To give it its full title, ISO 27001 is actually “ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements” and is published jointly by the ISO (the International Standards Organisation) and the IEC (the International Electrotechnical Commission).
The ISO 27001 standard defines the requirements needed for an organisation to develop a robust and continually improving “information security management system”.
Way back in 1995, the British Standards Institute published its ground-breaking standard, BS 7799. This was the first information security standard. It was then published, in 2000, as ISO/IEC 17999 “Information Technology – Code of practice for information security management” before being re-published in 2005 as ISO 27001. Since then it has been revised in 2013 and 2017 to accommodate changing information security demands.
Obviously, all organisations these days are managed to a greater or lesser extent by their IT systems and will have a number of information security controls in place. In many cases, however, these controls have been developed in response to different issues at different times and, as a result, are often quite uncoordinated. Additionally, given the nature of the subject, it is often thought that information security is only about “IT”, but the standard also includes controls for non-IT information assets (for instance, paperwork and proprietary knowledge).
In fact, the weakest part of any information security system is usually human behaviour: people clicking on email links they shouldn’t, writing down passwords, or taking notes during confidential conversations. Whilst this can’t be totally prevented by embedded IT security features, with good, well-communicated policies and good training such incidents can largely be avoided.
The ISO 27001 standard requires that management:
In total, there are over 100 different controls in Annex A, categorised as follows:
However, it should be noted that not all controls will be relevant to every organisation.
The duration for obtaining ISO 27001 is likely to depend on a number of factors which might typically include:
However, most of the projects we have undertaken for owner-managed organisations, typically of between 30 and 50 people and operating from a single office, take about 6-9 months.
Obtaining ISO 27001 is about systematically and rigorously testing your information security processes against the 100+ controls detailed in the standard. We’d suggest there are two stages to this:
Given that the standard includes paper-based information, this would cover not just core activities focused on delivering value to the customer but also things like objectives, targets, business plans and strategies.
The first stage will be to understand the boundary of the system; essentially to define what is included in and excluded from the system, and where responsibility for information management begins and ends. This would cover hardware and software assets, people and processes, and the associated hazards and risks for each.
This would require a review of each of the controls in Annex A and due consideration of legal requirements, contractual obligations, business requirements and the results of the information security risk assessment.
This process is likely to result in a number of documents including:
Once the above have been compiled, along with any other necessary procedural documentation, you will need to:
You are then ready for external assessment by a UKAS approved certification body.
The chosen certification body will then undertake an audit in two stages:
Provided all of the requirements have been met and all of the activities are being undertaken as expected, the company is likely to be “recommended for registration”. Interestingly, assessors cannot give approval on the day, as their report needs to be endorsed by the accredited certification company’s technical committee.
Various people will need to be involved in the process. Exactly who will often depend on the information you need to secure and on the scale and complexity of your company, but you are likely to need input from:
The big external benefit of registration to ISO 27001 is that it will open up new commercial opportunities. ISO 27001 registration usually allows direct access to larger and more lucrative tenders and contracts offered by central and local government departments and blue-chip companies.
However, the world of work is rarely static, and that is particularly the case with the world of information security. This means that the underlying core of the information security management standard should be focused on helping the organisation improve over time. This will mean:
These are the internal activities that you would need to execute. In addition, the accredited certification body would usually audit the system annually, or more frequently for larger, more complex organisations, to ensure the system remains effectively implemented.
Your focus should be on deploying information security assets so that you are better placed to meet your goals; our focus should be on assisting you with the management of the information security management system. As one client said, “you guys keep us honest, you do”.
The type of services and support we can provide includes: