What is ISO 27001? A quick and easy explanation

ISO 27001 is the leading international standard focused on information security. It was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System.

What is ISO 27001? - 27001Academy
ISO 27001 compliance software
What is ISO 27001? - 27001Academy
ISO 27001 Templates
What is ISO 27001? - 27001Academy
ISO 27001 Courses
The basics

What does ISO 27001 mean?

ISO 27001 is the leading international standard focused on information security. It was published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

For better understanding of ISO 27001 meaning, it’s important to know that this standard is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. ISO 27001 is the most important part of that set because it describes how to manage all aspects of security, and its full name is “ISO/IEC 27001 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements.”

ISO and the purpose of the ISO 27001 framework

The ISO is an independent, non-governmental international organization that develops international standards based on contributions by representatives from national standards organizations from all over the world. The ISO 27001 framework is a set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS), and it is the leading standard recognized by the ISO for information security. This ISO security framework’s purpose is to protect companies’ information in a systematic and cost-effective way, regardless of their size or industry.

Why is ISO 27001 important?

Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001 certified by attending a course and passing the exam and, in this way, prove their skills at implementing or auditing an Information Security Management System to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.

What are the three principles of ISO 27001?

As per ISO 27001 definition, the basic goal of an Information Security Management System is to protect three aspects of information:

  • Confidentiality: Only authorized persons have the right to access information.
  • Integrity: Only authorized persons can change the information.
  • Availability: The information must be accessible to authorized persons whenever it is needed.

Why do we need an ISMS?

There are four essential business benefits that a company can achieve with the implementation of ISO 27001:

Comply with legal requirements – There is an ever-increasing number of laws, regulations, and contractual requirements related to information security. The good news is that most of them can be resolved by implementing ISO 27001. This standard gives you the perfect methodology to comply with them all. For example, ISO 27001 can help guide the creation of a company's security policy to be compliant with the EU GDPR.

Achieve competitive advantage – If your company gets its ISMS ISO 27001 certified, and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.

Lower costs – The main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.

Better organization – Typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, employees often do not know what needs to be done, when, and by whom. Implementation of an ISO 27001-compliant ISMS helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security related), enabling them to reduce lost time by their employees and maintain critical organizational knowledge that could otherwise be lost when people leave the organization.

How does ISO 27001 work?

The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential incidents could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such incidents from happening (i.e., risk mitigation or risk treatment).

Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: Find out where the risks are, and then systematically treat them, through the implementation of security controls (or safeguards).

What is ISO 27001? A detailed and straightforward guide

ISO 27001 requires a company to list all controls that are to be implemented in a document called the Statement of Applicability.

What are the ISO 27001 controls?

The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technological, organizational, physical, and human-related.

How many controls are there in ISO 27001?

The 2022 revision of ISO 27001 Annex A lists 93 controls organized into four sections numbered A.5 through A.8, as explained below.

How do you implement ISO 27001 controls?

Organizational controls (Annex A section A.5) are implemented by defining the rules to be followed, as well as expected behavior from users, equipment, software, and systems. E.g., Access Control Policy, BYOD Policy, etc.

People controls (Annex A section A.6) are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g., ISO 27001 awareness training, ISO 27001 internal auditor training, etc.

Physical controls (Annex A section A.7) are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g., CCTV cameras, alarm systems, locks, etc.

Technological controls (Annex A section A.8) are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g., backup, antivirus software, etc.

For help with writing policies and procedures for the ISMS, and for security controls, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Requirements

Two parts of the standard

The standard is separated into two parts. The first (main) part consists of 11 clauses (0 to 10). The second part, called Annex A, provides the guidelines for 93 control objectives and controls.

Clauses 0 to 3 of the main part of the standard (Introduction, Scope, Normative references, Terms and definitions) serve as an introduction to the ISO 27001 standard. Clauses 4 to 10, which provide the ISO 27001 requirements, are mandatory if the company wants to be compliant with the standard, and are examined in more detail later in this article.

Annex A of the standard supports the ISO 27001 clauses and their requirements with a list of controls that are not mandatory, but that are selected as part of the risk management process. For more, read the article The basic logic of ISO 27001: How does information security work?

What is ISO 27001? A detailed and straightforward guide

What are the requirements for ISO 27001?

The standard requires a minimum set of documents to be written and managed (e.g., policies, plans, records, and other documented information) and activities to be performed (e.g., risk assessment and treatment, internal audit, management review, etc.) for a company to become ISO27001 compliant. To see the specific documents and records that are considered to be mandatory for ISO 27001 implementation and certification, click here.

The requirements from ISO 27001 clauses 4 through 10 can be summarized as follows:

Clause 4 of ISO 27001 - Context of the organization – One prerequisite of implementing an Information Security Management System successfully is understanding the context of the organization. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.

With this in mind, the organization needs to define the ISMS scope.

Clause 5 of ISO 27001 - Leadership – The requirements of ISO 27001 for adequate leadership are manifold. The commitment of the top management is mandatory for a management system. Objectives need to be established according to the strategic direction and objectives of the organization. Providing resources needed for the ISMS, as well as supporting persons in their contribution to the ISMS, are other examples of the obligations to meet.

Furthermore, the top management needs to establish a top-level policy for information security. The company’s ISO 27001 Information Security Policy should be documented, as well as communicated within the organization and to interested parties.

Roles and responsibilities need to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

Clause 6 of ISO 27001 - Planning – Planning in an ISMS environment should always take into account risks and opportunities. An information security risk assessment provides a key foundation to rely on. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned with the company`s overall objectives, and they need to be promoted within the company because they provide the security goals to work toward for everyone within and aligned with the company. From the risk assessment and the security objectives, a risk treatment plan is derived, based on controls as listed in Annex A.

Clause 7 of ISO 27001 - Support – Resources, competence of employees, awareness, and communication are key for supporting the ISMS. Another requirement is documenting information according to ISO 27001. Information needs to be documented, created, and updated, as well as being controlled. A suitable set of documentation, including a communications plan, needs to be maintained in order to support the success of the ISMS.

Clause 8 of ISO 27001 - Operation – Processes are mandatory to implement information security. These processes need to be planned, implemented, and controlled. Risk assessment and treatment – which need to be on top management`s minds, as we learned earlier – have to be put into action.

Learn more about risk assessment and treatment in this free Diagram of 6 steps in ISO 27001/ISO 27005 risk management.

Clause 9 of ISO 27001 - Performance evaluation – The requirements of the ISO 27001 standard expect monitoring, measurement, analysis, and evaluation of the Information Security Management System. In addition to checking key performance indicators of its work, the company needs to conduct internal audits. Finally, at defined intervals, the top management needs to review the organization`s ISMS and ISO 27001 KPIs.

Clause 10 of ISO 27001 - Improvement – Improvement follows the evaluation. Nonconformities need to be addressed by taking action and eliminating their causes. Moreover, a continual improvement process should be implemented. Even though the PDCA (Plan-Do-Check-Act) cycle is no longer explicitly mentioned in ISO 27001, it is still recommended, as it offers a solid structure and fulfills the requirements of ISO 27001.

Annex A (normative) Information security controls reference – This Annex provides a list of 93 safeguards (controls) that can be implemented to decrease risks and comply with security requirements from interested parties. The controls that are to be implemented must be marked as applicable in the Statement of Applicability.

For more about Annex A, read the articles Understanding the ISO 27001 controls from Annex A and How to structure the documents for ISO 27001 Annex A controls.

IMPLEMENTATION & CERTICIFATION

What is ISO 27001 compliance?

ISO 27001 compliance means sticking to all applicable requirements defined in the standard. Such requirements can be recognized by the word “shall” before a verb in a phrase, implying that the action required by the verb must be performed so the organization can be ISO 27001 compliant.

For example, in the requirement that states: “The scope shall be available as documented information,” the ISMS scope must exist as a written document.

ISO 27001 mandatory documents

As said, ISO 27001 requires you to write specific documents and records that are considered mandatory for ISO 27001 implementation and certification.

To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001.

What is “ISO 27001 certified”?

A company can go for ISO 27001 certification by inviting an accredited certification body to perform the certification audit and, if the audit is successful, to issue the ISO 27001 certificate to the company. This certificate will mean that the company is fully compliant with the ISO 27001 standard.

Please note that there is no “ISO security certification,” because the ISO does not provide certification services; it only publishes the standards.

An individual can go for ISO 27001 certification by going through ISO 27001 training and passing the exam. This certificate will mean that this person has acquired the appropriate skills during the course.

An overview of the versions of ISO 27001

As of the publication of this article, the current version of ISO 27001 is ISO/IEC 27001:2022, released in October 2022.

The first version of ISO 27001 was released in 2005 (ISO/IEC 27001:2005), and the second version in 2013. The current 2022 version is the third revision of the standard. Learn more about these changes in the infographic in this article: ISO 27001 2013 vs. 2022 revision – What has changed?

It is important to note that different countries that are members of ISO can translate the standard into their own languages, making minor additions (e.g., national forewords) that do not affect the content of the international version of the standard. These “versions” have additional letters to differentiate them from the international standard; e.g., NBR ISO/IEC 27001 designates the Brazilian version, while BS ISO/IEC 27001 designates the British version. These local versions of the standard also contain the year when they were adopted by the local standardization body, so the latest British version is BS EN ISO/IEC 27001:2017, meaning that ISO/IEC 27001:2013 was adopted by the British Standards Institution in 2017.

Is ISO 27001 mandatory?

In most countries, implementation of ISO 27001 is not mandatory. However, some countries have published regulations that require certain industries to implement ISO 27001. To determine whether ISO 27001 is mandatory or not for your company, you should look for expert legal advice in the country where you operate.

Public and private organizations can specify compliance with ISO 27001 as a legal requirement in their contracts and service agreements with their suppliers.

ISO 27001 and other standards

What are the ISO 27000 standards?

Because it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO 27000 family of standards. But, because it mainly defines what is needed, but does not specify how to do it, several other information security standards have been developed to provide additional guidance. Currently, there are more than 40 standards in the ISO 27k series.

ISO 27001 supporting standards

Here are some of the most commonly used other standards in the 27K series that support ISO 27001, providing guidance on specific topics.

ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.

ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001 Annex A. It can be quite useful, because it provides details on how to implement these controls.

ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well with ISO 27001, because it explains how to determine whether the ISMS has achieved its objectives.

ISO/IEC 27005 provides guidelines for information security risk management. It is a very good supplement to ISO 27001, because it gives details on how to perform risk assessment and risk treatment, probably the most difficult stage in the implementation.

ISO/IEC 27017 provides guidelines for information security in cloud environments. It is a code of practice based on ISO/IEC 27002 for cloud services.

ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments. It is a code of practice based on ISO/IEC 27002 for the protection of personally identifiable information (PII) in public clouds acting as PII processors.

ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for information and communication technologies (ICT). This standard is a great link between information security and business continuity practices.

To implement ISO 27001 easily and efficiently, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Dejan Kosutic
Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.