What is ISO 27001?
ISO/IEC 27001:2013 (ISO 27001) is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all corporate data (such as financial information, intellectual property, employee details or information managed by third parties).
ISO 27001 was first published in 2005 by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), revised in 2013, and belongs to the ISO 27000 family of standards. It is the best-known internationally recognized standard against which an information security management system can be independently certified.
ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013, which explains how to implement information security controls for managing information security risks.
Purchase your copy of the ISO 27001 standard (PDF).
Free PDF download: Information Security and ISO 27001 – An introduction
Find out how ISO 27001 can help you meet your legal and regulatory obligations.
What is ISO 27001 certification?
ISO 27001 certification demonstrates that your organization has invested in the people, processes, and technology (e.g., tools and systems) to protect your organization’s data and provides an independent, expert assessment of whether your data is sufficiently protected.
Certification is achieved through an accredited certification body. It provides evidence to your consumers, investors, and other interested parties that you are managing information security according to international best practices.
ISO 27001 compliance is becoming increasingly important as regulatory requirements (such as the GDPR, HIPAA, and CCPA) pressure organizations to protect their consumer and personal data.
How do ISO 27001 audits work?
Certification can be obtained once a certification body has conducted an external audit. This is normally carried out in two stages: a documentation review (Stage 1) followed by an on-site assessment (Stage 2) in which auditors review the organization’s practices, policies, and procedures to determine whether the ISMS meets the requirements of the Standard.
A certificate is usually valid for three years, after which a recertification audit is required. During that period the organization must also conduct routine internal audits as part of its continual improvement process.
Once certified, the certification body will usually conduct an annual surveillance audit to confirm that the ISMS is still being maintained and remains compliant.
What is an ISMS (information security management system)?
An ISMS is a defined, documented management system consisting of a set of policies, processes, and systems that manage risks to organizational data so that information security risk is kept at an acceptable level. Ongoing risk assessments identify the security threats and vulnerabilities that need to be managed through a set of controls.
Having an established ISO 27001-compliant ISMS helps you manage the confidentiality, integrity, and availability of all corporate data in an optimized and cost-effective way.
To find out more about what an ISMS is, download our free PDF
ISO 27001 and risk management
Risk management forms the foundation of an ISMS. Routine risk assessments identify specific information security risks, and a risk treatment plan decides how each one is handled. ISO 27001 provides, in Annex A, a reference set of controls that can be applied to manage and reduce those risks.
ISO 27001 controls and requirements
Annex A of ISO 27001 lists 114 controls (grouped into 14 control sets and expanded on in ISO 27002) that provide a framework for identifying, treating, and managing information security risks. Organizations select the controls that are relevant to their assessed risks and must justify in a Statement of Applicability any that are excluded.
A summary of the ISO/IEC 27001:2013 controls
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operational security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Download our free infographic “The 14 control sets of Annex A” for more information
The management clauses of ISO/IEC 27001:2013
In addition to the controls, ISO 27001 comprises ten management system clauses that guide an ISMS's implementation, management and continual improvement. Clauses 1 to 3 are introductory; clauses 4 to 10 contain the mandatory requirements an organization must meet to be certified.
- 1, 2, and 3: Scope, normative references, and terms and definitions
- 4: Context of the organization
- 5: Leadership
- 6: Planning
- 7: Support
- 8: Operation
- 9: Performance evaluation
- 10: Improvement
ISO 27001 consulting services
In addition to training, software and compliance tools, IT Governance provides specialist ISO 27001 consulting services to support compliance with the Standard. This includes an ISO 27001 gap analysis and resource determination, scoping, risk assessments, strategy, and more.
Get help with your ISO 27001 certification project
Contact us today to speak to an advisor about your ISO 27001 requirements, including conducting an ISO 27001 gap analysis, training, supporting your risk management process, or fast-tracking your ISO 27001 compliance project.
Get in touch
How to implement ISO 27001
Implementing ISO 27001 entails a number of steps, typically:
- Scoping the project
- Obtaining senior leadership commitment to secure the necessary resources
- Conducting a risk assessment
- Implementing the required controls
- Developing the appropriate internal skills
- Creating policies and procedures to support your actions
- Implementing technical measures to mitigate risks
- Conducting awareness training for all employees
- Continually monitoring and auditing the ISMS
- Undertaking the certification audit
View our ISO 27001 compliance checklist and solutions
The benefits of ISO 27001 certification
ISO 27001 is a globally recognized information security standard, with more than 40,000 organizations certified. It helps organizations align their data security measures to an established and trusted benchmark.
Protect your data, wherever it lives
An ISO 27001-compliant ISMS helps protect all forms of information, whether digital, paper-based, or in the Cloud.
Defend against cyber attacks
Implementing and maintaining an ISMS helps reduce the likelihood and impact of cyber attacks and data breaches by ensuring that risks are identified, treated, and reviewed on an ongoing basis.
Reduce information security costs
Thanks to an ISMS's risk assessment and analysis approach, organizations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.
Respond to evolving security threats
ISO 27001-compliant organizations are more capable of responding to evolving information security risks due to the risk management requirements of the Standard.
Establish an information security culture
With ISO 27001 embedded in the organization’s culture, employees are more aware of information security risks, and security measures are wide-reaching across all facets of the organization.
Meet contractual obligations
Certification demonstrates your organization’s commitment to information security. It provides evidence that you have formally committed to complying with information security measures.
Ready to simplify your security? Let’s get started
Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.
How IT Governance can help you
- Our implementation methodology has been honed over 15 years
- We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
- We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
- We guarantee certification (provided you follow our advice!)
- You benefit from real-world practitioner expertise, not just academic knowledge
- We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide
- We’ve helped more than 800 consultancy clients achieve certification to and compliance with ISO 27001
- We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
- Our pricing and proposals are completely transparent, so you won’t get any surprises
- We can help small organizations prepare for ISO 27001 certification in three months
- We have a large selection of ISO 27001 free resources to assist you in your ISO 27001 implementation journey