Basic Introduction to

ISO27001:
Scope, Implementation &
Application

Introduction

ISO 27001 is the international standard describing best practice for

an Information Security Management System (ISMS).

An ISMS is a framework of policies and procedures that includes all

legal, physical and technical controls involved in an organisation's
information risk management processes.

Being ISO 27001 approved is a certification which shows that the

business has defined and implemented effective Information
security processes.

Benefits of ISO27001
Table (1)
1

Information Security
Issue

How ISO 27001 helps

With increasing fines for

personal data breaches,
organizations need to ensure
compliance with legislative
requirements, such as the
UK Data Protection Act

It provides a framework for

the management of
information security risks,
which ensures you take into
account your legal and
regulatory requirements

Benefits

Supports compliance with relevant

laws and regulations
Reduces likelihood of facing
prosecution and fines
Can help you gain status as a
preferred supplier
Protects your reputation
It requires you to identify risks
Provides reassurance to clients that
Potential information breach, to your information and put in
their information is secure
damaging your reputation
place security measures to
Cost savings through reduction in
manage or reduce them
incidents
Demonstrates credibility and trust
It ensures that authorised
Availability of vital
Improves your ability to recover your
users have secure access to
information at all times
operations and continue business as
information when they need it
usual

Benefits of ISO27001
Table (2)
Information Security
Issue

How ISO 27001 helps

Gives you a framework for

Lack of confidence in your
identifying risks to information
organizations ability to
security and implementing
manage information security
appropriate management and
risks
technical controls
It provides a way of ensuring
Difficulty in responding to
that a common set of policies,
rising customer expectations
procedures and controls are in
in relation to the security of
place to manage risks to
their information
information security

Benefits
Confidence in your information
security arrangements
Better visibility of risks amongst
interested stakeholders

Meet customer and tender

requirements
Reduce third party scrutiny of your
information security requirements
Get a competitive advantage
Improved information security
It ensures senior management awareness
No awareness of information recognize information security Shows commitment to information
security within your
as a priority and that there is
security at all levels throughout your
organization
clear level of knowledge from organization

ISO 27001
ISO 27001 uses a top down, risk-based approach and is
technology-neutral. The specification defines a six-part
planning process:
Define

a security policy.

Define

the scope of the ISMS.

Conduct

a risk assessment.

Manage

identified risks.

Select

control objectives and controls to be implemented.

ISO 27002
This standard describes a comprehensive set of information security control objectives
and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1.

Risk assessment

2.

Security policy

3.

Organization of information
security

7.

Communications and operations

management

8.

Access control

9.

Information systems acquisition,

development and maintenance

4.

Asset management

5.

Human resources security

10.

6.

Physical and environmental

security

Information security incident

management

11.

Business continuity management

ISO 27000 Family

Other standards that have also been developed in the
27000 family are:

27003 implementation guidance.

27004 - an information security management measurement standard

suggesting metrics to help improve the effectiveness of an ISMS.

27005 an information security risk management standard. (Published in

2008)

27006 - a guide to the certification or registration process for accredited

Thanks for reading!