Organization for Standardization
(ISO), and it describes how to manage information security in a company. The latest revision of this
standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of
the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned,
small or large. It was written by the world's best experts in the field of information security
and provides a methodology for the implementation of information security management in an
organization. It also enables companies to become certified, which means that an independent
certification body has confirmed that the organization has implemented information security
compliant with ISO 27001.
ISO 27001 has become the most popular information security standard worldwide and many
companies have certified against it; here you can see the number of certificates issued in the last couple of
years:

Source: The ISO Survey of Management System Standard Certifications

How does ISO 27001 work


The focus of ISO 27001 is to protect the confidentiality, integrity and availability of the information
in a company. This is done by finding out what potential problems could happen to the information
(i.e., risk assessment), and then defining what needs to be done to prevent such problems from
happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is
based on managing risks: find out where the risks are, and then systematically treat them.

The safeguards (or controls) that are to be implemented are usually in the form of policies,
procedures and technical implementation (e.g., software and equipment). However, in most cases
companies already have all the hardware and software in place, but they are using them in an
insecure way; therefore, the majority of the ISO 27001 implementation will be about setting the
organizational rules (i.e., writing documents) that are needed in order to prevent security breaches.
Since such an implementation will require multiple policies, procedures, people, assets, etc. to be
managed, ISO 27001 describes how to fit all these elements together in the information security
management system (ISMS).
So, managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.); it is
also about managing processes, legal protection, managing human resources, physical protection,
etc.
See also: The basic logic of ISO 27001: How does information security work?

Why is ISO 27001 good for your company?


There are 4 essential business benefits that a company can achieve with the implementation of this
information security standard:
Comply with legal requirements: there are more and more laws, regulations and contractual
requirements related to information security, and the good news is that most of them can be resolved
by implementing ISO 27001, because this standard gives you the perfect methodology to comply with them
all.
Achieve marketing advantage: if your company gets certified and your competitors do not, you
may have an advantage over them in the eyes of the customers who are sensitive about keeping their
information safe.
Lower costs: the main philosophy of ISO 27001 is to prevent security incidents from happening,
and every incident, large or small, costs money. Therefore, by preventing them, your company will
save quite a lot of money. And best of all, the investment in ISO 27001 is far smaller than the
cost savings you'll achieve.
Better organization: typically, fast-growing companies don't have the time to stop and define their
processes and procedures; as a consequence, very often the employees do not know what needs to
be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because
it encourages companies to write down their main processes (even those that are not security-related),
enabling them to reduce the lost time of their employees.
See also: Free Return on Security Investment Calculator.

Where does information security management fit in a company


Essentially, information security is part of overall risk management in a company, with areas that
overlap with cybersecurity, business continuity management and IT management.

What does ISO 27001 actually look like?


ISO/IEC 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not
mandatory for implementation), while sections 4 to 10 are mandatory, meaning that all their
requirements must be implemented in an organization if it wants to be compliant with the standard.
Controls from Annex A must be implemented only if declared as applicable in the Statement of
Applicability.

According to Annex SL of the International Organization for Standardization's ISO/IEC Directives,
the section titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and
other management standards, enabling easier integration of these standards.
Section 0 (Introduction) explains the purpose of ISO 27001 and its compatibility with other
management standards.
Section 1 (Scope) explains that this standard is applicable to any type of organization.
Section 2 (Normative references) refers to ISO/IEC 27000 as the standard where terms and
definitions are given.
Section 3 (Terms and definitions) again refers to ISO/IEC 27000.
Section 4 (Context of the organization) is part of the Plan phase in the PDCA cycle
and defines requirements for understanding external and internal issues, interested parties and their
requirements, and defining the ISMS scope.
Section 5 (Leadership) is part of the Plan phase in the PDCA cycle and defines top
management responsibilities, setting the roles and responsibilities, and the contents of the top-level
Information security policy.
Section 6 (Planning) is part of the Plan phase in the PDCA cycle and defines
requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and
setting the information security objectives.
Section 7 (Support) is part of the Plan phase in the PDCA cycle and defines
requirements for availability of resources, competences, awareness, communication, and control of
documents and records.
Section 8 (Operation) is part of the Do phase in the PDCA cycle and defines the
implementation of risk assessment and treatment, as well as the controls and other processes needed to
achieve the information security objectives.
Section 9 (Performance evaluation) is part of the Check phase in the PDCA cycle and
defines requirements for monitoring, measurement, analysis, evaluation, internal audit and
management review.
Section 10 (Improvement) is part of the Act phase in the PDCA cycle and defines
requirements for nonconformities, corrections, corrective actions and continual improvement.
Annex A provides a catalogue of 114 controls (safeguards) grouped in 14 sections
(sections A.5 to A.18).
See also: Has the PDCA Cycle been removed from the new ISO standards?

How to implement ISO 27001

To implement ISO 27001 in your company, you have to follow these 16 steps:
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
For a more detailed explanation of these steps, see the ISO 27001 implementation checklist.

Mandatory documentation
ISO 27001 requires the following documentation to be written:

Scope of the ISMS (clause 4.3)

Information security policy and objectives (clauses 5.2 and 6.2)

Risk assessment and risk treatment methodology (clause 6.1.2)

Statement of Applicability (clause 6.1.3 d)

Risk treatment plan (clauses 6.1.3 e and 6.2)

Risk assessment report (clause 8.2)

Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)

Inventory of assets (clause A.8.1.1)

Acceptable use of assets (clause A.8.1.3)

Access control policy (clause A.9.1.1)

Operating procedures for IT management (clause A.12.1.1)

Secure system engineering principles (clause A.14.2.5)

Supplier security policy (clause A.15.1.1)

Incident management procedure (clause A.16.1.5)

Business continuity procedures (clause A.17.1.2)

Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And these are the mandatory records:

Records of training, skills, experience and qualifications (clause 7.2)

Monitoring and measurement results (clause 9.1)

Internal audit program (clause 9.2)

Results of internal audits (clause 9.2)

Results of the management review (clause 9.3)

Results of corrective actions (clause 10.1)

Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Of course, a company may decide to write additional security documents if it finds them necessary.
To see a more detailed explanation of each of these documents, download the free white paper
Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).

How to get certified


Two types of ISO 27001 certificates exist: (a) for organizations, and (b) for individuals.
Organizations can get certified to prove that they are compliant with all the mandatory clauses of the
standard; individuals can attend the course and pass the exam in order to get the certificate.
For an organization to become certified, it must implement the standard as explained in previous
sections, and then go through the certification audit performed by the certification body. The
certification audit is performed in the following steps:

Stage 1 audit (documentation review): the auditors will review all the documentation.

Stage 2 audit (main audit): the auditors will perform an on-site audit to check whether all
the activities in the company are compliant with ISO 27001 and with the ISMS documentation.

Surveillance visits: after the certificate is issued, during its 3-year validity, the auditors will
check whether the company maintains its ISMS.

See also: Becoming ISO 27001 certified: How to prepare for the certification audit.
Individuals can take several courses in order to obtain certificates; the most popular are:

ISO 27001 Lead Auditor Course: this 5-day course will teach you how to perform
certification audits, and it is intended for auditors and consultants.

ISO 27001 Lead Implementer Course: this 5-day course will teach you how to implement
the standard, and it is intended for information security practitioners and for consultants.

ISO 27001 Internal Auditor Course: this 2- or 3-day course will teach you the basics of the
standard and how to perform an internal audit; it is intended for beginners in this topic and
for internal auditors.

See also: How to learn about ISO 27001.

2005 and 2013 revisions of ISO 27001


As mentioned before, ISO 27001 was first published in 2005 and was revised in 2013; therefore,
the current valid version is ISO/IEC 27001:2013.
The most important changes in the 2013 revision are related to the structure of the main part of the
standard, interested parties, objectives, monitoring and measurement; also, Annex A has reduced the
number of controls from 133 to 114 and increased the number of sections from 11 to 14. Some
requirements were deleted from the 2013 revision, like preventive actions and the requirement to
document certain procedures.
See also: Infographic: New ISO 27001 2013 revision: What has changed?
However, all these changes did not actually change the standard much as a whole: its main
philosophy is still based on risk assessment and treatment, and the same phases of the Plan-Do-Check-Act
cycle remain. This new revision of the standard is easier to read and understand, and it is
much easier to integrate it with other management standards like ISO 9001, ISO 22301, etc.
Companies that have been certified against ISO/IEC 27001:2005 must transition to the new
2013 revision by September 2015 if they want to keep their certificate valid. See here how to do it:
How to make a transition from the ISO 27001 2005 revision to the 2013 revision.

Related information security and other standards


ISO/IEC 27002 provides guidelines for the implementation of the controls listed in ISO 27001. ISO
27001 specifies 114 controls that can be used to reduce security risks, and ISO 27002 can be quite
useful because it provides details on how to implement these controls. ISO 27002 was previously
referred to as ISO/IEC 17799, and emerged from the British standard BS 7799-1.
ISO/IEC 27004 provides guidelines for the measurement of information security; it fits well with
ISO 27001 because it explains how to determine whether the ISMS has achieved its objectives.
ISO/IEC 27005 provides guidelines for information security risk management. It is a very good
supplement to ISO 27001 because it gives details on how to perform risk assessment and risk
treatment, probably the most difficult stage in the implementation. ISO 27005 emerged from the
British standard BS 7799-3.
ISO 22301 defines the requirements for business continuity management systems; it fits very well
with ISO 27001 because A.17 of ISO 27001 requires business continuity to be implemented;
however, it doesn't provide too many details. Learn more about ISO 22301 here.

ISO 9001 defines the requirements for quality management systems; although at first glance,
quality management and information security management do not have much in common, the fact is
that about 25% of the ISO 27001 and ISO 9001 requirements are the same: document control,
internal audit, management review, corrective actions, setting the objectives, and managing
competences. This means that if a company has implemented ISO 9001, it will have a much easier job
implementing ISO 27001. Learn more about ISO 9001 here.
