ISO 27001: A Quick Expert’s Overview

Business benefits, regulatory compliance, risk assessment, and continual improvement

Alan Calder is the Group CEO of GRC International Group PLC, the parent company of IT Governance USA, and an ISO 27001 pioneer. He led the world’s first successful implementation of ISO 27001, and has been involved in developing a wide range of information security management training courses.

He’s also consulted for clients across the globe, and is a regular media commentator and speaker.

We sat down to chat to him.

How did your ISO 27001 journey start?

We were the first to implement an ISMS [information security management system] aligned to BS 7799, which was the precursor to ISO 27001, published in 1995. Ten years later, this was replaced by ISO/IEC 27001:2005, then by ISO/IEC 27001:2013, and now we’re at ISO/IEC 27001:2022.

Actually, this was a double first. The ISMS was audited by our then-certification body DNV, which was the first accredited certification audit that had been carried out.

We’ve since remained at the forefront of ISO 27001, introducing qualifications like the ISO 27001 Foundation, Lead Implementer, and Lead Auditor training courses. We also introduced the most effective way of implementing an ISO 27001 ISMS – our nine-step approach – which we teach in our Lead Implementer course.

I’ve written numerous books on ISO 27001, including IT Governance – An international guide to data security and ISO 27001/ISO 27002, which is the recommended textbook for the UK Open University’s postgraduate information security course. I also wrote Nine Steps to Success, which is a long-running, leading book on implementing the Standard.

What are the business benefits of ISO 27001?

Since ISO 27001 is an international standard, it doesn’t differ depending on your location – it applies in the US exactly as it does in Europe. Or, for that matter, anywhere else in the world.

That’s independent of the language it’s been translated into – the content and requirements remain the same.

Furthermore, ISO [International Organization for Standardization] standards are valid in 170 countries. More specifically, there are currently 170 national standards bodies in the world. As such, you can obtain certification from a non-US certification body, and still have it recognized in the US.

What regulatory value does ISO 27001 have?

ISO 27001 is at the heart of every cybersecurity law across the world – though covertly rather than overtly.

This is because the core objective of ISO 27001 is to preserve the confidentiality, integrity, and availability [CIA] of valuable information. Virtually every cybersecurity and privacy law is about at least one of those three things, and usually about all three.

For example, the new SEC rules are about how boards demonstrate that they have the capability in their management and their processes to ensure that the CIA of information is preserved.

How exactly can ISO 27001 help an organization meet its legal requirements, such as the SEC rules?

ISO 27001 requires several standard, straightforward activities. The first is to identify relevant legal, regulatory, and stakeholder requirements. Publicly listed companies, for instance, would probably include the SEC disclosure rules in their list.

In turn, those inform your ISMS’s objectives, which ISO 27001 requires you to establish, and inform your risk assessments.

Risk management is fundamental to the Standard. It’s not like the PCI DSS [Payment Card Industry Data Security Standard], which imposes a set of controls. ISO 27001 effectively says to management: ‘Work it out yourself!’

It’s up to management to identify:

  • The organization’s most important assets
  • The risks to them
  • The appropriate controls to mitigate those risks

In short, management is in charge of information security. It’s their job to determine what good security looks like for their organization. And to make sure that an appropriate amount of money is committed to delivering that security.

Under ISO 27001, management has very clear accountability. As it should have: Security is just as much about people as it is about processes and technology, which means influencing human behavior. That requires a top-down approach. Management must set the right example – as well as allocate sufficient resource to make security possible.

Tell us more about ISO 27001 risk assessment and control selection

Following your risk assessment, you must select controls. These can be from any framework, not just the controls listed in Annex A of the Standard itself.

That said, your SoA, or Statement of Applicability, must map those controls against Annex A if you’re using controls from a different framework. This gives everyone who might look at your management system, such as an auditor, a clear point of reference.

What are some common misconceptions around implementing ISO 27001?

Perhaps the most common is not so much the implementation itself, but the fact that, once the ISMS is implemented, it must be monitored, measured, and continually improved.

Simply having the management system in place isn’t the end of the story. Once it’s implemented, you have to make sure it’s doing what it’s supposed to. You need to monitor its effectiveness, track its performance against its objectives, and continually improve it.

ISO 27001 certification is an ongoing journey, not a destination.

How expensive is continual improvement?

The question really ought to be: How cost-effective is it?

Continual improvement means getting better results for your investment. That typically means one of two things:

  1. Getting the same results while spending less money
  2. Getting better results while spending the same amount of money

Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.

ISO 27001 isn’t just a security investment. It’s a business investment with long-term business benefits that go far beyond preventing the bad press associated with a breach.

Want to reach ISO 27001 certification readiness in just three months?

Get all the support you need to implement an ISMS quickly and cost-effectively, with minimal business disruption.

Have an experienced consultant work with you to design, develop, and establish your ISMS.

They’ll make sure that all ISO 27001 requirements are met in a way that embraces any existing activities, controls, and documentation.

Note: This package has been designed for small organizations with up to 20 employees. Larger organizations should look at our ISO 27001 FastTrack™ 500 package.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back on Friday, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog, where Louise Brooks – head of consultancy at DQM GRC, our sister company – gave us her expert insights into legally monitoring staff.