The basic logic of ISO 27001: How does information security work?

Updated: December 20, 2022., according to ISO 27001:2022 revision.

When speaking with someone new to ISO 27001, very often I encounter the same problem: this person thinks the standard will describe in detail everything they need to do – for example, how often they will need to perform backup, how distant their disaster recovery site should be, or even worse, which kind of technology they must use for network protection or how they have to configure the router.

Here’s the bad news: ISO 27001 does not prescribe these things; it works in a completely different way. Here’s why…

ISO 27001 gives you a framework for a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).

Why is ISO 27001 not prescriptive?

Let’s imagine that the standard prescribes that you need to perform a backup every 24 hours – is this the right measure for you? It might be, but believe me, many companies nowadays will find this insufficient – the rate of change of their data is so quick that they need to do backup if not in real time, then at least every hour. On the other hand, there are still some companies that would find the once-a-day backup too often – their rate of change is still very slow, so performing backup so often would be overkill.

The point is – if this standard is to fit any type of a company, then this prescriptive approach is not possible. So, it is simply impossible not only to define the backup frequency, but also which technology to use, how to configure each device, etc.

By the way, this perception that ISO 27001 will prescribe everything is the biggest generator of myths about ISO 27001 – see also 5 greatest myths about ISO 27001.

Risk management is the central idea of ISO 27001

So, you might wonder, “Why would I need a standard that doesn’t tell me anything concretely?”

Because ISO 27001 gives you a framework for you to decide on appropriate protection. The same way, e.g., you cannot copy a marketing campaign of another company to your own, this same principle is valid for information security – you need to tailor it to your specific needs.

And the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).

What is ISO 27001: The basic logic of information security managementFigure: Method of safeguard selection in ISO 27001

The whole idea here is that you should implement only those safeguards (controls) that are required because of the risks, not those that someone thinks are fancy; but, this logic also means that you should implement all the controls that are required because of the risks, and that you cannot exclude some simply because you don’t like them.

See also: ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide.

IT alone is not enough

If you work in the IT department, you are probably aware that most of the incidents are happening not because the computers broke down, but because the users from the business side of the organization are using the information systems in the wrong way.

And such wrongdoings cannot be prevented with technical safeguards only – what is also needed are clear policies and procedures, training and awareness, legal protection, discipline measures, etc. Real-life experience has proved that the more diverse safeguards are applied, the higher level of security is achieved.

And when you take into account that not all the sensitive information is in digital form (you probably still have papers with confidential information on them), the conclusion is that IT safeguards are not enough, and that the IT department, although very important in an information security project, cannot run this kind of project alone.

Again, this fact that IT security is only 50% of information security is recognized in ISO 27001 – this standard tells you how to run the information security implementation as a company-wide project where not only IT, but also the business side of the organization, must take part.

Getting the top management aboard

But, ISO 27001 doesn’t stop with the implementation of various safeguards – its authors understood perfectly well that people from the IT department, or from other lower- or mid-level positions in the organization, cannot achieve much if the executives at the top don’t do something about it.

For instance, you may propose a new policy for the protection of confidential documents, but if your top management does not enforce such policy with all employees (and if they themselves do not comply with it), such a policy will never gain a foothold in your company.

So, ISO 27001 gives you a systematic checklist of what the top management must do:

  • set their business expectations (objectives) for information security
  • publish a policy on how to control whether those expectations are met
  • designate main responsibilities for information security
  • provide enough money and human resources
  • regularly review whether all the expectations were really met

Not allowing your system to deteriorate

If you work in a company for a couple of years or more, then you probably know how the new initiatives/projects work – at the beginning they look nice and shiny and everyone (or at least most of the people) are trying to do their best to make everything work. However, in time, the interest and the zeal deteriorate, and with them, everything related to such a project also deteriorates.

For instance, you may have had a classification policy that worked fine initially, but in time the technology changed, the organization changed and people changed, and if no one has cared to update the policy, it will become obsolete. And, as you are well aware, no one will want to comply with an obsolete document, meaning that your security will grow worse.

To prevent this, ISO 27001 has described a couple of methods that prevent such deterioration from taking place; even more, those methods are used to improve the security over time, making it even better than it was at the time when the project was at its highest. These methods include monitoring and measurement, internal audits, corrective actions, etc.

Therefore, you shouldn’t be negative about ISO 27001 – it may seem vague at first reading, but it can prove to be an extremely useful framework for resolving many security problems in your company. What’s more, it can help you do your job more easily, and get more recognition from the top. (See also: 4 reasons why ISO 27001 is useful for techies.)

To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.