Understanding ISO 27001: The Gold Standard for Information Security Management

ISO 27001 Explained: Securing Information Effectively

In this article, you’ll be introduced to the BS EN ISO/IEC 27001 Information Security standard. We will cover what the standard is, its purpose, benefits and why it could make a difference to your organisation.

In this article we will cover:

  • What is the meaning of ISO 27001?
  • What is the purpose of ISO 27001?
  • What are the benefits of ISO 27001?
  • How to achieve ISO 27001 compliance
  • ISO 27001:2013 and ISO 27001:2017, what are the differences?

 

What is the meaning of ISO 27001?

ISO 27001 is an internationally recognised standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for an Information Security Management System (ISMS), and following it helps your organization identify, assess and treat its information security risks. The aim is to reduce risks to the confidentiality, integrity and availability of the organization's information; these three properties are often referred to as the CIA triad.

Implementing ISO 27001 puts your organization on the path to establishing, operating and continually improving an ISMS. As part of certification you must assess the risks to your organization's information, decide how each risk will be treated, and implement the policies, procedures and controls needed to manage the risks you have identified.

An ISMS, then, is a defined set of policies, processes and controls for handling sensitive information. It also sets out what to do when something goes wrong, so that the organization can quickly establish what happened, contain the impact and decide what must change to reduce the chance of a recurrence.

What is the purpose of ISO 27001?

News of organizations suffering data breaches, and then struggling with the loss of customer data, customer confidence and regulatory fines, is now routine. The General Data Protection Regulation (GDPR) has raised the stakes further: in the UK the Information Commissioner's Office (ICO) has the power to levy substantial fines on non-compliant organizations.

Aside from the financial consequences of a breach, ISO 27001 certification sends a strong message to customers that you take their security and their rights seriously: an independently certified ISMS is evidence that the organization manages its risks rather than merely reacting to incidents. The ISMS that a compliant organization builds lets it be proactive about information security risks, reducing the likelihood and impact of breaches and giving existing and potential customers confidence.

History of ISO 27001

ISO 27001 is published jointly by the ISO and the International Electrotechnical Commission (IEC). The standard traces back to BS 7799, published by the British Standards Institution (BSI) in 1995 and originally written by the UK Department of Trade and Industry (DTI). BS 7799 Part 2, which specified the management system itself, was adopted by ISO/IEC as ISO/IEC 27001 in 2005 and revised in 2013. The edition this article describes is BS EN ISO/IEC 27001:2017, the European adoption of that 2013 text.

What are the benefits of ISO 27001?

There are a huge number of benefits to achieving ISO 27001 compliance for all organizations, including SMEs, MNCs and charitable organizations. The benefits are outlined below.

 

  • ISO 27001 helps you reduce information security and privacy risks and breaches.
  • Certification demonstrates compliance with regulations and a commitment to continually improving information security practices.
  • Achieving certification reduces the cost and time spent dealing with information security incidents, because roles, procedures and responses are defined before a crisis occurs.
  • ISO 27001 compliance helps boost your organization’s reputation to gain an edge over competitors and win new customers.

How to achieve ISO 27001 compliance?

From a high-level perspective, achieving ISO 27001 certification means demonstrating that you have implemented an ISMS that meets the requirements of the standard. Certification is issued only by an accredited certification body (in the UK, one accredited by UKAS), whose auditors are, broadly speaking, assessing how well the ISMS protects the three properties of information security:

  • Information confidentiality: whether adequate access controls are in place to prevent unauthorized disclosure.
  • Information integrity: whether information is protected from unauthorized or accidental modification or destruction.
  • Information availability: whether authorized users and systems can access the information when it is needed.

Understanding the expectations of certification audits from a high-level perspective sets the tone for implementing security controls. It’s easy to understand that a certification body is assessing an ISMS’s practices, policies and procedures against the established standards of ISO 27001.

Despite the simplicity of looking at ISO 27001 certification from a high-level perspective, the intricate details of certification can be pretty daunting at first. The standard has two main ‘parts’ organizations must go through:

Part one: Eleven clauses (0 to 10)

The core of ISO 27001 consists of eleven clauses, numbered 0 to 10. The first four, clauses 0 to 3, set the scene rather than impose requirements: the introduction, the scope of the standard, its normative references, and terms and definitions. The remaining seven clauses are where the requirements live:

  • Clause 4: Context of the organization, including the scope of the ISMS
  • Clause 5: Leadership
  • Clause 6: Planning, including risk assessment and risk treatment
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

Clauses 4 to 10 are mandatory for certification: an organization cannot exclude any of them, and together they specify the processes, documents and policies the ISMS must have in order to function as a compliant system.

Part two: Annex A

The second part is Annex A, a catalogue of 114 security controls grouped into 14 categories (in the 2013/2017 edition) that organizations use to treat the risks they have identified. Annex A is arguably the most notorious annex of any ISO standard because of its length, which can make it seem intimidating at first. In practice, however, the controls are not a checklist: each control is selected or excluded on the basis of your risk assessment, and that decision is recorded with a justification in the Statement of Applicability required by clause 6.1.3. With Digital Octopii by your side, that selection is a much easier process than it may initially seem.

To introduce the Annex A controls, the 14 overall categories are broken down below.

 

  1. Annex A.5: Information security policies
  2. Annex A.6: Organisation of information security
  3. Annex A.7: Human resource security
  4. Annex A.8: Asset management
  5. Annex A.9: Access control
  6. Annex A.10: Cryptography
  7. Annex A.11: Physical and environmental security
  8. Annex A.12: Operations security
  9. Annex A.13: Communications security
  10. Annex A.14: System acquisition, development and maintenance
  11. Annex A.15: Supplier relationships
  12. Annex A.16: Information security incident management
  13. Annex A.17: Information security aspects of business continuity management
  14. Annex A.18: Compliance
ISO 27001:2013 and ISO 27001:2017, what are the differences?

Suppose you’ve been looking at achieving ISO 27001 compliance for your organisation. You may have noticed two recent versions of the standard, ISO 27001:2013 and ISO 27001:2017. So, what is the difference?

 

The version this article describes is BS EN ISO/IEC 27001:2017. The 2017 designation does not come from ISO and IEC: it marks the adoption of ISO/IEC 27001:2013 by CEN/CENELEC as a European Standard (EN), published in the UK by BSI with the BS EN prefix. The 2017 text is the 2013 text with its two technical corrigenda (2014 and 2015) incorporated, so it introduces no new requirements, and an organization certified against either edition has met the same requirements. Note that ISO/IEC 27001:2022 has since been published and supersedes the 2013 edition; it restructures Annex A into 93 controls across four themes, and certification bodies run a transition period during which 2013/2017 certificates remain valid, so check with your certification body which edition your audit will be conducted against.