What is ISO 27001?
We explain what ISO 27001 is and how it relates to IT management systems
Among the family of ISO 27000 international family of standards for IT systems is ISO 27001, which a security standard for computer systems that offer the procedures for keeping an organisation’s assets safe.
The broader family of standards refer to information security management systems, although this particular standard handles bundling a company’s security processes into a single management platform. Organisations that meet the requirements can be certified under the ISO 27001 standard by an accredited organisation after completing an audit.
ISO 27001 offers a framework which aims to maintain a company’s risk management strategy and ensure this is free of any policy gaps or security holes. The standard will help businesses find any gaps that may arise, which if left unchecked would create a risk to the organisation’s data. Implementing the standard in full would, in practice, ensure processes are put into motion that prevents such data risk in future.
The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers.
Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.
When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.
Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The standard itself comprises a swathe of guidelines, certifications and systems required to help any business assess its internal procedures. Organisations may otherwise have to rely on separate services for handling the dynamic and multi-faceted risk to data, rather than the single unified approach which ISO 27001 offers.
Elements of a business may, for example, be identified as being high-risk, and may already have some procedures in place to ensure there are no missteps. Other areas within a business may, by contrast, pose less risk and may, therefore, have historically never been properly assessed or audited.
When ISO 27001 was first outlined in the 90s, it allowed for the wealth of separate processes to be brought under a single umbrella, with the standard designed to handle multiple components within a single management system. This allows managers to examine such assessments across an entire organisation as a whole.
Since its inception, ISO 27001 has been updated significantly, with a major overhaul in 2013. There were initially just five clauses, which served as the main objectives for the standard, with the update raising this to ten. They are as follows:
- Scope of the standard
- How the document is referenced
- Reuse of the terms and definitions in ISO/IEC 27000
- Organizational context and stakeholders
- Information security leadership and high-level support for policy
- Planning an information security management system; risk assessment; risk treatment
- Supporting an information security management system
- Making an information security management system operational
- Reviewing the system's performance
- Corrective action
History of ISO 27001
Guidance around IT security was first introduced in 1992 when the Department of Trade and Industry (DTI) published a code of practice or IT security management.
In 1995, the British Standards Institute republished it as BS7799. This was revised over the years and in 2000, it was fast-tracked as an ISO and became ISO 17799.
In 2002, this was updated and a second part introduced - BS7799-2, an Information Security Management Specification, rather than a code of practice. This update entered the ISO fast track in 2005 and became the ISO27001.
It was updated significantly in 2013, overhauling how ISO27001 works. One major change was addressing the trend of using databases to store information rather than only physical documents.
Key guidelines in ISO 27001
Although there are many requirements of ISO 27001, the primary concerns (and those that are audited in order for an organisation to become certified) are that management must continuously analyse the businesses security risks, design and implement a collection of security controls and how to manage risks and adopt an overall management process that ensures the business is never left open to risk and that security needs are continuously addressed. Specifically, ISO 27001 requires management to:
- Examine the organisation's security holes through risk assessments
- Design and implement a comprehensive suite of security controls
- Define the scope of the ISMS
- Adopt new processes to ensure new security controls meet the needs of the business
How to become certified for ISO 27001
Gaining certification in ISO 27001 is a great way to demonstrate your company's commitment to data security, and show that you take security management seriously. When faced with two organisations, clients will usually pick the one that's certified over the one that isn't.
ISO 27001 certification is undertaken by third-party certification bodies and the processes each will analyse varies greatly.
Before the audit begins, the company's management will decide upon the parts of a business that will be certified upon completion. This can be the entire organisation or just a department or division, depending on what the management deems suitable.
Anything not included in this initial scope will not be certified and therefore, if only part of the business is certified, there are no guarantees the rest of the organisation is sticking to the guidelines.
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.