
Back to Basics - ISO 27001

Watch this recorded webinar delivered by Linda Porter, who takes ISO 27001 back to basics.

This video covers the basics of ISO 27001 and discusses areas to watch out for, so you can make sure your management system is achieving its intended goals in adherence with the standard.

It has been designed for organisations that already have a certified management system and want to ensure that it stays effective, and also for organisations that are looking into ISO 27001 or working towards it, to make their journey as smooth as possible.

Webinar Transcript: Back to Basics of ISO 27001

Welcome to today’s webinar, “Back to Basics of ISO 27001.” We’ll begin shortly, as we’re waiting for a few attendees to return from lunch. Please feel free to relax, grab a cup of tea or coffee, or take a quick break; we’ll start in a minute or two.
Once we begin, Linda will be leading the session. I’m Charles Beecroft, Training Manager at NQA. I’ll be monitoring the chat, so please send any questions throughout the webinar and I’ll do my best to answer them.

Thank you, Charles. Hello everyone, and thank you for joining today’s session on ISO 27001: Back to Basics. My name is Linda. My background is in accounting, corporate tech software, and compliance for a hosted solutions company, managing integrated management systems for ISO 9001, 27001, and 20000 for three years. I passed my CISM exam in Information Security Management Principles in 2018. In January 2023, I became a Chartered Quality Professional with the CQI (Chartered Quality Institute), and last year I passed the ISACA CISA exam for Certified Information Systems Auditor. I have been with NQA since last October as a regional assessor and am a lead auditor for ISO 27001 (information security), 9001 (quality), and 20000 (service management).
NQA is an accredited certification body under UKAS, ensuring audits meet rigorous standards. We are now part of Kiwa, with global reach and numerous accolades.
Any questions during the webinar can be put in the chat and will be answered at the end of the session.

Agenda and Objectives

Today’s objectives:
  • Understand the core principles of ISO 27001.
  • Break down the key components of an Information Security Management System (ISMS).
  • Explore why ISO 27001 is more important than ever.
  • Provide practical implementation tips.

Outcomes:

  • Explain the purpose and structure of ISO 27001.
  • Identify the mandatory clauses and key Annex A control categories.
  • Apply risk-based thinking to information security.
  • Recognise common challenges and how to avoid them.

What is ISO 27001?

ISO 27001 is the international standard for information security, providing a systematic approach to managing sensitive company data. It’s not just about strong passwords or firewalls; it’s about embedding security into every business process.
Compliance involves developing and implementing policies and procedures, risk management (identifying threats and vulnerabilities, assessing their impact, and mitigating them), and ongoing monitoring and improvement of the ISMS.
ISO 27001 helps organisations protect data, build trust with stakeholders, and remain resilient against cyber threats. It’s a commitment to security excellence, not just a certification.

Common Misconceptions

ISO 27001 isn’t just about IT or cybersecurity. It’s a comprehensive management framework that applies to any company, regardless of size or industry. Everyone, from the CEO to support staff, has a role in maintaining the ISMS.
Examples:
  • Leadership supports a culture of security.
  • HR ensures staff training and awareness.
  • Even cleaners can contribute by reporting unattended documents.
No system guarantees zero breaches, but ISO 27001 offers a structured, risk-based approach to consistently manage and reduce information security risks.

Benefits of ISO 27001

  • Protects valuable data (customer information, financial records, internal comms).
  • Prevents costly breaches—financially, legally, and reputationally.
  • Ensures compliance with regulations like GDPR.
  • Improves efficiency and builds customer confidence.

ISO 27001 Structure

The standard has three main parts:
  • Clauses 1–3: Introduction, scope, references, and definitions.
  • Clauses 4–10: Mandatory core requirements for building and maintaining the ISMS.
  • Annex A: 93 controls in four categories—organisational, people, physical, and technological.

Clauses 4–10 create a cycle: Plan, Do, Check, Act (PDCA).

Summary of Clauses:
  • Clause 4 – Context: Identify internal/external factors, stakeholders, and ISMS scope.
  • Clause 5 – Leadership: Top management commitment, roles, responsibilities, and policy.
  • Clause 6 – Planning: Risk assessment, objectives, and risk treatment planning.
  • Clause 7 – Support: Ensure resources, competency, awareness, and proper documentation.
  • Clause 8 – Operation: Implement and control ISMS processes and risk mitigation controls.
  • Clause 9 – Performance Evaluation: Monitoring, audits, and management reviews.
  • Clause 10 – Improvement: Address non-conformities, identify root causes, and pursue improvement opportunities.

Statement of Applicability (SoA)

The SoA is a central ISMS document listing all Annex A controls. For each, you must decide if it applies, justify inclusion/exclusion, and document its implementation. The SoA links risks to controls and demonstrates your security management approach.
Annex A control categories:
  • A5: Organisational controls (policies, supplier relationships, roles).
  • A6: People controls (screening, training, awareness, discipline).
  • A7: Physical controls (secure areas, equipment, entry control).
  • A8: Technical controls (access management, encryption, malware protection).
You aren’t required to implement every control, but you must justify your choices based on risk assessment.
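The SoA rules above (every control gets an applicable/not-applicable decision with a justification, and risks link to controls) lend themselves to a simple consistency check. The script below is an added example, not from the webinar or any NQA tooling: it flags controls lacking a justification, risk treatments that rely on controls the SoA excludes or does not list, and applicable controls not linked to any risk. Control IDs follow the Annex A numbering; the SoA rows and risk register are constructed sample data (A.8.99 is a deliberately invalid ID).

```python
"""Cross-check a Statement of Applicability (SoA) against a risk register.

Added example, not part of the NQA webinar or any NQA tooling. The SoA and
risk register below are constructed sample data for illustration only.
"""

# Constructed SoA: control id -> (applicable?, justification)
SOA = {
    "A.5.1": (True, "Policies required by ISMS scope"),
    "A.5.19": (True, "Supplier relationships in scope (hosted services)"),
    "A.6.1": (True, ""),                      # included, but no justification
    "A.7.4": (False, "No CCTV installed; single serviced office"),
    "A.8.7": (False, ""),                     # excluded without justification
    "A.8.24": (True, "Customer data encrypted at rest and in transit"),
}

# Constructed risk register: risk id -> controls named in its treatment plan
RISKS = {
    "R-01": ["A.5.19", "A.8.24"],
    "R-02": ["A.8.7"],      # treatment relies on a control the SoA excludes
    "R-03": ["A.8.99"],     # control id that does not exist in the SoA
}


def check_soa(soa, risks):
    """Return a sorted list of findings describing SoA/risk-register gaps."""
    findings = []
    # Every inclusion or exclusion decision needs a documented justification.
    for cid, (applicable, why) in soa.items():
        if not why.strip():
            state = "inclusion" if applicable else "exclusion"
            findings.append(f"{cid}: {state} has no justification")
    # Every control a risk treatment relies on must be in the SoA and applicable.
    referenced = set()
    for rid, controls in risks.items():
        for cid in controls:
            referenced.add(cid)
            if cid not in soa:
                findings.append(f"{rid}: references unknown control {cid}")
            elif not soa[cid][0]:
                findings.append(f"{rid}: treatment relies on excluded control {cid}")
    # Applicable controls should trace back to at least one risk.
    for cid, (applicable, _) in soa.items():
        if applicable and cid not in referenced:
            findings.append(f"{cid}: applicable but not linked to any risk")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_soa(SOA, RISKS):
        print(line)
```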

Common Implementation Mistakes

  • Treating ISO 27001 as an IT-only project, causing process, people, and governance gaps.
  • Copy-pasting templates without customisation. The ISMS must be risk-based and context-specific.
  • Focusing on documentation rather than actual implementation.
  • Ignoring top management involvement, leading to misalignment and insufficient resources.
  • Inadequate risk assessment, missing key threats or vulnerabilities.
  • Failing to embed security in the company culture and neglecting ongoing training for all staff, including leadership.

Steps Toward Certification

  • Secure top management buy-in.
  • Define the ISMS scope (systems, locations, teams).
  • Conduct a risk assessment and create a risk treatment plan.
  • Determine and implement policies and procedures; provide training and awareness for everyone.
  • Conduct internal audits to check compliance and effectiveness.
  • Invite an accredited certification body for assessment.
Certification involves a Stage 1 audit (documentation and readiness check), followed by a Stage 2 audit (formal certification, practical verification). If successful, you receive certification and begin a three-year audit cycle: surveillance audits in years one and two, and recertification in year three.

Q&A Highlights

  • Annex A controls: To manage the volume, group related controls (e.g., governance, supplier management) for audit efficiency.
  • Statement of Applicability must link risks and controls. Cross-referencing between the risk register and SoA is essential.
  • Integrated audits (e.g., ISO 9001, 14001, 27001) are possible and efficient but require qualified auditors for each standard.
  • Employee training evidence: Auditors require tangible records (e.g., training logs, attendance records) and annual training is recommended.
  • Common risks: Human error is often the biggest threat—accidental breaches, data loss, or misdirected emails.
  • Plans for AI controls in ISO 27001: Current standard is 2022; an AI-specific standard (ISO 42001) exists and may influence future updates.
  • Physical security monitoring (Annex 7.4): If you have cameras, consider what your business is responsible for, such as access to footage or backups. Exclusions must be justified.
  • Cyber Essentials Plus and ISO 27001: They serve different purposes—one is a management system, the other verifies technical controls. Both can be valuable depending on requirements.
  • Outsourcing IT: Manage third-party providers with contracts, SLAs, KPIs, clear responsibilities, and regular reviews. You retain responsibility even if services are outsourced.
  • Audit planning: You’ll receive an audit plan 6 weeks in advance to arrange resources and availability. The three-year cycle covers all requirements.
  • Opportunities in risk assessments: Opportunity may arise from leveraging existing risk management processes or identifying new efficiencies.
  • Auditor rotation: Pros and cons exist for using the same or different auditors; fresh eyes can bring new insights, but repeat auditors understand organisational context. No strict UKAS rule, but best practice is under discussion.
  • Certification scope: ISO 27001 can cover the whole company or just a specific region—scope must be clearly defined.
  • Integration of management systems: Can save time and reduce duplication, though costs and auditor qualifications should be considered.
Thank you all for attending and for your active participation. If you have further questions, please contact us via email (inquiries@nqa.com or training@nqa.com). We hope you found the session informative and wish you a fantastic rest of the day!