Complete Guide To The ISO 27001 Standard
***Updated April 27, 2021***
When your company displays an ISO 27001 certificate, your customers will know you have policies in place to protect their information from today's big threats.
The 27000 series of standards covers a variety of information security topics. You can optimize your time and energy by focusing on just ISO 27001, arguably the best-known standard in the series, designed to protect your network through an information security management system (ISMS).
ISO 27001 is recognized internationally and is appropriate for any company. You'll see ISO certifications for non-profits, major corporations, boutique security firms, small e-tailers and even state and federal organizations. The standard comes from the ISO and IEC, two organizations that have made a name in standardization as well as information security.
Cybercrime has grown in recent years, costing the global economy an estimated $1 trillion in 2020.
You take threats seriously, and ISO 27001 is the smart way to let others know. Learn how to store data securely, examine new risks and create a culture that minimizes risk by seeking ISO 27001 certification. Discover what you need to know with the below guide to ISO 27001.
What Is ISO 27001?
The ISO 27001 standard has become the most popular information security standard in the world, with hundreds of thousands of companies acquiring certification. The standard is routinely updated to ensure it teaches companies how to protect themselves and mitigate today's threats.
ISO 27001 helps you plan for threats such as:
- Data vandalism
- Errors related to integration with unprotected partnerships or warehouses
- Internal data theft
- Loss of data due to misuse or malfeasance
- Misuse of information
- Network breaches through third-party connections
- Personal data breaches
- State-sanctioned cyber attacks
- Terrorist attacks
- Viral attacks
Think of the security protocol as a mindset. ISO 27001 doesn't give you a step-by-step guide to protecting assets. Instead, it provides you with a framework to apply to any threats or risks you face. As such, it can be tough to implement at first. With proper training, certification to this standard will keep your organization safe for a long time.
Why Isn't There A List To Follow?
ISO standards offer frameworks instead of prescriptions because no single list works for every company — or even every division. Your organization likely has some departments that generate new customer information every day, while others add employee information only once a month. Extending protection to both of these on the same schedule would either leave customer information vulnerable for extended periods or cause your HR department to continuously perform work it didn't need.
You don't get a list — you get a mindset. You'll be taught how to approach risk management around the availability of data on your network and how to implement security for it. You'll learn how to perceive threats, identify existing risks and systematically address them.
You can follow the process for the rest of your career, and you'll learn how to expand it beyond departments. For comparison, a solid list of rules would likely focus on your IT department and on protecting data as it enters your systems. A framework like ISO 27001 expands protection to new areas, such as the legal risks of sharing information so you avoid improper sharing through policy instead of a firewall.
So What Do You Do With ISO 27001?
What you need to do with the security standard is become certified. Certification simply means that an independent organization will look over your processes to verify that you've properly implemented the ISO 27001 standard. Once you're found to be compliant, you'll get a certification you can display on your website, marketing materials and elsewhere.
To give you a thorough understanding of the ISO 27001 standard, let's review some basics about its creation, special requirements for the standard and the fundamentals of the standard itself. To start, read the background that you can benefit from right away.
Why You Need ISO 27001 Certification
Securing ISO 27001 certification will show your employees and your customers that you can be trusted with their information. In some industries, companies will not select IT partners who do not have ISO 27001 certifications, and it is often a requirement of federal or governmental data-related contracts.
The chief benefit of ISO 27001 is that it gives you a reputation for being a safe and secure partner. You won't be seen as a potential threat to business from either internal or external problems. Many companies have found that ISO 27001 certification has led to an increase in profits and an influx of new business. Some even report that ISO 27001 can reduce their operational expenses by introducing review processes into their business management.
Some of the benefits your organization can expect when you introduce cybersecurity protections visible to your team and your clients include:
- Ability to differentiate your service from competitors.
- Recognized framework for addressing legal requirements to avoid penalties or fees.
- Established company culture that is threat-aware.
- Fewer intrusions and threats, including those originating with employees.
- Optimized IT asset usage to protect against threats.
- Safety policies to ensure growth is sustainable and secure.
- Proactive approach to managing your IT assets and your reputation.
- Improved opportunities across multiple business sectors.
Cyber threats are on the minds of everyone. By showing the world you're prepared for threats, you can boost your business and prevent cyberattacks.
About ISO/IEC 27701:2019 And How It Relates To ISO 27001
ISO 27701 is an extension to ISO 27001 focused on data privacy. Released in 2019, it's designed to support compliance with General Data Protection Regulation (GDPR). ISO 27001 itself does not cover GDPR, so the more recent ISO 27701 acts as a natural extension of the complete ISO 27001 standard. The extension fills in the gaps to allow organizations to comply with GDPR and other global data privacy standards.
You must have an active ISO 27001 certification already or conduct a joint ISO 27001 and ISO 27701 implementation audit to become certified to ISO 27701.
The ISO 27701 standard lays out guidance for creating, implementing, maintaining and improving a Privacy Information Management System (PIMS). The standard outlines requirements for personally identifiable information (PII) controllers and PII processors to ensure they manage data privacy responsibly and accountably.
About The ISO And IEC
The ISO 27001 certification comes from the ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission).
Both organizations came together to create a special system that builds worldwide standardization. The ISO and IEC have members from all over the globe who participate in standards development. ISO/IEC standards have become the preferred credentials for manufacturers, IT companies and customers across the globe.
Currently, ISO has published more than 19,500 standards covering technology and manufacturing.
Understanding Information Security Management Systems
Information security management systems (ISMS) are a fundamental part of ISO 27001 because you'll use the standard to establish and maintain this system. A good ISMS involves a systematic response to new risks, allowing it to grow and change alongside your business.
Every information asset must be covered by your ISMS, and you'll need to run checks whenever a new device or data set is added. The ISO/IEC standards recommend you follow a Plan-Do-Check-Act methodology to maintain your ISMS, and ISO 27001 gives you the framework to follow it:
- Plan: Design an ISMS workflow to assess threats and determine controls.
- Do: Implement the plan.
- Check: Review the implementation and evaluate its effectiveness.
- Act: Make any needed changes to improve the effectiveness of your program.
One essential quality of the ISMS is that it's a flexible method. ISO 27001 certification will give you the starting point that can keep your company safe. However, you can add to that as you wish. Some practitioners also layer a Six Sigma DMAIC approach on top of it to meet other requirements they may have.
Obtaining ISO 27001 empowers you to create and implement the best ISMS for your company. Adapt, adopt and grow at the scale that's perfect for you.
Get Your Management's Approval
One of the key differences of the ISO 27001 standard compared to most other security standards is that it requires management's involvement and full support for a successful implementation.
Adopting an ISMS is more than an IT decision — it's a business strategy decision. The process must cover every department and must work within all of your departments. An ISMS must be deployed across your entire organization, and that means you'll have to address threats and risks that could start with any department.
About The ISO 27001:2017 Update
In 2017, ISO and IEC released a minor revision of the 27001:2013 standard. The 2017 update introduces no new requirements. The official title of the 2017 version is now BS EN ISO/IEC 27001:2017; the inclusion of the initials "EN" indicates the standard is an official European Union standard. The 2017 standard also includes two Corrigenda, which were both released after the 2013 standard and before the 2017 standard. These changes affect:
- Clause 6.1.3: This change introduces no new rules and simply clarifies the 2013 guidelines. Essentially, this wording change indicates that a Statement of Applicability must include four elements. It should list the necessary controls the organization should implement, justify those controls, confirm whether they are implemented yet and justify excluding any controls.
- Annex A Clause 8.1: This clause addresses inventory of assets, and the updated wording clarifies that information is considered an asset and must be inventoried accordingly.
ISO 27001 Standard: 6 Stages For Planning
ISO 27001 was created to provide you with a platform-neutral, technology-neutral approach to security risks. You'll learn to address concerns individually as well as part of larger risk management policies and have a guide to creating your safety procedures.
The simplest way to view the entire process is by looking at its core values — a six-part planning assessment and procedure. Approach it from a top-down perspective and you'll find success when you:
1. Define a security policy for your technology/platform/device/company.
2. Create a scope for your ISMS.
3. Perform risk assessments based on your results from 1 and 2.
4. Identify risks and create a management plan.
5. Determine appropriate metrics and controls used to track progress when the plan is implemented.
6. Craft a statement of applicability to guide policy changes.
These six pillars are broad steps you'll see throughout each of the main elements of the standard. ISO 27001 will help you maintain this high-level approach throughout documentation and audits, determining responsibility for implementation and controls, ongoing maintenance and upgrades, and risk-based activities to prevent breaches or react when they occur.
While you may be the individual seeking the certification, ISO 27001 guidelines perform best when your entire company is on board.
10 Sections For Success: ISO 27001 Control Checklist
The latest standard update — ISO/IEC 27001:2017 — provides you with 10 sections that will walk you through the entire process of developing your ISMS. Each of these plays a role in the planning stages and facilitates implementation and revision.
By continually walking through the control checklist, you'll have a succinct ISMS that secures your network. With each new integration, data set, client portal and BYOD policy, run through the list again to stay safe and protected.
These 10 sections form the backbone of the ISO 27001 standard and certification.
Please note that the documentation you get when reviewing the specification will also include an introduction and a reference annex.
The introduction and annex aren't included in our list because ISO documentation notes that you can deviate from the annex, so you won't necessarily need to review those steps during your ISMS's further development and update planning. The annex itself is listed as "normative," so you are expected to use it during the initial creation of your ISMS.
The sections of the new ISO 27001 standard are:
Scope
The standard lays out the requirements and provides a management context for you to create, implement, maintain and improve your ISMS. You'll learn the requirements for making assessments of your security risks and how to manage them relative to your organizational structure.
Normative References
This section will discuss the other information and background you'll need. While there is a family of standards in the 27000s, the only one specifically required is the ISO/IEC 27000. Other standards in this family are optional and may support your ISMS development. For certification purposes, you don't need to study or read anything beyond the ISO 27000 and ISO 27001 standards.
Terms And Definitions
Here you'll learn the terms in a brief glossary. This glossary has a planned obsolescence of sorts and will be replaced by information provided in the ISO 27000 standard. You can get a free online copy of the ISO 27000 overview and vocabulary from the ISO.
Context Of The Organization
This section teaches you how to take your organizational structure and needs into account when developing your ISMS. You'll get help building the scope of the ISMS by looking at different departments' interaction with your IT systems and defining all of the parties who use, provide, adjust or observe your data.
The goal is to "establish, implement, maintain and continually improve" your company's ISMS.
Leadership
The ISO 27001 standard specifically calls for top management to be involved. This section shows you how to properly involve leadership throughout your company and what approvals you'll need for implementing the ISMS. Go over this carefully and work with management so you can clearly demonstrate their commitment to the ISMS and assign responsibilities for each individual section and process.
Involving management through a clearly stated plan is a big part of getting your ISO 27001 certification.
Planning
The planning stage will feel familiar to any developers, analysts, data specialists and business managers. You'll get assistance with the creation of a workflow for identifying, reviewing and dealing with IT security risks. It will give you the structure to review threats related to your company and the objectives you've provided for your ISMS.
Support
Because you're dealing with a policy and not a prescribed plan, support will vary and requires a broad understanding of your assets and capabilities. The support section will help you define and secure adequate resources to manage an ISMS from implementation through reviews. Pay close attention to its discussion of how to promote awareness of ISMS policies within your organization, because certification to ISO 27001 will require you to have a broad policy that can be applied across divisions.
Operation
Threat assessment is a continually evolving practice. The operational segment will help you review threat assessment and determine what types of information you should collect from your network. Get assistance noting and evaluating threats, manage your ISMS and allow for changes, and build a policy for documenting successes, failures and weaknesses.
Audits are essential to any IT security paradigm, and the ISO 27001 standard prepares you for a variety of threat assessments.
Performance Evaluation
Put your new knowledge into action with guidance on how to monitor your network, measure and analyze your processes, audit changes and view every IT security control relative to your KPIs. Bring your ISMS through all departments to check for proper implementation and for threats. You'll also build the capability to improve your system. Essentially, you'll be putting the entire Operation segment into practice with the ability to properly review and address changes.
The core of the ISO 27001 standard is to get better at threat analysis and management.
Improvement
The improvement section will help you review your auditing process and the audits themselves. When you identify problems and concerns through auditing, you can then determine which are true threats and need a corrective action. Beyond known threats, the improvement process helps you create a maintenance schedule for continual improvements to your platform. You will learn standard maintenance strategies and develop procedures to add audits or reviews when new data is added.
ISO 27001 Certification Process
The certification process for the ISO 27001 standard can be completed in as little as a month and has only three main steps for you to follow — application, assessment and certification.
Application
Here you'll simply work with a partner to register for the certification process. At NQA, we handle the application process through our quote request form, which gives us, as your certification partner, information about your organization so we can form an accurate estimate of your business and know what to check for in an audit.
Assessment
We'll review your business, the processes and the implementations that are noted on the Initial Certification Audit form. Your company will need to demonstrate that your ISMS has been implemented and fully operational for at least three months. We'll also need to see a full cycle of internal audits. The assessment has two stages:
Stage 1 — Verify that you're ready for an audit and assessment.
During this stage, we will:
- Confirm that your ISMS meets standards and best practices.
- Determine ISMS implementation status.
- Review scope of certification.
- Check that you meet legal and legislative compliance for your area.
- Develop a report that notes your non-compliance areas and areas for improvement.
- Create a plan that covers any corrective action.
- Produce an assessment used to begin stage two assessments and testing.
Stage 2 — Execute an audit to review your ISMS and certify it is functioning properly.
In stage 2, we:
- Perform sample audits to review activities and elements needed for certification.
- Document your ISMS's capability to compile information and review threats.
- Look for non-compliance and areas of improvement.
- Create a new surveillance report that reviews your system and puts forth a date for your first annual surveillance visit.
Certification
ISO 27001 documentation will be issued by your certification partner, and you will set up a program of annual surveillance audits plus a three-year audit program to receive the certification.
By working with a smart partner, you can also get pre-certification training and reviews to ensure you're ready when the certification process begins. Feel free to ask us about options to help you prepare for ISO 27001 certification and for help maintaining requirements after the initial certification is awarded.
We also recommend a gap analysis before you start the certification process. This analysis allows you to determine any likely workload and timing for implementing an ISMS or improving your existing ISMS that will allow you to achieve ISO 27001 certification. Gap analysis is a very good value if you plan on bringing in outside professionals for ISMS development because you'll be able to provide them with an understanding of the scope you need.
Part of the whole certification process is producing reports and policies that should guide your ISMS development and your internal audits. These can be a great place to begin because you'll need to perform initial audits to generate some of these reports. The ISO 27001 standard itself will provide you with information you need to understand and develop required documents.
Mandatory Certification Requirements: Document List
To get started with your journey to the ISO 27001 certification, you should pick up a copy of the ISO documentation from the standards body. Don't trust documents you find from an outside source unless they're also an officially accredited provider of certifications.
The latest version of the ISO 27001 standard provides a list of required documents to ensure you adhere to the standard and can meet your certification. Some of the documents are also listed as optional, but we recommend that you create these optional documents because they directly target new trends in the workforce, new technologies and important business analysis.
The numbers listed beside each document are references to explanations, requirements and more in the ISO standards documentation. For any document listed with an Annex location, you'll need to review your processes closely. These documents are required if they apply to your business. As you're getting certified, the third-party certification body will determine whether you need any of those documents, so review these closely and consider developing them just in case.
Documentation For ISO 27001 Adherence and Certification
| Document | Clause / Annex A reference |
|---|---|
| Scope of the ISMS | 4.3 |
| Information security policy and objectives (may be split into two documents) | 5.2, 6.2 |
| Risk assessment and risk treatment methodology | |
| Statement of Applicability | 6.1.3 d |
| Risk treatment plan | 6.1e, 6.2 |
| Risk assessment report | |
| Definition of security roles and responsibilities | 7.1, 13.2.4 |
| Inventory of assets | |
| Acceptable use of assets | 8.1.3 |
| Access control policy | 9.1.1 |
| Operating procedures for IT management | 12.1.1 |
| Secure system engineering principles | 14.2.5 |
| Supplier security policy | 15.1.1 |
| Incident management procedure | 16.1.5 |
| Business continuity procedures | 17.1.2 |
| Company requirements: statutory, regulatory, and contractual | 18.1.1 |
Records you must keep and maintain
| Record | Clause / Annex A reference |
|---|---|
| Employee experience, qualifications, skills and certifications | 7.2 |
| Monitoring and measurement results (baselines and new) | |
| Internal audit procedures | 9.2 |
| Internal audit results and recommendations | |
| Management review results and recommendations | 9.3 |
| Corrective action results and recommendations | 10.1 |
| Logs by user: activities, exceptions, security events and flags | 12.4, 12.4.3 |
Optional but recommended documents
| Document | Clause / Annex A reference |
|---|---|
| Document control procedures | 7.5 |
| Record management procedures | 7.5 |
| Internal audit guidance and review procedures | 9.2 |
| Corrective actions guidance | 10.1 |
| Bring your own device (BYOD) policy | 6.2.1 |
| Mobile and teleworking policy | 6.2.1 |
| Information classification directive | 8.2.1, 8.2.2, 8.2.3 |
| Password policies for ISMS and users | 9.2.1, 9.2.2, 9.2.4, 9.3.1, 9.4.3 |
| Data and e-waste disposal and destruction policy | |
| Secure area processing and access requirements | 11.1.5 |
| Clear desk and clear screen policy | |
| Change management policy | |
| Data storage and backup policy | 12.3.1 |
| Digital data transfer policies | 13.2.1, 13.2.2, 13.2.3 |
| Business impact and development analysis procedures | |
| Maintenance and review plan | |
| Business continuity strategy | |
Where Should You Get Certified?
You need to turn to a trusted partner when it comes to your ISO 27001 certification. Look for a certification partner who has a strong reputation for proper audits, valid accreditations and the ability to help companies meet their goals.
We work with all of our customers to ensure that they have the right processes in place to achieve certification. When any ISMS is found lacking, we're here to work with you to create and implement strategies to address gaps we detect. You can have experts review your process and proper implementation so you don't have to worry about creating the right platform and company mindset to achieve your goals.
Reduce the risk your company faces and improve your company's reputation by working with NQA for all of your ISO 27001 preparations and certifications.
Contact us today for a free quote using our Quick Quote form.
Appendix 1: Meeting Threats Through ISO 27001
NQA recommends that you undertake ISO 27001 training and certification because it can help you make the case to your business partners that you're ready for the modern digital world. To help you make that case to your management — or to vendors you like and wish would adopt the ISO 27001 standard — we've prepared a brief explanation of how ISO 27001 can help you address some of the top problems digital industries face:
- Risk Management Assurance: Customers demand strong risk management. The only way to prove you have correct policies in place is to show certification and outside verification. ISO 27001 proves you take cyber threats seriously and have prepared to address them. Certification is a clear sign that you have the policies in place and you continually update and improve to keep your data safe.
- Data Breaches: A single breach can bring down a small or mid-sized vendor. Large companies can only survive a handful, if they're lucky. ISO 27001 audits offer great protection because they limit your vulnerability. Audits highlight potential breaches and can put other risks into focus by using the security risk framework you learn. ISO 27001 will help you prevent breaches, guarding you against customer litigation and even potential regulatory action.
- Legal Compliance: We've focused our work on data security all around the world. ISO 27001 certification can satisfy many different laws, and some like the U.K. Data Protection Act have proven track records of ISO 27001 acceptance. Implementing the standard will help you stay compliant. Using NQA as your partner will ensure you have the most relevant legal checks when you undergo any audit or review.
- Lapses in Attention: At the core of the ISO 27001 standard is a security mindset. The audit process and ISMS development provide a company-wide focus on security and can make every department accountable. By spelling out who is in charge of which function and who must ensure each team member adheres to policies, you have begun to implement a strong cybersecurity protection plan.
- Information Management and Access: Control over your data is vital for your business, not just for the ISO 27001 certification process. By implementing a new focus through these audits and reviews, you can determine areas that may create bottlenecks and gaps in the access, management and protection of your data. Strong audits from partners such as NQA also help you determine gaps and issues in areas where your customers access your data. That can improve customer relationships and protect you against excess liability.
These are just some of the top conversations you can have with your customers and your management to show how beneficial ISO 27001 certification is. Contact NQA today for help making the case and answers to how this certification can apply specifically to your business.
Appendix 2: Glossary
- ISO: International Organization for Standardization — one of the two bodies responsible for creating the certification and managing its credential authentication.
- ISMS: Information Security Management System — set of company policies that create a process for addressing information security, data protection and more to prevent data loss, harm, theft and errors within a company and its culture, not just its IT systems.
- IEC: International Electrotechnical Commission — one of the two bodies responsible for creating the certification and managing its credential authentication.
- KPI: Key Performance Indicator — a business metric used to evaluate elements that are key to the success of a program or an organization as a whole.
- Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
- Availability: Property of being accessible and usable upon demand by an authorized entity.
- Competence: Ability to apply knowledge and skills to achieve intended results.
- Confidentiality: Property that information is not made available or disclosed to unauthorized individuals, entities or processes. See 27000 2.61 for help applying this to certifications.
- Continual Improvement: Recurring activity to enhance performance. Will require a specific definition in relationship to your individual requirements and processes when asked for in audit documentation.
- Control: Measure that is modifying risk. See 27001 2.68 for application assistance.
- Correction: Action to eliminate a detected nonconformity during your audit and review processes. When compared to "Corrective Action," view this as treating a symptom and the "Action" as curing a disease.
- Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence. This usage specifically notes action you'll take to remove root causes.
- Documented Information: Information that must be controlled and maintained by you and secured by the medium you use to collect it. This can be information in any format, from any source, and will require an audit history when documents request it.
- Effectiveness: An estimated and then proven measure of the extent to which planned activities are realized and planned results achieved.
- Executive Management: Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organization. See 2.29 and 2.57 for help determining your governing body and the scope of this management.
- Information Security: Preservation of confidentiality, integrity and availability of information. Secondary properties may include authenticity verification, accountability, reliability and other elements based on your ISMS.
- Indicator: A measure that provides an estimate or evaluation of specified attributes derived from an analytical model (with respect to defined information needs).
- Integrity: Property of accuracy and completeness in reviews, audits and more.
- Interested Party: Person or organization that can affect, be affected or perceive themselves to be affected by a decision or activity undertaken by an ISMS, agent, employee or other party you authorize.
- Level of Risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. Further explanation available in 2.14 (consequences), 2.45 (likelihood of risk) and 2.68 (risk magnitude).
- Management System: Set of interrelated or interacting elements of an organization to establish policies, objectives and processes to achieve those objectives. Management systems can address single or multiple disciplines and must include a variety of elements such as roles, responsibilities, planning, operations, organizational structure and more.
- Measurement: Process to determine a value. This may seem vague to some, but it is important because it notes that you're required to determine proper measurements for your ISMS implementation.
- Metrics: Elements of your business used to evaluate performance and effectiveness of your ISMS and information security controls. You'll see this in documentation from auditors but not in the specifications themselves.
- Monitoring: Determining the status of a system, process or activity. Monitoring is about status and then shifts focus when events occur.
- Nonconformity: Non-fulfilment of a requirement as defined by the ISMS.
- Objective: Strategic, tactical or operational result to be achieved. Objectives can differ greatly, and audits will need a strong structure to properly express objectives to evaluate them.
- Outsource (verb): Make an arrangement where an external organization performs part of an organization's function or process. ISMS must review and specify all outsourcing options. Controls and responsibilities must be extremely clear when outsourcing any element.
- Performance: Measurable result that can relate either to quantitative or qualitative findings.
- Policy: Intentions and direction of an organization as formally expressed by its top management.
- Process: Set of interrelated or interacting activities which transforms inputs into outputs.
- Reliability: Property of consistent intended behavior and results across audits, methodology and reviews.
- Requirement: Need or expectation that is stated, generally implied or obligatory. "Generally implied" is listed when the necessity of custom or practice is implied.
- Residual Risk: Risk that remains after a risk treatment. These can contain unidentified risks and may also be listed as "retained risks" in auditor information.
- Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
- Risk: The effect of uncertainty on objectives, including real and potential events. See 2.14 through 2.89 for a better understanding of risk, its positive and negative elements, and how it can relate to a variety of situations.
- Risk Owner: Person or entity with the accountability and authority to manage a risk and related responses.
- Risk Treatment: Process used to modify risk. Methods can include removing sources, changing likelihoods, adjusting consequences, retaining risks by choice, adding new actions and avoiding risks.
- Top Management: Person or group of people who directs and controls an organization at the highest level.