What is ISO 27001?
To give it its full title, ‘ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements’ is an international standard which was published by the International Organisation for Standardisation (ISO). The purpose of the Standard is to provide the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of your organisation. This is the Standard organisations can certify against.
The current version of the Standard replaced the 2013 version on 25 October 2022 and is applicable to all organisations, irrespective of type, size or sector.
What is the purpose of ISO 27001?
ISO 27001 provides a standardised approach that outlines how to manage information security proactively, allowing you to identify and manage the risks to your organisation. It is widely recognised as the best practice approach for achieving this.
How does ISO 27001 work?
ISO 27001 advocates the use of an Information Security Management System (an ISMS for short), which is made up of a standardised set of policies, processes and procedures to enable you to identify what information needs to be protected, what types of protection you require and what mitigating actions can be taken to address any identified risks. In effect, your ISMS outlines the approach you take to managing your information security.
Why does ISO 27001 matter?
There are many ways your organisation can be impacted by a failure to protect your information and the consequences can be catastrophic.
For example, in Europe, a failure to protect the personally identifiable information (PII) of your employees or customers could result in your organisation being prosecuted under the General Data Protection Regulation (GDPR).
This carries with it fines of up to 4% of global turnover, or 20 million Euros, whichever is the higher.
If a failure to protect information becomes public knowledge, it can also lead to negative publicity in traditional or social media, resulting in significant brand and reputational damage and impacting your organisation’s ability to generate revenue.
Implementing an ISMS based upon ISO 27001 will help you to identify where your greatest risks are, deal with them appropriately and reduce the likelihood of significant impacts occurring. This will reassure your stakeholders that information security risk is being managed effectively.
When was ISO 27001 updated?
The current version of the Standard, ISO/IEC 27001:2022, replaced the 2013 version of the Standard on 25 October 2022.
What changes were made with ISO/IEC 27001:2022?
The major change to ISO 27001, with the publication of the 2022 version, was the incorporation of the control set from ISO 27002:2022 into Annex A of ISO 27001:2022. With ISO 27002:2022, there was a significant revision of the set of information security controls, with the previous 114 being reduced to 93. Of those 93 controls:
- 58 have been updated
- 24 controls represent merging of 57 of the previous controls
- 11 new controls have been introduced.
More information on ISO 27002:2022 can be found here.
A number of changes to the management system clauses were made in ISO/IEC 27001:2022 with the goal of making some of the requirements more explicit and improving the alignment with other Annex SL standards, such as ISO 9001 and ISO 22301, e.g. sub clause titles, terms and definitions.
ISO 27001 certification
In order to provide further reassurance to your stakeholders, and customers in particular, you are also able to seek independent certification to ISO 27001. This is a process where, following an assessment of your ISMS by an accredited certification body, you are able to provide evidence that you meet the requirements of the standard.
Is there a legal requirement to comply with or be certified to ISO 27001?
There is, generally, no direct legal requirement as such. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so.
However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.
There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by way of a contract.
How long does it take to implement ISO 27001?
There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available.
However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.
With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.
So what does ISO 27001 require me to do?
A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS. You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.
These requirements are broken down into 7 major clauses which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.
What are the 7 mandatory clauses of ISO 27001?
The 7 mandatory clauses which you are required to comply with are clauses 4 to 10. Clauses 1 to 3 deal with scope of the document, normative references and terms and definitions.
Clause 4: Context of the organisation
You are required to identify the internal and external issues that are relevant to your organisation’s purpose.
You are also required to identify any parties that have an interest in your organisation’s ability to provide adequate security for your information and you need to determine what the needs of those parties are.
Clause 4 also requires that the scope of your ISMS is determined and that not only is the ISMS established and implemented, but that it is also maintained and continually improved.
Clause 5: Leadership
It requires that your organisation’s top management demonstrates effective information security-related leadership, establishes an information security policy and assigns appropriate roles, responsibilities and authorities.
Clause 6: Planning
It requires that your organisation plans how you will take action to address risks and opportunities as well as how you will perform information security-related risk assessments.
There is also a requirement, at this point, to identify how suitable treatments for the identified risks will be determined.
Another requirement of Clause 6 is that you identify a suitable set of information security objectives.
These objectives need to be aligned with the output of the risk assessment and be consistent with your information security policy and your organisation’s overall business objectives. You also need to develop plans that detail how the objectives are going to be achieved.
Clause 7: Support
It deals with several requirements that need to be implemented in order to effectively support your ISMS.
You will need to ensure that people are competent to perform their roles and that appropriate training and awareness is provided.
There is also a requirement for you to determine communications relevant to your ISMS and to meet various documentation requirements.
Clause 8: Operation
You are required to ensure that any processes needed to meet the security requirements of your organisation are planned, implemented and controlled.
Specifically, you must ensure that plans made in Clause 6 are implemented including the risk assessment process and the risk treatment plan. You are also required, within Clause 8, to control planned changes and to keep documentation as evidence of processes being carried out.
Clause 9: Performance evaluation
It enables you to check to see if your efforts and your ISMS are working. This is achieved through the use of internal audit, management review and through monitoring, measurement, analysis and evaluation of activities.
Clause 10: Improvement
You are required to ensure there is continual improvement and any nonconformities you have identified are corrected and prevented from reoccurring.
What is the difference between ISO 27001 and ISO 27002?
ISO 27002 is a supporting document that provides guidance on 93 best practice information security controls that can be implemented to help mitigate the risks identified by your ISO 27001 risk assessment. The ISO/IEC 27002:2022 Standard restructured and rationalised the previous 114 controls, and added a further 11 controls to the structure, reflecting the evolving IS technologies and the emergence of new threats.
In fact, these 93 controls are replicated in Annex A of ISO 27001 and you are required to consider all of them when determining the most appropriate actions to mitigate your risks.
The controls are separated into 4 main themes: organisational, people, technological and physical. The Standard also introduced 5 ‘attributes’, where you can assign hashtags to controls to enable you to filter, sort, or present controls in different ways. More information can be found here.
Can I use Annex A as an information security controls checklist?
Many organisations use the controls listed in Annex A as a menu or checklist of best practice controls to be implemented in order to provide a level of information security.
However, URM recommends that your risk assessment is used to determine which controls are relevant, as some of them may not be applicable to your organisation.
We would also recommend that you don’t use Annex A in isolation as ISO 27002 provides very good additional guidance on how controls should be implemented.
It should also be noted that following your risk assessment, you may identify risks that cannot be adequately mitigated using the supplied controls. The standard provides the flexibility to permit the creation or introduction of additional controls from other sources which you may wish to implement to address unique risks.
Why work with URM?
- We have helped over 350 organisations to become certified to ISO 27001 across a range of sizes and industry sectors
- 100% certification guarantee
We could quote our experience – all our consultants have at least 5 years of experience of implementing and managing ISMSs, which has enabled them to truly understand the challenges before becoming consultants.
However, whilst all of these things are important, we believe it is our approach and our passion that really sets us apart.
For URM, it is vitally important that your ISMS and ISO 27001 implementation reflects and is appropriate to your organisation. Your ISMS needs to be pragmatic, maximise everything you have in place and become business as usual.
Doing something simply because the Standard says so and producing a document to reflect that, will never become fully embedded in your organisation.
Added to our approach and passion is our flexibility.
We will help you in the way that suits you best – whether that is through providing advice and guidance, taking responsibility for some of the requirements such as risk assessment and policy production or providing you with an experienced individual for a period of time.