How can the ISO 27001 framework help your business with cyber security?


Summary

ISO 27001 is the leading international standard focused on information security.

The International Organisation for Standardisation (ISO) collaborated with the International Electrotechnical Commission (IEC) to publish this standard.

There is a wide range of standards in the ISO/IEC 27000 series, but ISO 27001 is the most notable, as it covers all aspects of security.

About the ISO and framework

ISO is an international non-governmental organisation that develops standards by taking contributions from national standard organisations from all over the globe.

The ISO 27001 framework outlines requirements for defining, implementing, operating, and improving Information Security Management Systems (ISMS) within the context of an organisation.

Why is it so important?

Adopting this standard gives companies the know-how needed to protect valuable information, and because the standard is internationally recognised, certification proves to customers, partners and stakeholders that the organisation safeguards the data it holds.

Implementation of ISO 27001 is not yet mandatory. However, some EU countries have published regulations that require certain industries to implement this standard in order to trade.

Three primary principles of ISO 27001

  1. Confidentiality: Only authorised persons have the right to access information
  2. Integrity: Only authorised persons can change the information
  3. Availability: The information must be accessible to authorised persons whenever it is needed

ISO 27001 framework

The foundation of this framework is a risk assessment: investigating what incidents could potentially affect individuals' or companies' information.

This assessment can then be used to define how the risk could be mitigated.

The philosophy of ISO 27001 can be summarised as a process for managing risk: identifying the risks, then working on preventative measures and implementing security controls. The controls can be broken down into four categories: technological, organisational, physical, and human-related.

The 2022 revision of ISO 27001 lists 93 controls across these four categories:

  • Organisational controls - These are rules that are defined throughout the entirety of the organisation covering expected user behaviour, equipment, software, and systems. This would include things like Access Control Policies, BYOD policies, etc.
  • People controls - These controls focus on knowledge, education, skills, and experiences for individuals to be able to perform their duties in the most secure way they can.
  • Physical controls - These cover equipment and devices that are actively used by staff or other objects including CCTV cameras, alarms, locks etc.
  • Technological controls - This set of controls refers to the software, hardware, and firmware components of the system.

Implementing an Information Security Management System brings four essential business benefits:

  • Compliance with legal requirements - As laws, regulations, and contractual requirements related to security increase and change, the standard gives a methodology to comply with them all, and can be used to create a company security policy compliant with EU GDPR.
  • Achieve competitive advantage - By getting this certification businesses have a competitive edge over other companies as customers may feel more confident trusting them to keep their information safe.
  • Lower costs - A primary goal of the ISO 27001 is to prevent security incidents which, in turn, saves money.
  • Better organisation - When companies are growing rapidly it becomes hard to define their processes and procedures. The ISMS helps resolve this by encouraging companies to document their processes, allowing employees to maintain critical organisational knowledge.

Standard requirements

The ISO 27001 standard is separated into two parts: the main part consists of ten clauses, and the second part contains guidelines for the control objectives and the controls themselves. The first three clauses act as an introduction to the wider standard.

Here are the main standard requirements for the other clauses:

  • Context of the organisation - The internal and external issues within the organisation need to be considered. These requirements then help define the Information Security Management Systems (ISMS) scope.
  • Leadership - Leadership involvement is essential for the management system, and its objectives need to be established according to the organisation's strategy. This clause also provides a top-level policy for information security. Roles and responsibilities need to be assigned for reporting on the performance of the ISMS.
  • Planning - This covers the planning of the ISMS environment and considers risks and opportunities as part of a risk assessment. The resulting objectives give the organisation security goals that everyone can align to.
  • Support - This clause covers providing resources and developing the competence of employees.
  • Operation - Processes need to be planned, implemented, and controlled. The plans put forth in the leadership clause now need to be put into action.
  • Performance evaluation - The ISMS should be monitored, measured, analysed, and evaluated throughout its lifetime. Internal audits are required to check performance against key performance indicators.
  • Improvement - Once the evaluation is completed, non-conformities need to be addressed within the plans.

This standard requires a set of documents to be written and managed, as well as various other activities and actions to be carried out.

How to get ISO 27001 certification

To obtain certification, a course needs to be completed and an exam needs to be passed to substantiate the skills required for implementing and auditing ISMS.


Other relevant ISO standards

The ISO 27000 series is a collection of standards that cover cyber and information security. Below is a brief summary of some of the supporting standards:

  • ISO 27002 - Guidelines for implementing controls; it informs the organisation how best to implement new controls
  • ISO 27004 - Provides guidelines for the measurement of information security
  • ISO 27005 - Provides guidelines for information security risk management
  • ISO 27017 - Provides guidelines for information security in cloud environments
  • ISO 27018 - Provides guidelines for the protection of privacy in cloud environments
  • ISO 27031 - Provides guidelines for what to consider when developing business continuity for ICT

Cyber Works provides a range of support opportunities to businesses within the North West, helping them to defend, innovate and grow their businesses. is a four month programme designed to help owner-managers, MDs and senior decision makers of SMEs to grow their businesses. This programme is fully funded and available to European Regional Development Fund eligible businesses. Contact us through cyberfoundry@lancaster.ac.uk or visit lancaster.ac.uk/cyberworks to find out more. Funded by UK Government, Lancaster University and Cyber Works.

Disclaimer

The opinions expressed by our bloggers and those providing comments are personal, and may not necessarily reflect the opinions of Lancaster University. Responsibility for the accuracy of any of the information contained within blog posts belongs to the blogger.