ISO 27001 – Most Frequently Asked Questions
What is ISO 27001 for?
ISO 27001 provides a standardised approach that outlines how to manage information security proactively, allowing you to identify and manage your information security risk. It is widely recognised as the best practice approach for achieving this.
How does ISO 27001 work?
ISO 27001 advocates the use of an Information Security Management System (an ISMS for short), which is made up of a standardised set of policies, processes and procedures to enable you to identify what information needs to be protected, what types of protection you require and what mitigating actions can be taken to address any identified risks. In effect, your ISMS outlines the approach you take to managing your information security.
Why does ISO 27001 matter?
There are many ways your organisation can be impacted by a failure to protect your information and the consequences can be potentially catastrophic. For example, in Europe, a failure to protect the personally identifiable information of your employees or customers could result in your organisation being prosecuted under the General Data Protection Regulation (GDPR). This carries with it fines of up to 4% of global turnover, or 20 million Euros, whichever is the higher. If a failure to protect information becomes public knowledge, it can also lead to negative publicity in traditional or social media, resulting in significant brand and reputational damage and impacting your organisation’s ability to generate revenue.
Implementing an ISMS based upon ISO 27001 will help you to identify where your greatest risks are, deal with them appropriately and reduce the likelihood of significant impacts occurring. This will reassure your stakeholders that information security risk is being managed effectively.
ISO 27001 Certification
In order to provide further reassurance to your stakeholders, and customers in particular, you are also able to seek independent certification to ISO 27001. This is a process where, following an assessment of your ISMS by an accredited certification body, you are able to provide evidence that you meet the requirements of the standard.
Is there a legal requirement to comply with or be certified to ISO 27001?
There is, generally, no direct legal requirement as such. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders. There is an increasing trend for customers to require third party suppliers to implement or certify to ISO 27001, which makes it a legal requirement by way of a contract.
How long does it take to implement ISO 27001?
There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available. However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001. With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.
So what does ISO 27001 require me to do?
A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS. You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement. These requirements are broken down into 7 major clauses which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.
What are the 7 mandatory clauses of ISO 27001?
The 7 mandatory clauses which you are required to comply with are clauses 4 to 10. Clauses 1 to 3 deal with scope of the document, normative references and terms and definitions.
Clause 4 – Context of the organisation
You are required to identify the internal and external issues that are relevant to your organisation’s purpose. You are also required to identify any parties that have an interest in your organisation’s ability to provide adequate security for your information, and you need to determine what the needs of those parties are. Clause 4 also requires that the scope of your ISMS is determined and that the ISMS is not only established and implemented, but also maintained and continually improved.
Clause 5 – Leadership
Clause 5 requires that your organisation’s top management demonstrates effective information security related leadership, establishes an information security policy and assigns appropriate roles, responsibilities and authorities.
Clause 6 – Planning
Clause 6 requires that your organisation plans how you will take action to address risks and opportunities, as well as how you will perform information security-related risk assessments. There is also a requirement, at this point, to identify how suitable treatments for the identified risks will be determined.
Another requirement of Clause 6 is that you identify a suitable set of information security objectives. These objectives need to be aligned with the output of the risk assessment and be consistent with your information security policy and your organisation’s overall business objectives. You also need to develop plans that detail how the objectives are going to be achieved.
Clause 7 – Support
Clause 7 deals with several requirements that need to be implemented in order to effectively support your ISMS. You will need to ensure that people are competent to perform their roles and that appropriate training and awareness is provided. There is also a requirement for you to determine communications relevant to your ISMS and to meet various documentation requirements.
Clause 8 – Operation
You are required to ensure that any processes needed to meet the security requirements of your organisation are planned, implemented and controlled. Specifically, you must ensure that the plans made under Clause 6 are implemented, including the risk assessment process and the risk treatment plan. You are also required, within Clause 8, to control planned changes and to keep documentation as evidence of processes being carried out.
Clause 9 – Performance evaluation
Clause 9 enables you to check whether your efforts and your ISMS are working. This is achieved through internal audit, management review and the monitoring, measurement, analysis and evaluation of activities.
Clause 10 – Improvement
You are required to ensure there is continual improvement and that any nonconformities you have identified are corrected and prevented from recurring.
What is the difference between ISO 27001 and ISO 27002?
ISO 27002 is a supporting document that provides guidance on 114 best practice information security controls that can be implemented to help mitigate the risks identified by your ISO 27001 risk assessment.
In fact, these 114 controls are replicated in Annex A of ISO 27001 and you are required to consider all of them when determining the most appropriate actions to mitigate your risks.
The controls are separated into 14 different control areas or groups. These groups cover different aspects of an organisation where you would expect to find some information security controls to be implemented such as in human resources, IT, physical security and supplier relationships. Some control groups also have a specific outcome in mind, for example, cryptography, access control and compliance.
Can I Use Annex A as an Information Security Controls Checklist?
Many organisations use the 114 controls listed in Annex A as a menu or checklist of best practice controls to be implemented in order to provide a level of information security. However, URM recommends that your risk assessment is used to determine which controls are relevant, as some of them may not be applicable to your organisation. We would also recommend that you don’t use Annex A in isolation as ISO 27002 provides very good additional guidance on how controls should be implemented. It should also be noted that following your risk assessment, there may be additional controls not included in ISO 27002 or Annex A which you wish to implement to address high-risk areas.
Why work with URM?
We could quote our experience – all our consultants have at least 5 years of experience of implementing and managing ISMSs, which has enabled them to truly understand the challenges before becoming consultants. However, whilst all of these things are important, we believe it is our approach and our passion that really sets us apart.
For URM, it is vitally important that your ISMS and ISO 27001 implementation reflects, and is appropriate to, your organisation. Your ISMS needs to be pragmatic, make the most of everything you already have in place and become business as usual. Doing something simply because the Standard says so, and producing a document to reflect that, will never become fully embedded in your organisation.
Added to our approach and passion is our flexibility. We will help you in the way that suits you best – whether that is through providing advice and guidance, taking responsibility for some of the requirements such as risk assessment and policy production or providing you with an experienced individual for a period of time.