ISO 27001 Information Security Management System

The standard was previously known as BS 7799 and ISO 17799. The ISO 27001 (ISMS) standard was published in 2005 and re-released in 2013.

ISO 27001 is the British Standard for an Information Security Management System (ISMS). It is the only ISMS standard against which an organization can be audited to international standards.

Information is vital to every organization and the standard provides an auditable method of monitoring, protecting and managing information and data systems.

Loss of data and information of any kind can, at the very least, be inconvenient to an organization; at worst it can lead to its collapse.

How will ISO 27001 certification help my organization?

ISO 27001 is suitable for all organizations worldwide, large or small and across all business sectors.

By implementing a robust system to manage information within an organization you will protect information assets to ensure continuity of business should damage or loss occur.

Loss or damage could be caused by natural disasters such as fire or flood, accidental loss or mismanagement, or corrupted or stolen data. The effects of any of these losses can have catastrophic consequences for an organization.

Data can be any information that an organization processes or owns. This can be electronically stored data, information transmitted by post or email, printed data, or information that individuals hold within the organization.

By implementing ISO 27001 an organization will identify the type of information that exists within the organization and define the risks and threats. Systems, controls and procedures can then be set up to minimize the risk.

ISO 27001 provides a system for monitoring and maintaining:

  • Confidentiality of information
  • Availability of information
  • Accuracy of information

Organizations that handle information on behalf of others can benefit greatly from being certified because they are able to show they have a process in place for continual monitoring and protection of third party data.

Gaining ISO 27001 certification will give your customers confidence in the knowledge that security risks have been assessed and minimized and that you have systems in place to protect and recover information quickly if there is a loss.

A process of continual improvement and assessment will provide your organization with the necessary management tools to monitor and improve the security of your information.


Cyber crime

Cyber crime is becoming a major problem as organizations store their information digitally on a variety of devices and locations:

  • Company servers
  • Individual PCs
  • In the cloud
  • Memory sticks
  • Company websites, etc.

Cyber criminals are finding more and more ways to exploit business computer systems resulting in disruption to users, theft of data, identity theft and virus infection.

Costs for dealing with these security breaches can be substantial, so reducing the risk of a cyber attack should be at the top of your list of priorities and will save you time, worry and cost in the future.

How cyber security risks can affect your business

If your company suffers a security breach, the implications for your business could be catastrophic.

  • Your IT department or provider will be working overtime to investigate how your systems were breached, what information has been accessed and how to repair the damage.
  • The reputation of your company could be at risk and you may have to counter any adverse publicity.
  • Legal responsibilities will need to be assessed and claims dealt with.
  • Financial losses running into tens of thousands of pounds could be incurred to repair the damage.

A management system will help to mitigate the impact of an incident and get your business back to normal as quickly as possible.

Information Security Management System (ISMS)

By implementing an ISO 27001 ISMS you will assess the risks, identify threats and put in place a process to protect your valuable information assets.

Benefits of ISO 27001

Implementing an information security management system will provide your organization with a system that will help to eliminate or minimize the risk of a security breach that could have legal or business continuity implications.

An effective ISO 27001 information security management system (ISMS) provides a management framework of policies and procedures that will keep your information secure, whatever its format.

A series of high-profile cases has shown how damaging it can be to an organization when information gets into the wrong hands or into the public domain. By establishing and maintaining a documented system of controls and management, risks can be identified and reduced.

Achieving ISO 27001 certification shows that a business has:

  • Protected information from getting into unauthorized hands
  • Ensured information is accurate and can only be modified by authorized users
  • Assessed the risks and mitigated the impact of a breach
  • Been independently assessed to an international standard based on industry best practices

ISO 27001 accreditation demonstrates that you have identified the risks, assessed the implications and put in place systematic controls to limit any damage to the organization.

Benefits include:

  • Increased reliability and security of systems and information
  • Improved customer and business partner confidence
  • Increased business resilience
  • Alignment with customer requirements
  • Improved management processes and integration with corporate risk strategies

Achieving ISO 27001 is not a guarantee that information breaches will never occur; however, with a robust system in place, risks will be reduced and disruption and costs kept to a minimum.

Process stages

Some of the stages you will need to go through to protect your business and achieve ISO 27001 include:

  • Assessing the potential risks to your business and identifying areas that are vulnerable.
  • Implementing a management system that covers the entire organization, to control how and where information is stored and used.
  • Maintaining a process to manage current and future information security policy.
  • Making employees and third party contractors aware of the risks and incident reporting.
  • Monitoring system activity and logging user activities.
  • Keeping IT systems up to date with the latest protection.
  • System access control.

ISO 27001 Accreditation

Due to the wide-ranging nature of data storage and protection, you will need to involve all levels of management and all areas of your organization to implement and maintain an effective information security management system (ISMS). Information security is as much about people as technology.

To achieve accreditation you will need to create an internal information security forum and engage the services of an external consultant or technical expert to provide guidance and support through the implementation and certification process.

You will then need to appoint an accredited certification body to conduct an independent assessment of your information security management system. Your organization, your customers and your partners can then be confident that your ISMS has been competently audited to the requirements of the international standard.

ISO 27001 controls

To implement a robust and workable system you will need to consider the following:

  • Define the scope of the system
  • Define your information security policy
  • Establish the security objectives of the business
  • Perform an information security risk assessment
  • Formulate a risk treatment plan
  • Select the most suitable control methods
  • Establish policies and procedures
  • Implement internal review and internal audits
  • Monitor the performance of controls to identify opportunities for improvement

Certification audit

When you are satisfied that your documentation and processes are in place, you are then ready for your first audit. The auditor will review your documentation and make sure that procedures are being followed throughout the organization.

If there are any areas that need to be rectified, this will have to be done before your ISO 27001 certificate is issued.