ISO 27001 Consultancy

ISO 27001 is an international standard designed to help organisations improve their information security through the creation and operation of an information security management system (ISMS), that is developed and tailored to their own particular set of circumstances.  ISO 27001 provides a framework to establish an effective information security programme that is based on a consistent risk management process that utilises controls that are incorporated within the ISMS.

ISO 27001 is the second standard in the ISO 27000 family of standards that comprises over 30 documents. When organisations are audited by an external assessor for ISO 27001 certification, they are required to meet the requirements described within ISO 27001. The standard is also referred to as ISO/IEC 27001, which indicates it is a standard that was published by the International Organization for Standardization (ISO)  and International Electrotechnical Commission (IEC).

ISO/IEC standards do change over time whenever new versions are published. The current version is ISO/IEC  27001:2017 

An ISMS is an abbreviation for Information Security Management System. An ISMS, as the name suggests, is a system for managing the information assets of an organisation in a secure manner. This means that the system takes into account the information security risks to which the assets are exposed (i.e. takes account of the confidentiality, integrity and availability risks) and has the means to minimise the risks through the application of controls so that the risks are acceptable to the business.

An ISMS consists of policies, procedures, processes (and other elements) that are scoped and developed for a particular organisation, that together constitute the system. The ISMS contains the guidance, processes and operational methodology, which has been established by the management team, that if followed by staff and others, will have a good chance of protecting the information assets of the organisation from the anticipated risks.

The complete ISMS requires the establishment of several processes (relevant to the creation of the ISMS) such as risk assessment, risk treatment, asset management, document management, awareness training relevant to job roles, management review, incident management, supplier management and others.

ISMS’s have traditionally existed as a series of Excel and Word documents. But this medium has many limitations. Document control is difficult because it can be a challenge to ensure that staff are working from up-to-date documents. Significant time is wasted by staff operating the system and getting staff buy-in.  A better and more efficient way is adopting a digital approach. See SMART ISMS’s – a better way for fostering compliance within your organisation

ISO 27001 is the standard to which businesses are required to comply with when looking to get a certification in ISO information security management. ISO 27001 describes all the information security management requirements in a series of seven clauses together with an Appendix that lists 114 popular controls that can be used to mitigate and reduce information security risks.  Known as ‘Annex A’, each control objective is described together with the actual control. In Annex A, the controls are listed as ‘shall be defined’ or ‘shall be maintained’ etc where the pre-fix ‘shall’ is an expectation from the certification body that the control (if selected within the risk treatment process) is a MUST do requirement.

ISO 27002 is a guidance document that lists all the controls within ISO 27001 Annex A but also includes implementation guidance. The principle difference is that the prefix ‘should’ is utilised within ISO 27002 control descriptions instead of ‘shall’ which is used within ISO 27001. The reasoning is that the 114 controls listed within Annex A are popular measures to treat risks but they are not the only ones. This is evident in some sectors which have specific control requirements that are unique for a particular industry.

There are 7 distinct steps to gaining ISO 27001 certification:

Step 1 - develop an understanding of ISO 27001 requirements 

Step 2 - gain an understanding of the processes that underpin and run the business

Step 3 - undertake risk assessments 

Step 4 - develop and build an ISMS with an appropriate scope that meets the needs of its interested parties

Step 5 - operate the ISMS 

Step 6 - pass the Stage 1 Audit

Step 7 - pass the Stage 2 Audit

The award of an ISO 27001 certificate lasts for 3 years before recertification is required. However, it should be noted that the certification body will carry out periodic surveillance audits to make sure that the ISMS continues to conform to the ISO 27001 standard. These surveillance audits are typically every 12 months.

Typically 6 months to a year depending upon the complexity and the size of the business. It's vital to have management support.

ISO 27001 Annex A contains 114 controls that are designed to mitigate information security risks. The controls are grouped together into 14 control sets or categories.

A Statement of Applicability (SOA) is a requirement of clause 6 of the ISO 27001 standard. The SOA document lists the selected controls chosen to mitigate risks as part of the risk treatment process.  All controls from Annex A must be considered and their selection justified. Similarly, when a control (from Annex A) is not required, the justification for its exclusion must also be recorded.

ISO 27001 can help with GDPR compliance if an appropriately designed ISO 27001 Information Security Management System (ISMS) is utilised.

GDPR is a risk-based regulation that relies upon organisations having 'appropriate organisational and technical measures ' to protect personal information. Similarly, ISO 27001 is a risk-based standard for information security management. The following table is an extract from Article 32 of the GDPR and provides a mapping to the relevant aspects of an ISO 27001 Information Security Management System (ISMS).

It should be borne in mind that when the ISMS is planned, GDPR compliance would be included as a statutory requirement within Clause 4 'Understanding the context of the organisation'.

An appropriately developed ISO 27001 ISMS will help protect personal data by minimising confidentiality, integrity and availability risks. The ISO 27001 ISMS will not help with privacy risks such as failing to respond to subject access requests within a month etc.

When organisations are audited by an external assessor for ISO 270001 certification, they are required to meet requirements 4 through to 10 of the ISO 27001 standard. These requirements are summarized here at a very high level:

Do bear in mind you are creating a system that manages your information assets (i.e. the Information Security Management System, known as your ISMS. See 'What is an ISMS?' in this FAQ) The ISMS takes into account all the risks that you have identified. 

The ISO 27001 requirements that will be checked (as part of certification) are as follows:

Requirement 4 - Context of the organisation. Here you consider and record all the factors that may influence the creation and operation of your ISMS. For instance, they must include any legal requirements, laws, regulations, industry frameworks that the organisation must comply with etc, etc.

Requirement 5 - Leadership - The management team must promote the adoption and ongoing commitment to ISO27001 compliance within the company. For instance, there must be evidence of the management teams participation in the creation and ongoing operation of the ISMS together with ensuring sufficient resources are provided.  They must also ensure that suitable policies are created etc, etc

Requirement 6 - Planning - The organisation must have evidence of planning to identify potential information security risks and how these risks can be minimised to an acceptable level by using your defined risk treatment plan. The organisation must have evidence of setting security objectives and planning as to how these objectives can be met etc, etc.

Requirement 7 - Support - The organisation must operate a process to ensure that up-to-date and approved ISMS documents are available to staff. Suitable communications must also be made to relevant parties about the operation of the ISMS and their role, etc, etc

Requirement 8 - Operation- The organisation must undertake (and record the details of planned) risk assessments. Change management must be practised etc, etc

Requirement 9 - performance evaluation - Performance of the ISMS must be recorded and checked via suitable audits to identify nonconformance. The management team must review the performance of the ISMS to ensure it is meeting the planned objectives etc, etc

Requirement 10 - Improvement - When a non-conformance is identified, there must be evidence of a process to decide the best course of action to fix it and take steps to ensure it is not repeated. Similarly, there must be evidence of continual improvement of the ISMS etc, etc.