ISO 27001


Overview

ISO 27001, Information Security Management Systems, is an international standard for information security. Its best-practice approach helps organisations manage their information security by addressing people, processes, and technology.

ISO 27001 sets out the specification for an information security management system (ISMS) and consists of two parts:

  1. The first part contains the mandatory requirements, which focus on ensuring that an Information Security Management System (ISMS) has been developed. An ISMS includes a range of policies and supporting standards, objectives, resource support and governance programs such as reviewing security controls, managing non-compliance and ensuring continual improvement. This part has a strong focus on ensuring that the board and top-level management provide appropriate support to the ISMS.
  2. The second part, called Annex A (also published as ISO 27002), is the list of controls that auditors use to measure an organisation applying for certification. During the audit process the organisation stipulates which controls are in scope of its ISMS in a document called the Statement of Applicability (SoA); typically most of them are.

The ISO/IEC 27000 family of standards is developed and maintained by a group of experts in the field working under a joint technical committee called JTC 1. JTC 1 is the standards development environment where experts come together to develop worldwide Information and Communication Technology (ICT) standards for business and consumer applications. The standards in the ISO 27000 family propose a risk-based approach to managing information security. Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to become certified to reassure customers and clients that its recommendations have been followed. ISO itself does not perform certification; accredited third parties provide certification services.

Breakdown of requirements

15 sections, 35 sub-sections, 114 controls

Best suited for

Any business that wishes to implement a risk-based security program and/or achieve ISO 27001 certification.

Can a business be certified or assessed against this standard?

Businesses can pay for an independent review of their information security program to achieve certification against this standard. Certifications last for 3 years and require a surveillance assessment to be conducted in year 1 or 2.

Who can assess or audit a business against this standard?

Accredited ISO certification providers

Governed by

International Organization for Standardization (ISO)

Region focus

Global

How can Assuredly help you align to this standard or framework?

By conducting an InfoSecAssure ISO 27001 Assessment, companies can instantly access maturity scores against every requirement set out by this standard, get automatically suggested action plans, and access a broad range of tools and templates to uplift the controls required to achieve certification.

Discover the power of InfoSecAssure, your ally in safeguarding your business. The platform offers expert guidance throughout the ISO 27001 assessment process: clear insight into each control requirement, efficient control testing, and a precise view of the evidence an auditor will look for. Instant dashboard feedback shows where you stand, and detailed reports align findings with risks and controls. Join InfoSecAssure today to secure your business and support its success.

Book a free demonstration or talk to one of our team today to uncover how we can help ensure you align to standards while also understanding your risks and knowing what action to take to keep your business secure.