ISO 27001
What does ISO 27001 mean?

ISO 27001 is the leading international standard focused on information security. It was published by the International Organization for Standardization (ISO), in partnership with the International Electro-technical Commission (IEC). Both are leading international organizations that develop international standards.

For a better understanding of what ISO 27001 means, it’s important to know that this standard is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. ISO 27001 is the most important part of that set because it describes how to manage all aspects of security, and its full name is “ISO/IEC 27001 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements.”

Why is ISO 27001 important?

As per the ISO 27001 definition, the basic goal of an Information Security Management System (ISMS) is to protect three aspects of information:

Confidentiality: Only authorized persons have the right to access information.

Integrity: Only authorized persons can change the information.

Availability: The information must be accessible to authorized persons whenever it is needed.

Why do we need an ISMS?

There are four essential business benefits that a company can achieve with the implementation of ISO 27001:

Comply with legal requirements – There is an ever-increasing number of laws, regulations, and contractual requirements related to information security. The good news is that most of them can be resolved by implementing ISO 27001. This standard gives you the perfect methodology to comply with them all. For example, ISO 27001 can help guide the creation of a company’s security policy to be compliant with the EU GDPR.

Achieve competitive advantage – If your company gets its ISMS ISO 27001 certified, and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.

Lower costs – The main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.

Better organization – Typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, employees often do not know what needs to be done, when, and by whom. Implementation of an ISO 27001-compliant ISMS helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security related), enabling them to reduce lost time by their employees and maintain critical organizational knowledge that could otherwise be lost when people leave the organization.

The 14 phases of ISO 27001

ISO 27001 is currently the most widely adopted international information security standard and is used by organizations all over the world. By following ISO 27001, organizations can be confident that their ISMSes are up to date and comply with current best practices.

To do so, ISO 27001 provides a comprehensive framework that helps organizations develop and maintain a secure ISMS. ISO 27001 is divided into 14 phases:

What are the ISO 27001 controls?

The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technological, organizational, physical, and human-related.

What are the requirements for ISO 27001?

The standard requires a minimum set of documents to be written and managed (e.g., policies, plans, records, and other documented information) and activities to be performed (e.g., risk assessment and treatment, internal audit, management review, etc.) for a company to become ISO 27001 compliant. To see the specific documents and records that are considered to be mandatory for ISO 27001 implementation and certification.

Who can issue ISO 27001 certification?

Only Certification Bodies (CBs) that have been accredited to ISO 27001:2013 can issue ISO 27001:2013 certificates. You can check to see if a CB is accredited to a particular standard by searching the UKAS directory of accredited CBs.

It is worth explaining the global accreditation structure in order to better understand how CBs are able to issue certificates.

CBs are the organizations that are accredited to issue certificates to other organizations. There are many CBs in several countries, and because of the international accreditation regime, all certificates issued by accredited CBs are mutually recognised globally.

In order for a CB to be accredited to a particular ISO standard the CB must undergo an accreditation audit by an approved National Accreditation Body (NAB). The UK’s NAB is the United Kingdom Accreditation Service (UKAS).

UKAS is a signatory to the Multi-Lateral Agreement (MLA) of the European co-operation for Accreditation (EA).

The EA MLA is recognised at the global level by the International Accreditation Forum, which means that a certificate issued by an accredited CB in the UK is recognised globally. Similarly, for example, a certificate issued by a CB in the USA that is accredited by the ANSI Accreditation Board has mutual standing in the UK.

Preparing for ISO 27001 Certification

ISO 27001 is a powerful tool for organizations to use when creating a secure ISMS, but it’s important to remember that ISO 27001 is a framework, not an inflexible set of rules.

That means it must be studied, adapted and applied in the context of each organization’s unique needs and circumstances. ISO 27001 provides best practices and guidance, but it’s up to each organization to develop its own ISO 27001-compliant information security system.

Organizations should find an ISO-accredited certification body to assess their ISO 27001 compliance and provide training on topics such as risk assessment, access control, cryptography, physical security, communications security and more.

Organizations should also ensure they have the resources in place to plan and implement ISO 27001-compliant processes and controls.

Getting prepared for ISO 27001 Certification

Using the steps below, organizations can ensure that they are properly prepared for ISO 27001 certification. Doing so helps protect their critical data assets and comply with applicable laws and regulations:

Step 1. Build an ISO 27001-compliant ISMS.

Step 2. Identify risks, and develop risk treatment strategies.

Step 3. Implement ISO 27001-compliant processes and controls.

Step 4. Have an ISO-accredited certification body assess compliance.

Step 5. Monitor your ISO 27001 compliance regularly.

By following ISO 27001, organizations can reduce the risk of data breaches and other security incidents, protect their critical information assets, and comply with applicable legal and regulatory requirements.

Other standards in the 27000 family

There are several other standards being developed in the 27000 family:

ISO/IEC 27003 — implementation guidance;

ISO/IEC 27031 — resilience;

ISO/IEC 27005 — risk management guidance;

ISO/IEC 27032 — cybersecurity guidance;

ISO/IEC 27033 — network security guidance;

ISO/IEC 27034 — application security guidance;

ISO/IEC 27035 — incident management guidance;

ISO/IEC 27036 — information exchange protection guidelines for cloud and other outsourced services; and

ISO/IEC 27037 — digital evidence handling guidelines.

How do you check if a company is ISO 27001 certified?

There isn’t a public register of certified companies. But certified companies will have been issued with a certificate by their certification body so you can ask to see a copy. You should check for the following items on the company’s ISO 27001 certificate:

  1. The current version of ISO 27001 is ISO 27001:2013. Any older versions are no longer valid. When a new version is issued there is a transition period during which organizations adopt it, and only then could a different version number appear on a certificate (there is no transition currently in place for ISO 27001:2013).
  2. The expiration date.
  3. That the certificate is for the company. In multi-group companies it is often the case that a particular member company only is certified – the certification won’t cover other members of the group unless it is stated on the certificate.
  4. The physical sites covered by the certificate. This is only really helpful if you know where your services are being delivered from.
  5. The scope of the certification. Does the scope of the certification cover what the organization is supplying to you? Just because an organization states it is certified to ISO 27001 doesn’t always mean that it is relevant for you.
  6. The accreditation body that issued the certificate. In the UK this is likely to be UKAS, but because of the global mutual recognition scheme it could be a non-UK accreditation body. The important thing to check is that the accreditation body subscribes to the IAF.
  7. You can request a copy of the Statement of Applicability. Check it to confirm that they haven’t excluded any controls that may be necessary to secure the services they provide.

How long does it take to get ISO 27001 certification?

There are a number of factors that can determine how long it takes. The crucial factor is the scope of the certification, which itself comprises things like the size of the organization, the number and complexity of processes, the number of locations and the number of employees. A further factor is the maturity of the information security capability and knowledge already within the organization. In general, with increasing size and complexity comes greater time and effort. The process may also be quicker if the organization already has experience of management system standards, such as ISO 9001 (Quality).

We would always recommend that achieving ISO 27001 certification be treated as a project and managed accordingly. This can either be done in-house or with the support of an ISO 27001 consultant – our Sales Team can help organizations decide and also recommend consultants with whom we have a high degree of confidence.

Well-run projects with experienced personnel can take 2 to 3 months, although over 6 months is not uncommon. In ideal circumstances the organization will have a fully functioning management system in place before the audits take place. Towards the end of the project the organization would undergo a short Stage 1 audit – this is essentially a preparedness check. Then a Stage 2 audit is conducted, typically over several days, and is where every requirement of the standard and the organization’s information security controls are reviewed.

The Role of MDR Consultants in ISO 27001 Certification

While ISO 27001 is a powerful tool for information security, achieving compliance can be a complex process. MDR consultants specialize in guiding organizations through the implementation of ISO 27001. They can assist with:

By partnering with an MDR consultant, you can gain valuable expertise and streamline the process of achieving ISO 27001 certification.

Call us today at to speak to a qualified consultant and learn how we can help your organization achieve ISO 27001 compliance.

Last updated: 2025-09-29 14:16:10
