ISO/IEC 27001 is the leading international standard focused on information security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), two bodies that develop international standards.
ISO 27001 is part of a family of standards developed to address information security: the ISO/IEC 27000 series.
ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.
The basic goal of ISO 27001 is to protect three aspects of information: confidentiality, integrity, and availability.
An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
There are four essential business benefits that a company can achieve with the implementation of this information security standard:
Comply with legal requirements – there is an ever-increasing number of laws, regulations, and contractual requirements related to information security, and most of them can be addressed by implementing ISO 27001, because the standard provides a methodology for identifying such requirements and treating them systematically.
Achieve competitive advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening, and every incident, large or small, costs money. By preventing them, your company saves money, and in most cases the investment in ISO 27001 is smaller than the cost of the incidents it prevents.
Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce lost time by their employees.
The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment).
Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: find out where the risks are, and then systematically treat them, through the implementation of security controls (or safeguards).
ISO 27001 requires a company to list all Annex A controls in a document called the Statement of Applicability, stating for each control whether it is applicable (with a justification for any exclusion) and whether it has been implemented.
The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means that all those requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared applicable in the Statement of Applicability; the standard also requires the organization to compare its chosen controls with Annex A to verify that no necessary control has been omitted.
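The risk-based logic described above (assess each risk, treat those above the acceptance level with controls, then record the applicability of every Annex A control in the Statement of Applicability) is easier to see as a small worked example. The following Python is an added illustration, not code from the article or from ISO; the 1..5 scoring scales, the acceptance threshold of 8, the sample assets, and the mapping of risks to controls are constructed assumptions. The control identifiers and titles are the real ISO/IEC 27001:2013 Annex A ones.

```python
"""Minimal risk register -> risk treatment -> Statement of Applicability.

Added, illustrative example (not ISO's or the article's code). Scoring
scales, acceptance level, assets and risk-to-control mapping are
constructed assumptions; control IDs/titles are ISO/IEC 27001:2013 Annex A.
"""
from dataclasses import dataclass

# Assumption: 1..5 ordinal scales; risk level = likelihood * impact (max 25).
ACCEPTANCE_LEVEL = 8  # assumption: risks scoring <= 8 may be accepted as-is


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: tuple  # Annex A control IDs selected to mitigate this risk

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


# Subset of Annex A (ISO/IEC 27001:2013 numbering and titles).
ANNEX_A = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
    "A.17.1.2": "Implementing information security continuity",
}

# Constructed sample register (hypothetical assets and threats).
REGISTER = [
    Risk("R1", "customer DB", "ransomware encrypts data", 4, 5, ("A.12.3.1", "A.12.6.1")),
    Risk("R2", "admin accounts", "credential theft of privileged user", 3, 5, ("A.9.2.3",)),
    Risk("R3", "office Wi-Fi", "guest reaches internal LAN", 3, 3, ("A.13.1.1",)),
    Risk("R4", "intranet wiki", "stale page misleads staff", 2, 2, ()),
    Risk("R5", "laptops", "device lost with unencrypted disk", 3, 4, ()),
]


def treatment(risk: Risk, acceptance_level: int = ACCEPTANCE_LEVEL) -> str:
    """Clause 6.1.3-style decision: accept, mitigate, or flag as untreated."""
    if risk.level <= acceptance_level:
        return "accept"
    if not risk.controls:
        return "UNTREATED"  # above acceptance level with no control selected: a finding
    return "mitigate"


def untreated(register, acceptance_level: int = ACCEPTANCE_LEVEL) -> list:
    """Risks the treatment plan must still address before the SoA is complete."""
    return [r.rid for r in register if treatment(r, acceptance_level) == "UNTREATED"]


def statement_of_applicability(register, annex_a, acceptance_level: int = ACCEPTANCE_LEVEL) -> dict:
    """Return {control_id: (applicable, justification)} covering every Annex A control."""
    driven_by = {cid: [] for cid in annex_a}
    for r in register:
        if treatment(r, acceptance_level) == "mitigate":
            for cid in r.controls:
                driven_by[cid].append(r.rid)
    soa = {}
    for cid, title in annex_a.items():
        if driven_by[cid]:
            soa[cid] = (True, f"{title}: mitigates {', '.join(driven_by[cid])}")
        else:
            # Not selected by risk treatment: the SoA must still list the control
            # and justify its exclusion (or include it for legal/contractual reasons).
            soa[cid] = (False, f"{title}: no risk above acceptance level requires it; justify exclusion")
    return soa


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.rid} {r.asset:14} level={r.level:2} -> {treatment(r)}")
    print("untreated risks:", untreated(REGISTER))
    for cid, (applicable, why) in statement_of_applicability(REGISTER, ANNEX_A).items():
        print(f"{cid:9} applicable={applicable!s:5} {why}")
```

Two things the script makes visible that the prose does not: a risk above the acceptance level with no selected control (R5 here) is a gap in the risk treatment plan and is flagged before the SoA is produced, and a control that no risk drives (A.10.1.1, A.17.1.2) still appears in the SoA, marked not applicable, with the justification left to be written. In a real ISMS the acceptance level, the scales, and the mapping are decisions recorded in the risk assessment methodology, not constants in a script.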
The requirements from sections 4 through 10 can be summarized as follows:
Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.
Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
A.5. Information security policies: The controls in this section describe how to handle information security policies.
A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information assets (information, processing devices, storage media, and the like) are identified, that responsibilities for their security are assigned, and that people know how to handle them according to predefined classification levels.
A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, the management of technical vulnerabilities, and precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading existing ones, and that security is built into in-house development, including the protection of test data.
A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.
A closer look at these domains shows us that managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection, managing human resources, physical protection, etc.
The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.
ISO 27001 Annex A lists 114 controls organized in the 14 sections numbered A.5 through A.18 listed above.
Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system, for example backups and antivirus software.
Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems, for example an Access Control Policy or a BYOD Policy.
Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with, for example an NDA (non-disclosure agreement) or an SLA (service level agreement).
Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects, for example CCTV cameras, alarm systems, and locks.
Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way, for example security awareness training or ISO 27001 internal auditor training.
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.
ISO 27001 requires the following documents to be written:
And these are the mandatory records:
Of course, a company may decide to write additional security documents if it finds it necessary.
To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
The costs of the implementation and certification of the ISMS will depend on the size and complexity of the ISMS scope, which varies from organization to organization. The cost will also depend on the local prices of the various services you will be using for the implementation.
Broadly speaking, these are some of the costs you should consider:
To see a more detailed explanation of the certification costs, download the free white paper How to Budget an ISO 27001 Implementation Project.
A company can go for ISO 27001 certification by inviting an accredited certification body to perform the certification audit and, if the audit is successful, to issue the ISO 27001 certificate to the company. The certificate means that the company's ISMS, within the scope stated on the certificate, was found to conform to ISO 27001 at the time of the audit; systems or sites outside that scope are not covered.
An individual can go for ISO 27001 certification by going through ISO 27001 training and passing the exam. This certificate will mean that this person has acquired the appropriate skills during the course.
Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of three years, during which the certification body performs surveillance audits (typically once a year) to evaluate whether the organization is maintaining the ISMS properly and whether required improvements are being implemented in due time; a recertification audit is needed before the certificate expires.
The ISO.org website provides a general overview of certified organizations, categorized by industry, country, number of sites, etc. You can find the ISO Survey at this link: https://www.iso.org/the-iso-survey.html.
To check whether a particular company is ISO 27001-certified, ask the company for its certificate and verify it with the issuing certification body, because there is no official centralized database of certified companies. Check the scope statement and the expiry date on the certificate, since certification covers only the scope stated there.
An individual can get ISO 27001-certified by attending one or more of the following trainings and by passing the exam:
Because it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO 27000 family of standards. But, because it mainly defines what is needed, but does not specify how to do it, several other information security standards have been developed to provide additional guidance. Currently, there are more than 40 standards in the ISO27k series, and the most commonly used ones are as follows:
ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.
ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001 Annex A. It can be quite useful, because it provides details on how to implement these controls.
ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well with ISO 27001, because it explains how to determine whether the ISMS has achieved its objectives.
ISO/IEC 27005 provides guidelines for information security risk management. It is a very good supplement to ISO 27001, because it gives details on how to perform risk assessment and risk treatment, probably the most difficult stage in the implementation.
ISO/IEC 27017 provides guidelines for information security in cloud environments.
ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments.
ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for Information and Communication Technologies (ICT). This standard is a great link between information security and business continuity practices.
As of the publication date of this article, the current version of ISO 27001 is ISO/IEC 27001:2013.
The first version of ISO 27001 was released in 2005 (ISO/IEC 27001:2005), the second version in 2013, and the standard was last reviewed in 2019, when the 2013 version was confirmed (i.e., no changes were needed). Note that ISO/IEC 27001:2022 has since been published; it keeps the clause 4 to 10 structure but restructures Annex A into 93 controls grouped in four themes, so the 14 domains and 114 controls described in this article are those of the 2013 edition.
It is important to note that different countries that are members of ISO can translate the standard into their own languages, making minor additions (e.g., national forewords) that do not affect the content of the international version of the standard. These "versions" have additional letters to differentiate them from the international standard, e.g., NBR ISO/IEC 27001 designates the "Brazilian version," while BS ISO/IEC 27001 designates the "British version." These local versions of the standard also contain the year when they were adopted by the local standardization body, so the latest British version is BS EN ISO/IEC 27001:2017, meaning that ISO/IEC 27001:2013 was adopted as a European standard (the "EN" prefix) and then by the British Standards Institution in 2017.
ISO 27001 defines the requirements for an Information Security Management System (ISMS), while ISO 27002 provides guidance on the implementation of controls from ISO 27001 Annex A.
In other words, for each control, ISO 27001 provides only a brief description, while ISO 27002 provides detailed guidance.
While ISO 27001 is an international standard, NIST (the National Institute of Standards and Technology) is a U.S. government agency that promotes and maintains measurement standards in the United States – among its publications is the SP 800 series, a set of documents that specifies best practices for information security.
Although they are not the same, the NIST SP 800 series and ISO 27001 can be used together for implementation of information security.
In most countries, implementation of ISO 27001 is not mandatory. However, some countries have published regulations that require certain industries to implement ISO 27001.
To determine whether ISO 27001 is mandatory or not for your company, you should look for expert legal advice in the country where you operate.
Public and private organizations can define compliance with ISO 27001 as a legal requirement in their contracts and service agreements with their providers. Further, as mentioned above, countries can define laws or regulations turning the adoption of ISO 27001 into a legal requirement to be fulfilled by the organizations operating in their territory.