What Is The Meaning of ISO 27001?

ISO 27001 is the leading international standard for information security. It provides a framework to help organizations manage risks to security and ensure compliance through an information security management system (ISMS). The standard requires organizations to conduct risk assessments and implement appropriate risk treatment controls across 14 security domains. Key requirements include defining security policies, roles and responsibilities, risk assessment and treatment processes, implementation of controls, monitoring, measurement, review and continual improvement of the ISMS. The overall goal is to protect the confidentiality, integrity and availability of information through a systematic, cost-effective approach.


What is the meaning of ISO 27001?

First, it is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information
technology — Security techniques — Information security management systems —
Requirements.”
It is the leading international standard focused on information security, published by the
International Organization for Standardization (ISO), in partnership with the International
Electrotechnical Commission (IEC). Both are leading international organizations that develop
international standards.

ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC
27000 series.

What is the purpose of ISO 27001?


ISO 27001 was developed to help organizations, of any size or any industry, to protect their
information in a systematic and cost-effective way, through the adoption of an Information
Security Management System (ISMS).

Why is ISO 27001 important?


Not only does the standard provide companies with the necessary know-how for protecting their
most valuable information, but a company can also get certified against ISO 27001 and, in this
way, prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in
this way, prove their skills to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world,
increasing business opportunities for organizations and professionals.

What are the 3 ISMS security objectives?


The basic goal of ISO 27001 is to protect three aspects of information:

• Confidentiality: only authorized persons can access the information.
• Integrity: the information is accurate and complete, and only authorized persons can change it.
• Availability: the information is accessible to authorized persons whenever it is needed.
What is an ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to
establish in order to:

1. identify stakeholders and their expectations of the company in terms of information
security
2. identify which risks exist for the information
3. define controls (safeguards) and other mitigation methods to meet the identified
expectations and handle risks
4. set clear objectives on what needs to be achieved with information security
5. implement all the controls and other risk treatment methods
6. continuously measure if the implemented controls perform as expected
7. make continuous improvement to make the whole ISMS work better
This set of rules can be written down in the form of policies, procedures, and other types of
documents, or it can be in the form of established processes and technologies that are not
documented. ISO 27001 defines which documents are required, i.e., which must exist at a
minimum.

Why do we need ISMS?


There are four essential business benefits that a company can achieve with the implementation of
this information security standard:

Comply with legal requirements – there is an ever-increasing number of laws, regulations, and
contractual requirements related to information security, and many of their information
security requirements can be addressed by implementing ISO 27001 – the standard gives you a
single methodology for identifying them (control A.18.1.1) and managing them.
Achieve competitive advantage – if your company gets certified and your competitors do not,
you may have an advantage over them in the eyes of those customers who are sensitive about
keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening
– and every incident, large or small, costs money. Therefore, by preventing them, your company
saves money, and the investment in ISO 27001 is typically smaller than the cost of the incidents
it averts.
Better organization – typically, fast-growing companies don’t have the time to stop and define
their processes and procedures – as a consequence, very often the employees do not know what
needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such
situations, because it encourages companies to write down their main processes (even those that
are not security-related), enabling them to reduce lost time by their employees.
How does ISO 27001 work?
The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the
information in a company. This is done by finding out what potential problems could happen to
the information (i.e., risk assessment), and then defining what needs to be done to prevent such
problems from happening (i.e., risk mitigation or risk treatment).

Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: find out
where the risks are, and then systematically treat them, through the implementation of security
controls (or safeguards). ISO 27001 requires a company to list all Annex A controls in a
document called the Statement of Applicability, stating for each whether it is applicable (with
a justification for inclusion or exclusion) and whether it is implemented.

What are the requirements for ISO 27001?


The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means
that all those requirements must be implemented in an organization if it wants to be compliant
with the standard. Controls from Annex A must be implemented only if declared as applicable in
the Statement of Applicability.
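The chain described above (risk assessment, risk treatment, Statement of Applicability, and the rule that an Annex A control binds only once it is declared applicable) in working form. This is an added illustration, not code from the article or from ISO; the five-point likelihood and impact scale, the acceptance threshold of 6, the risk register and the eight-control Annex A subset are all assumed inputs constructed for the example (a real ISMS lists all 114 controls and uses its own criteria).

```python
"""Risk assessment -> risk treatment -> Statement of Applicability (SoA).
Added illustration of the process the article describes; not code from the article
or from ISO. Scale, threshold, risk register and Annex A subset are assumed inputs.
"""
from dataclasses import dataclass

# Constructed subset of ISO/IEC 27001:2013 Annex A (a real SoA lists all 114 controls).
ANNEX_A = {
    "A.8.1.1": "Inventory of assets",
    "A.9.2.3": "Management of privileged access rights",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.1.4": "Protecting against external and environmental threats",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.14.2.5": "Secure system engineering principles",
}
ACCEPTANCE_THRESHOLD = 6  # assumed criterion: likelihood x impact (each 1..5) above 6 must be treated
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: tuple = ()  # Annex A controls selected when treatment == "mitigate"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment_problems(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Sanity checks on the risk treatment plan (clause 6.1.3); empty list means consistent."""
    problems = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if r.treatment not in TREATMENTS:
            problems.append(f"{tag}: unknown treatment option '{r.treatment}'")
        if r.score > threshold and r.treatment == "accept":
            problems.append(f"{tag}: score {r.score} exceeds {threshold} but is merely accepted")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{tag}: mitigation selected but no controls assigned")
        problems += [f"{tag}: control {c} is not an Annex A identifier" for c in r.controls if c not in ANNEX_A]
    return problems


def statement_of_applicability(risks, baseline, exclusions):
    """Derive the SoA: every Annex A control gets an applicability decision and a justification.
    Applicable if a risk treatment selects it or `baseline` names it (e.g. a legal or contractual
    driver); an exclusion needs a written reason; anything else is left undecided so the gap
    stays visible instead of being silently dropped."""
    soa = {}
    for cid in ANNEX_A:
        drivers = [f"{r.asset}: {r.threat}" for r in risks if cid in r.controls]
        if drivers:
            soa[cid] = {"applicable": True, "justification": "treats risk(s): " + "; ".join(drivers)}
        elif cid in baseline:
            soa[cid] = {"applicable": True, "justification": baseline[cid]}
        elif cid in exclusions:
            soa[cid] = {"applicable": False, "justification": exclusions[cid]}
        else:
            soa[cid] = {"applicable": None, "justification": "no decision recorded"}
    return soa


def soa_problems(soa, risks, exclusions):
    """Findings a certification audit would raise when comparing the SoA with the treatment plan."""
    findings = sorted(f"{c}: no applicability decision" for c, e in soa.items() if e["applicable"] is None)
    cited = {c for r in risks for c in r.controls}
    findings += sorted(f"{c}: excluded in SoA but selected by a risk treatment" for c in cited & set(exclusions))
    return findings


# Constructed sample risk register and SoA inputs.
RISKS = (
    Risk("customer database", "credential theft via weak admin logon", 4, 5, "mitigate", ("A.9.2.3", "A.9.4.2")),
    Risk("customer database", "ransomware destroys production data", 3, 5, "mitigate", ("A.12.3.1", "A.12.4.1")),
    Risk("backup media", "theft in transit", 2, 4, "transfer"),          # score 8: insured, bonded courier
    Risk("office printer", "paper jam halts printing", 5, 1, "accept"),  # score 5: within acceptance criteria
)
BASELINE = {"A.8.1.1": "the asset inventory is the input to the risk assessment itself"}
EXCLUSIONS = {
    "A.11.1.4": "all systems run in a colocation facility; site environmental controls are contractually the provider's",
    "A.12.4.1": "logging considered unnecessary",  # contradicts the ransomware treatment above
}

if __name__ == "__main__":
    print("treatment plan:", treatment_problems(RISKS) or "consistent")
    soa = statement_of_applicability(RISKS, BASELINE, EXCLUSIONS)
    for cid, entry in soa.items():
        print(f"{cid:9} {ANNEX_A[cid]:55} applicable={entry['applicable']}  {entry['justification']}")
    print("SoA findings:", soa_problems(soa, RISKS, EXCLUSIONS) or "none")
```

Running the file prints the treatment plan check, one SoA line per control, and three audit findings: two controls (A.10.1.1, A.14.2.5) for which no decision was ever recorded, and A.12.4.1, which a risk treatment selects while the exclusion list also names it. Undecided controls and contradictions between the SoA and the risk treatment plan are exactly what a certification auditor looks for when comparing the two documents.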

The requirements from sections 4 through 10 can be summarized as follows:

Clause 4: Context of the organization – defines requirements for understanding external and
internal issues, interested parties and their requirements, and defining the ISMS scope.
Clause 5: Leadership – defines top management responsibilities, setting the roles and
responsibilities, and contents of the top-level Information Security Policy.
Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of
Applicability, risk treatment plan, and setting the information security objectives.
Clause 7: Support – defines requirements for availability of resources, competencies, awareness,
communication, and control of documents and records.
Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as
controls and other processes needed to achieve information security objectives.
Clause 9: Performance evaluation – defines requirements for monitoring, measurement,
analysis, evaluation, internal audit, and management review.
Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective
actions, and continual improvement.
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The
sections cover the following:

A.5. Information security policies: The controls in this section describe how to handle
information security policies.
A.6. Organization of information security: The controls in this section provide the basic
framework for the implementation and operation of information security by defining its internal
organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of
information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the
organization’s control are hired, trained, and managed in a secure way; also, the principles of
disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information security assets (e.g.,
information, processing devices, storage devices, etc.) are identified, that responsibilities for their
security are designated, and that people know how to handle them according to predefined
classification levels.
A.9. Access control: The controls in this section limit access to information and information
assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption
solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized
access to physical areas, and protect equipment and facilities from being compromised by human
or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including
operating systems and software, are secure and protected against data loss. Additionally, controls
in this section require the means to record events and generate evidence, periodic verification of
vulnerabilities, and make precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure
and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that
information security is taken into account when purchasing new information systems or
upgrading existing ones, and that security is built into in-house development (secure
development policy, system engineering principles, change control, and security testing).
A.15. Supplier relationships: The controls in this section ensure that outsourced activities
performed by suppliers and partners also use appropriate information security controls, and they
describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a
framework to ensure the proper communication and handling of security events and incidents, so
that they can be resolved in a timely manner; they also define how to preserve evidence, as well
as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this
section ensure the continuity of information security management during disruptions, and the
availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory,
regulatory, and contractual breaches, and audit whether information security is implemented and
is effective according to the defined policies, procedures, and requirements of the ISO 27001
standard.
A closer look at these domains shows us that managing information security is not only about IT
security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection,
managing human resources, physical protection, etc.

What are the ISO 27001 controls?


The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce
risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.

How many controls are there in ISO 27001?


ISO 27001 Annex A lists 114 controls organized in the 14 sections numbered A.5 through A.18
listed above.

How do you implement ISO 27001 controls?


Technical controls are primarily implemented in information systems, using software, hardware,
and firmware components added to the system. E.g. backup, antivirus software, etc.
Organizational controls are implemented by defining rules to be followed, and expected
behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD
Policy, etc.
Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce
the laws, regulations, contracts, and other similar legal instruments that the organization must
comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.
Physical controls are primarily implemented by using equipment or devices that have a physical
interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.
Human resource controls are implemented by providing knowledge, education, skills, or
experience to persons to enable them to perform their activities in a secure way. E.g. security
awareness training, ISO 27001 internal auditor training, etc.
ISO 27001 mandatory documents
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented
information that are needed to become compliant.

ISO 27001 requires the following documents to be written:

• Scope of the ISMS (clause 4.3)
• Information Security Policy and Objectives (clauses 5.2 and 6.2)
• Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk Treatment Plan (clauses 6.1.3 e and 6.2)
• Risk Assessment Report (clause 8.2)
• Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
• Inventory of Assets (control A.8.1.1)
• Acceptable Use of Assets (control A.8.1.3)
• Access Control Policy (control A.9.1.1)
• Operating Procedures for IT Management (control A.12.1.1)
• Secure System Engineering Principles (control A.14.2.5)
• Supplier Security Policy (control A.15.1.1)
• Incident Management Procedure (control A.16.1.5)
• Business Continuity Procedures (control A.17.1.2)
• Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
And these are the mandatory records:

• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal Audit Program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.

To see a more detailed explanation of each of these documents, download the free white
paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
What is “ISO 27001 certified”?
A company can go for ISO 27001 certification by inviting an accredited certification body to
perform the certification audit and, if the audit is successful, to issue the ISO 27001 certificate to
the company. The certificate attests that the company's ISMS, within the scope stated on the
certificate, conforms to the requirements of ISO 27001; that scope is worth reading, because a
certificate covering one site or service says nothing about the rest of the organization.

An individual can go for ISO 27001 certification by going through ISO 27001 training and
passing the exam. This certificate will mean that this person has acquired the appropriate skills
during the course.

How long is ISO 27001 valid for once certified?


Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of
three years, during which the certification body will perform surveillance audits (typically
annual) to evaluate whether the organisation is maintaining the ISMS properly and whether
required improvements are being implemented in due time. Before the three years expire, a
recertification audit is needed to renew the certificate.

Which companies are ISO 27001 certified?


The ISO.org website provides a general overview of certified organizations, categorized by
industry, country, number of sites, etc. You can find the ISO Survey at this
link: https://www.iso.org/the-iso-survey.html.
To check if a particular company is ISO 27001-certified, you have to contact the certification
body, because there is no official centralized database of certified companies.

What are the ISO 27000 standards?


Because it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO
27000 family of standards. But, because it mainly defines what is needed, but does not specify
how to do it, several other information security standards have been developed to provide
additional guidance. Currently, there are more than 40 standards in the ISO27k series, and the
most commonly used ones are as follows:

ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.
ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001
Annex A. It can be quite useful, because it provides details on how to implement these controls.
ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well
with ISO 27001, because it explains how to determine whether the ISMS has achieved its
objectives.
ISO/IEC 27005 provides guidelines for information security risk management. It is a very good
supplement to ISO 27001, because it gives details on how to perform risk assessment and risk
treatment, probably the most difficult stage in the implementation.
ISO/IEC 27017 provides guidelines for information security in cloud environments.
ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments.
ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for
Information and Communication Technologies (ICT). This standard is a great link between
information security and business continuity practices.

What is the current version of ISO 27001?


As of the publication date of this article, the current version of ISO 27001 is ISO/IEC
27001:2013.

The first version of ISO 27001 was released in 2005 (ISO/IEC 27001:2005), the second version
in 2013, and the standard was reviewed in 2019, when the 2013 version was confirmed (i.e.,
no changes were needed). A third edition, ISO/IEC 27001:2022, has since been published
(October 2022); it restructures Annex A into 93 controls grouped in four themes
(organizational, people, physical, technological), so the 14 domains, 114 controls and A.x.y.z
numbering used throughout this article refer to the 2013 edition.

It is important to note that different countries that are members of ISO can translate the standard
into their own languages, making minor additions (e.g., national forewords) that do not affect the
content of the international version of the standard. These “versions” have additional letters to
differentiate them from the international standard, e.g., NBR ISO/IEC 27001 designates the
“Brazilian version,” while BS ISO/IEC 27001 designates the “British version.” These local
versions of the standard also contain the year when they were adopted by the local
standardization body, so the latest British version is BS EN ISO/IEC 27001:2017, meaning that
ISO/IEC 27001:2013 was adopted by the British Standards Institution in 2017.

What is the difference between ISO 27001 and 27002?


ISO 27001 defines the requirements for an Information Security Management System (ISMS),
while ISO 27002 provides guidance on the implementation of controls from ISO 27001 Annex A.

In other words, for each control, ISO 27001 provides only a brief description, while ISO 27002
provides detailed guidance.

What is the difference between NIST and ISO 27001?


While ISO 27001 is an international standard, NIST is a U.S. government agency that promotes
and maintains measurement standards in the United States – among them the SP 800 series, a set
of documents that specifies best practices for information security.

Although they are not the same, the NIST SP 800 series and ISO 27001 can be used together for
implementation of information security.
Is ISO 27001 mandatory?
In most countries, implementation of ISO 27001 is not mandatory. However, some countries have
published regulations that require certain industries to implement ISO 27001.

To determine whether ISO 27001 is mandatory or not for your company, you should look for
expert legal advice in the country where you operate.

ISO 27001 can also become a contractual obligation: public and private organizations can
define compliance with ISO 27001 as a requirement in their contracts and service agreements
with their providers. Further, as mentioned above, countries can pass laws or regulations
turning the adoption of ISO 27001 into a legal requirement for organizations operating in
their territory.

What are the costs roughly?


Nevertheless, we eventually end up with an estimate for how much ISO 27001 may cost in
their particular environment.  While we spend a lot of time drilling down on the areas
highlighted above, we also draw extensively on experiences over the last 3 or 4 years taking
clients through the certification process.
Looking across these projects an “average” customer looks about like this:

• 75 employees
• Processes sensitive data subject to PII/PHI laws and regulations
• Co-locates its services at two disparate data centers
• Provides software (SaaS) integral to its service offering
• Has a control environment that, while previously subject to external review, would still be
best referred to as immature and not fully documented; i.e., a Capability Maturity Model (CMM)
level of 2
• Has a “CSO” that is very technical but is not well versed in ISO 27001/ISO 27002 (i.e., a
CISSP rather than a CISA or CISM)
• Is experiencing pressure from clients for third-party attestation – often specifically asking
for ISO 27001 certification
• Needs to achieve a certificate (without overly disrupting “business as usual”) in a 12-month
time frame
• Requires a fair degree of ISO 27001 consulting to prep for the certification audit
Assuming the above more or less holds true, the “external” costs to become ISO 27001
certified may look as follows:

• Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment
Plan, Gap Assessment, Phase II Remediation Plan)
• Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection,
ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS
Audit, On-site Certification Audit Support)
• Certification Audit: $10,000
• Total cost for ISO 27001 certificate: $48,000


Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to
maintain your certificate.  You will also need to conduct an Internal ISMS Audit each year –
which the “average” company usually outsources to a third party. So, figure your year 2 and
year 3 costs are likely to be as follows:

• Surveillance Audit: $7,500
• Internal ISMS Audit: $7,000

A word of caution – your costs may vary notably.  We have clients that have spent as
little as $5,000 and as much as $70,000 on pre-certification consulting.  As an FYI, I used
$1,500 per man-day in my estimates, as I have seen rates anywhere between $1,400 and
$1,800 for a “true” ISO-27001 consultant.
