To give it its full title, ISO 27001 is actually “ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements” and is published jointly by the ISO (the International Standards Organisation) and the IEC (the International Electrotechnical Commission).
The ISO 27001 standard defines the requirements needed for an organisation to develop a robust and continually improving “information security management system”.
Way back in 1995 the British Standards Institute published its ground-breaking standard: BS 7799. This was the first information security standard. It was then published, in 2000, as ISO/IEC 17999 “Information Technology – Code of practice for information security management” before being re-published in 2005 as ISO 27001. Since then it has been revised in 2013 and 2017 to accommodate changing information security demands.
Obviously, all organisations these days are managed to a greater or lesser extent by their IT systems and will have a number of information security controls in place. In many cases, however, these controls have been developed in response to different issues at different times and, as a result, are often quite uncoordinated. Additionally, given the nature of the subject, it is often thought that information security is only about “IT”, but the standard also includes controls for non-IT information assets (for instance, paperwork and proprietary knowledge).
In fact, the weakest part of any information security system is usually down to human behaviour: people clicking on email links they shouldn’t, writing down passwords, or taking notes during confidential conversations. Whilst these behaviours can’t be totally prevented by embedded IT security features, good, well-communicated policies and good training can largely avoid them.
The ISO 27001 standard requires that management:
In total, there are over 100 different controls in Annex A, categorised as follows:
However, it should be noted that not all controls will be relevant to every organisation.
Obtaining ISO 27001 is about systematically and rigorously testing your information security processes against the 100+ controls detailed in the standard. We’d suggest there are two stages to this:
This would usually include “other” requirements the company may also need to comply with: specific contractual requirements, specific membership compliance (e.g. Cyber Essentials Plus) or contractual IT performance KPIs linked to testing or security patch management.
Once the above have been compiled, along with any other necessary procedural documentation, you will need to:
You are then ready for external assessment by a UKAS-approved certification body.
Various people will need to be involved in the process, and exactly who will often depend on the information you need to secure and also on the scale and complexity of your company, but you are likely to need input from:
In order to understand the information security implications of the different departments
HR, purchasing, etc., in order to understand how supporting activities assist in delivering company objectives and targets