
Why does an organisation need ISO 27001?

Typically, ISO 27001 sets out procedures and rules you need to follow to comply and obtain certification. Certification provides you with credibility among your stakeholders and helps you gain a competitive advantage. If you want to learn more about ISO 27001, read our complete guide on ISO 27001.


What is an ISMS and why is it important?

An ISMS is a system of processes and technology that helps an organisation manage and protect its information. It shapes the organisation's data privacy and data management structure and allows it to identify risks to that information, such as data breaches. If you want to learn more about ISMS, read our comprehensive guide on ISMS.

An up-to-date ISMS is necessary to meet the ISO 27001 requirements, and at a time when information security is becoming increasingly important, having one will help you navigate the world of data privacy with a greater level of understanding.

To start implementing an ISMS, an organisation needs to understand the requirements of ISO 27001 and its own context. All aspects and criteria are essential when complying with ISO 27001.


So what are the ISO 27001 requirements?

Having looked at the fundamental considerations of adopting the ISO 27001 standard and the purpose behind implementing an ISMS, let's look at what the requirements are, in the form of clauses of the ISO 27001 standard.

Note that these requirements must be met not only when preparing for the ISO 27001 certification process but continuously afterwards: the aim is not just to gain the certificate but to establish a strong information security policy.

Clause 4: Context of the organisation

4.1 - Understanding the organisational context

This clause is the foundation of an organisation's ISO 27001 implementation. Seemingly self-explanatory, it requires the organisation to understand the setting in which it operates.

4.2 - Understanding the needs and expectations of interested parties

This requirement builds on the organisational context: once Clause 4.1 and the goals of the organisation are understood, its potential stakeholders (interested parties) can be identified.

4.3 - Determining the scope of the ISMS

This step involves defining the scope of the ISMS, tailored specifically to the organisation. This is important as stakeholders will be able to understand what areas are and are not protected by the ISMS.

4.4 - Information Security Management System

This is where an organisation implements the ISMS. Once implemented, the organisation is required to continuously update and improve the system all while providing adequate training to employees.


Clause 5: Leadership

5.1 - Leadership & commitment

Senior management and C-level executives are expected to show genuine commitment to, and interest in, information security. By adopting it themselves, they lead junior management by example.

5.2 - Information security policy

Senior management and C-level executives are expected to create an information security policy. The policy document itself may be easy to create; what matters is its content and how it relates to the ISMS, as this document is what gives stakeholders the confidence to trust the organisation with their information.

5.3 - Organisational roles, responsibilities & authorities

When implementing an ISMS, senior management and C-level executives are expected to ensure that roles, responsibilities and authorities are assigned appropriately among employees.

Clause 6: Planning

6.1 - Actions to address risks and opportunities

Risk management plays a vital role in ISO 27001. Through risk management and risk assessment within the ISMS, organisations are able to identify risks and opportunities and assess the organisation's requirements.

6.2 - Information security objectives & planning to achieve them

Information security underpins an organisation's success and can be leveraged as a competitive advantage. That's why an organisation needs to know why it is implementing an ISMS, so that processes become quicker and more transparent along the way and remain in line with its organisational goals.

Clause 7: Support

7.1 - Resources

An organisation must allocate adequate resources to complying with ISO 27001. Beyond the roles described in clause 5.3, it is not compulsory to dedicate staff continuously to updating, maintaining and improving the ISMS, but resources must be placed where they are needed.

7.2 - Competence

ISO 27001 requires that staff handling processes related to the ISMS have the relevant knowledge and receive continuous training, so that they remain competent in the standard and in information security as a whole.

7.3 - Awareness

Staff handling processes related to the ISMS and ISO 27001 must be aware of, and kept continuously updated on, the organisation's information security policy. This includes the benefits of the ISMS, the methods of identifying risks and opportunities through risk assessment and risk management, and the consequences of errors if the ISMS fails to meet the organisation's security policy requirements.

7.4 - Communication

Staff handling processes related to the ISMS and ISO 27001 must understand the terminology used in information security, such as that of the UK GDPR, the ISMS, ISO 27001 and other security standards, and must know with whom they need to communicate and how they should communicate.

7.5 - Documented information

ISO 27001, like other ISO standards, is stringent about the legitimacy and accuracy of the documentation an organisation produces and presents.

Clause 8: Operation 

8.1 - Operational planning & control

It's important that an organisation has structured processes in place before and while implementing an ISMS and ISO 27001, such as those described above in clauses 6.1, 6.2 and 7.5. This provides the basis for efficient processes and a clear path to success.

8.2 - Information security risk assessment

A security risk assessment identifies and evaluates information security risks and the controls needed to treat them. It also focuses on preventing security weak spots in applications. These assessments must be performed at regular intervals, as the ISMS and the information security policy may change over time.

8.3 - Information security risk treatment

Avoiding, optimising (reducing), transferring or retaining the risk are the available risk treatment options. The measures used to treat a risk can be chosen from the list of security controls used by the organisation's ISMS.

Clause 9: Performance evaluation

9.1 - Monitoring, measurement, analysis, and evaluation

If an organisation is looking to become ISO 27001 certified, an information security auditor from a certification body accredited by UKAS (United Kingdom Accreditation Service) will review the established information security processes and controls, ISMS maintenance, and overall ISO 27001 compliance. An organisation is therefore required to continually monitor, measure, analyse and evaluate its ISMS.

9.2 - Internal audit

An organisation must conduct internal audits on a regular basis to ensure that the ISMS abides by the organisation's information security policy and meets the requirements of the ISO 27001 standard to become certified.

9.3 - Management review

Senior management and C-level executives are required to conduct management reviews at regular intervals throughout the year. These reviews should identify areas for improvement in your organisation's ISMS and in its overall ISO 27001 compliance.

While the reviews may only be required once or twice a year, it's advisable for your organisation to perform management reviews more regularly, because threat actors and their toolkits evolve constantly.

Clause 10: Improvement

10.1 - Nonconformity and corrective action

If a nonconformity is spotted within the ISMS, the action that follows is a crucial part of ISMS improvement in an organisation. Both the nonconformity and the corrective action that followed must be documented.

10.2 - Continual improvement

An ISMS relies heavily on continual improvement to achieve and maintain the adequacy and effectiveness of information security with respect to the organisation's objectives.

If an organisation complies with the above clauses and makes information security an important aspect of the organisation, this will play a vital role in obtaining ISO 27001 certification.

Although it's essential to comply with all the above requirements, it's not essential to implement every ISO 27001 control. A crucial aspect of ISO 27001, apart from its requirements, is assessing exactly which controls apply to a specific organisation.

What are ISO 27001 controls and how are they relevant to your organisation?

ISO 27001 controls are listed in Annex A of the standard, so they are referred to as Annex A controls. Annex A comprises 114 information security controls and objectives under 14 categories that organisations need to consider when complying with ISO 27001 and implementing their ISMS.

The 14 categories of Annex A are:

  • Information security policies

  • Organisation of information security

  • Human resources security

  • Asset management

  • Access control

  • Cryptography

  • Physical and environmental security

  • Operational security

  • Communications security

  • Systems acquisition, development and maintenance

  • Supplier relationships

  • Information security incident management

  • Information security aspects of business continuity management

  • Compliance

ISO 27001 Annex A is the most well-known annex of all ISO standards, as it offers an important tool for managing information security risks. If you want to learn more about ISO 27001: Annex A controls, read our comprehensive blog that breaks down the Annex A controls and provides a deeper understanding of how controls work within the ISO 27001 standard.

Annex A can also be thought of as a portfolio of information security controls from which you can choose: pick the measures among the 114 listed in Annex A that are relevant to your organisation's environment. Once these controls have been selected for your organisation, you can start preparing the ISMS documentation.


What documents do you need to comply with ISO 27001?

Documentation is a crucial part of complying with the ISO 27001 standard, as regular audits are carried out by external parties such as UKAS-accredited certification bodies. When an organisation undergoes an audit, the external auditors need proof of every part of the ISO 27001 and ISMS implementation, which should be shown through documentation.

The mandatory documents required for ISO 27001 are:

  • 4.3 The scope of the ISMS

  • 5.2 Information security policy

  • 6.1.2 Information security risk assessment process

  • 6.1.3 Information security risk treatment plan

  • 6.1.3 The Statement of Applicability

  • 6.2 Information security objectives

  • 7.2 Evidence of competence

  • 7.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS

  • 8.1 Operational planning and control

  • 8.2 Results of the information security risk assessment

  • 8.3 Results of the information security risk treatment

  • 9.1 Evidence of the monitoring and measurement of results

  • 9.2 A documented internal audit process

  • 9.2 Evidence of the audit programmes and the audit results

  • 9.3 Evidence of the results of management reviews

  • 10.1 Evidence of the nature of the non-conformities and any subsequent actions taken

  • 10.1 g) Evidence of the results of any corrective actions

Each of these documents corresponds to one of the ISO 27001 requirements outlined above. Each criterion must be met and documented so that the organisation can present the evidence during external audits.

Clause 6.1.3, the Statement of Applicability, is one of the main documents that fall under clause 6.1, Actions to address risks and opportunities.


What is the Statement of Applicability (SoA)?

When starting to implement ISMS controls and measures, you will come across the SoA, which is mandatory and acts as the main link between risk assessment and risk treatment in an organisation.

The SoA is required by clause 6.1.3 of ISO 27001, part of the wider 6.1 requirements on actions to address risks and opportunities, and it is one of the first things an external auditor looks at when performing an audit. If you want to learn more about the SoA, read our article on the Statement of Applicability in ISO 27001.

Using the SoA, an organisation may determine which ISO 27001 controls and policies are currently in place and compare them to the ISO 27001 Annex A controls.


How DataGuard can help you get ISO 27001 certified

Now that you understand ISO 27001, you can start implementing it. An ISO 27001 certification proves to your stakeholders that your organisation takes information security seriously.

It reduces uncertainty and the risks of having a compromised system, and enables your organisation to operate in an increasingly volatile cyberspace with the peace of mind that you are doing what you can to mitigate the risks of operating in a technical world.

Need help understanding ISO 27001 requirements and preparing for ISO 27001 compliant ISMS implementation? Schedule a call with our information security experts today. 
