ISO 27001 is the international security standard that lays out all information security controls when building an ISMS (Information Security Management System) for your organisation. When you comply with ISO 27001, it can help your organisation identify and overcome risks and possible data breaches.
Let's take a closer look at ISO 2700 requirements, the type of documentation required and why your organisation should aim to become ISO 27001 certified.
What is ISO 27001?
What is an ISMS?
What is the ISO 27001 Certification?
What is the ISO 27001:2022 standard?
Why is ISO 27001 important? Why should I consider getting an ISO 27001 Certification?
Who needs ISO 27001 Certification?
How hard is it to get ISO 27001 certified?
How long does it take to get certified?
Does the ISO 27001 Certification expire?
What are the benefits of getting ISO 27001 certified?
What are the certification steps? What exactly do I need to do to get ISO 27001 certified?
Conducting a risk assessment
Implementing controls and a risk treatment plan to mitigate risks?
Documenting your ISMS
What is an ISO 27001 audit, and why is it important?
Conducting internal audits: How to go about it?
How long does it take to get ready for an ISO 27001 external audit?
What you can expect at an external audit
What are the ISO 27001 controls?
The costs of ISO 27001 Certification
Is the investment worth it?
How to get started with ISO 27001 Certification?
Typically, ISO 27001 sets out procedures and rules you need to follow to comply and obtain certification. Certification provides you with credibility among your stakeholders and helps you gain a competitive advantage. If you want to learn more about ISO 27001, read our complete guide on ISO 27001.
An ISMS is a system consisting of processes and technology that helps an organisation manage and protect its information. This system shapes an organisation's data privacy and data management structure and allows it to identify risks, such as data breaches, that attempt to enter the data management system. If you want to learn more about ISMS, read our comprehensive guide on ISMS.
It's necessary to have an up-to-date ISMS to meet the ISO 27001 requirements. As having one in today's day and age where information security is becoming increasingly important will help you navigate the world of data privacy with a greater level of understanding.
To start implementing an ISMS, an organisation will need to understand the requirements of ISO 27001 and their context. All aspects and criteria are essential when complying with ISO 27001.
Having analysed the fundamental considerations of adapting ISO 27001 standard requirements and also the purpose behind implementing an ISMS, let’s understand what the requirements are in the form of clauses under the ISO 27001 standard.
Consider that these requirements have to be complied with not only when preparing for the ISO 27001 certification process, but also through continuous compliance with ISO 27001 as it's not just about gaining the certification, but about setting up a strong information security policy.
4.1 - Understanding the organisational context
This clause acts as the base of an organisation's ISO 27001 implementation. Seemingly self-explanatory, it is understanding an organisation’s setting.
4.2 - Understanding the needs and expectations of interested parties
This requirement is completed after understanding the organisational context. Typically, after understanding Clause 4.1 and the goals of the organisation, it is possible to understand its potential stakeholders.
4.3 - Determining the scope of the ISMS
This step involves defining the scope of the ISMS, tailored specifically to the organisation. This is important as stakeholders will be able to understand what areas are and are not protected by the ISMS.
4.4 - Information Security Management System
This is where an organisation implements the ISMS. Once implemented, the organisation is required to continuously update and improve the system all while providing adequate training to employees.
Your ISO 27001 certification process made simple.
5.1 - Leadership & commitment
This is where senior management and C-level executives of the organisation are expected to focus and show genuine interest in learning about information security. This ensures that they adapt to it so they lead junior management by example.
5.2 - Information security policy
Senior management and C-level executives are expected to create an information security policy. This policy document may be easy to create. However, it's what is inside the document that will play a role in relating to the ISMS–as this document will provide stakeholders the confidence to trust the organisation with the policy.
5.3 - Organisational roles, responsibilities & authorities
When implementing ISMS, senior management and C-level executives are expected to ensure roles, responsibilities and authorities are divided accordingly among employees.
6.1 - Actions to address risks and opportunities
Risk management plays a vital role in ISO 27001. Through risk management and risk assessment within the ISMS, organisations are able to identify risks and opportunities and assess the organisation's requirements.
6.2 - Information security objectives & planning to achieve them
Information security secures organisation's success and can be leveraged as a competitive advantage. That's why an organisation will need to know why they are implementing an ISMS in order to make processes quicker and more transparent along the way–and in line with their organisational goals.
7.1 - Resources
An organisation needs to provide adequate resources to itself when complying with ISO 27001. In addition to what is mentioned previously in clause 5.3, it's not compulsory that organisations must continuously supply staff to update, maintain and improve the ISMS, but resources must be placed where necessary.
7.2 - Competence
ISO 27001 urges that staff handling processes related to ISMS and ISO 27001 are required to have the relevant knowledge and continuous training in order to remain competent with the standard and information security as a whole.
7.3 - Awareness
Staff handling processes related to ISMS and ISO 27001 must be aware of and be continuously updated on information security policy within the organisation. This includes the benefits of the ISMS, methods of identifying risks and opportunities through risk assessments and risk management, and the possibilities of errors if the ISMS doesn't meet the organisation's security policy requirements.
7.4 - Communication
Staff handling processes related to ISMS and ISO 27001 must be able to understand terminology used in information security such as in the UK GDPR, ISMS, and ISO 27001 and other security standards, who they have to communicate with and how they should communicate.
7.5 - Documented information
ISO 27001 and other ISO standards are stringent about the legitimacy and accuracy of documentation they receive from the organisation.
8.1 - Operational planning & control
It's important that an organisation has structural processes in place before and while implementing an ISMS and ISO 27001 such as what is mentioned above in clauses 6.1, 6.2 and 7.5. This provides scope for efficient processes and a clear path to success.
8.2 - Information security risk assessment
A security risk assessment identifies, evaluates, and implements important information security controls. It also focuses on preventing security weak spots in applications. These assessments must be performed at regular intervals as changes may be made within the ISMS and information security policy.
8.3 - Information security risk treatment
Avoiding, optimising, transferring, or keeping risk are some of the risk treatment options. The measures can be chosen from a list of security controls used by the organisation's ISMS.
9.1 - Monitoring, measurement, analysis, and evaluation
If an organisation is looking to become ISO 27001 certified, an auditor from the UKAS (United Kingdom Accreditation Service) for information security will be monitoring the established information security processes and controls, ISMS maintenance, and overall ISO 27001 compliance. Therefore, it's required for an organisation to constantly monitor, measure, analyse, and evaluate its ISMS.
9.2 - Internal audit
An organisation must conduct internal audits on a regular basis to ensure that the ISMS abides by the organisation's information security policy and meets the requirements of the ISO 27001 standard to become certified.
9.3 - Management review
Senior management and C-level executives are required to conduct management reviews at uniform intervals throughout the year. These management reviews should identify areas that can be improved in your organisation's ISMS and overall ISO 27001 standard.
Typically, while the reviews may only be required to be completed once or twice a year, it's advised that your organisation performs management reviews regularly–due to the constant evolution of threat actors and their toolkits.
10.1 - Nonconformity and corrective action
If a nonconformity is spotted within the ISMS, the action that follows is a crucial part of ISMS improvement in an organisation. Both the nonconformity and the corrective action that followed must be documented.
10.2 - Continual improvement
An ISMS relies heavily on continuous improvement to achieve and maintain the adequacy and effectiveness of information security in respect to the organisation's objectives.
If an organisation complies with the above clauses and makes information security an important aspect of the organisation, it will play a vital role in obtaining ISO 27001 certification for itself.
Even though it's essential to comply with all the above requirements, it's not essential to comply with all ISO 27001 controls. A crucial aspect of ISO 27001 apart from its requirements, is assessing the exact controls that apply to a specific organisation.
ISO 27001 controls fall under the Annex A of the standard, so they are referred to as Annex A controls. Annex A is comprised of 114 information security controls and goals under 14 categories that organisations need to consider when complying with ISO 27001 measures and implementing ISMS measures.
The 14 categories of Annex A are:
Information security policies
Organisation of information security
Human resources security
Asset management
Access control
Cryptography
Physical and environmental security
Operational security
Communications security
Systems acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance
ISO 27001 Annex A is the most well-known annex of all ISO standards, as it offers an important tool for managing information security risks. If you want to learn more about ISO 27001: Annex A controls, read our comprehensive blog that breaks down the Annex A controls and provides a deeper understanding of how controls work within the ISO 27001 standard.
Annex A can also be thought of as a portfolio of information security controls from which you can choose – pick from the 114 measures listed in Annex A that are relevant to your organisation's environment. Once these controls have been chosen specifically for your organisation, you can start preparing the documentation for ISMS.
Documentation is a crucial part of complying with the ISO 27001 standard, as regular audits are to be held by external parties such as the UKAS. When an organisation undergoes audits, the external auditors will need proof of all parts of ISO 27001 and ISMS implementation, which should be shown through documentation.
The mandatory documents required for ISO 27001 are:
4.3 The scope of the ISMS
5.2 Information security policy
6.1.2 Information security risk assessment process
6.1.3 Information security risk treatment plan
6.1.3 The Statement of Applicability
6.2 Information security objectives;
7.2 Evidence of competence
5.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
8.1 Operational planning and control
8.2 Results of the information security risk assessment
8.3 Results of the information security risk treatment
9.1 Evidence of the monitoring and measurement of results
9.2 A documented internal audit process
9.2 Evidence of the audit programmes and the audit results
9.3 Evidence of the results of management reviews
10.1 Evidence of the nature of the non-conformities and any subsequent actions taken
10.1 g) Evidence of the results of any corrective actions
Each of these documents is covered by the ISO 27001 requirements outlined above. Each criteria must be followed and documented accordingly for an organisation to present during external audits.
Clause 6.1.3 The Statement of Applicability is one of the main documents that fall under the clause 6.1 Actions to address risks and opportunities.
When starting to implement ISMS controls and measures, you may come across the SoA which is mandatory and acts as the main link between a risk assessment and a risk treatment in an organisation.
The SoA is part of 6.1.3 of the primary ISO standards for ISO 27001, a component of the larger 6.1 requirements, which is focused on activities that address risks and opportunities and one of the first things an external auditor looks at when performing an audit. If you want to learn more about the SoA, read our article on Statement of Applicability in ISO 27001.
Using the SoA, an organisation may determine which ISO 27001 controls and policies are currently in place and compare them to the ISO 27001 Annex A controls.
Now that you understand IS0 27001, you can start implementing it. An ISO 27001 certification proves to your stakeholders that your organisation takes information security seriously.
It reduces uncertainty and the risks of having a compromised system, and enables your organisation to operate in an increasingly volatile cyberspace with the peace of mind that you are doing what you can to mitigate the risks of operating in a technical world.
Need help understanding ISO 27001 requirements and preparing for ISO 27001 compliant ISMS implementation? Schedule a call with our information security experts today.
Up to 50% cheaper than external consultants
Close up to 50% of your company's biggest risks in as little as 8 weeks
Achieve compliance in as little as 3 months
First-try pass rate in external audits on ISO 27001 and TISAX®
Up to 75% less workload compared to doing it manually
A ton of big brands trust us with over 4,000 Customers
TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide Software-as-a-Service and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.