
IT GOVERNANCE | GREEN PAPER

Information Security and ISO 27001

An introduction

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | APRIL 2021

Introduction

In today’s information economy, it is extremely likely that many of your organisation’s most critical assets are in digital form. Unfortunately, the convenience of the digital world comes with a downside: the cyber security risks that are a constant fixture in the news. Because these assets are both valuable and potentially vulnerable, you should strive to protect them.

Taking a proactive approach to information security and cyber security will allow your organisation to protect its data and intellectual capital. It will also help you comply with data protection and cyber security laws across the globe, including the EU and UK General Data Protection Regulations (EU GDPR and UK GDPR), Data Protection Act (DPA) 2018 and Network and Information Systems (NIS) Regulations 2018.

To protect confidential and sensitive information – and to be seen to be protecting it – more and more organisations are becoming certified to ISO 27001, which provides the specification for a best-practice information security management system (ISMS). ISO 27001 describes specific controls to secure your information and information systems, which will help you comply with data protection laws around the world, and other legal or contractual requirements for information security and cyber security.

Furthermore, organisations seeking contracts with governments or large corporate clients will increasingly find ISO 27001 to be a prerequisite for doing business. Certification is seen as a powerful assurance of your commitment to meet your security and data privacy obligations to customers and business partners, although simply achieving compliance is already a very good start.

This paper will help you understand how ISO 27001 works, highlight some key implementation points, and explore the benefits of implementing an ISMS and achieving certification to the Standard.

Information security fundamentals – not just technology

Most people think of information security as a technology issue. They believe that anything to do with securing data or protecting computers from cyber threats is something that only technology specialists – and specifically computer security professionals – can deal with. This could not be further from the truth.

Within any organisation, information security decisions should be made by management, not the IT team – these decisions are, after all, related to business risks. An ISMS specifically recognises that the decision-making responsibility should sit with senior management, and that the ISMS should reflect their choices and provide evidence as to how effective the implementation has been.

However, security responsibilities lie not just with senior management, but with every member of staff. All employees are a vital part of your defence, but may present a significant vulnerability if you do not train them, particularly since criminals are leaning towards phishing attacks, according to the Verizon 2020 Data Breach Investigations Report.1 A mandatory staff awareness programme, along with documented policies and procedures setting out responsibilities for protecting the organisation’s information, can prove invaluable, helping mitigate the risk of a breach and guiding staff in specific situations (including how to report a phishing email). Well-communicated policies and procedures also clearly demonstrate your organisation’s standpoints on security, which can in turn help embed a security culture.

The implication for an ISMS project is that it need not be led by a technology expert. In fact, there are many circumstances in which that could prove counterproductive. ISMS implementation projects are often led by quality managers, general managers, or other executives who are in a position to develop something that has organisation-wide influence and importance.
ISO 27001 and ISO 27002

The ISO 27000 family of standards offers a set of specifications, codes of conduct and best-practice guidelines for organisations to ensure strong information security management. Of primary interest are ISO 27001 and ISO 27002.

ISO 27001 is a technology-neutral, vendor-neutral information security management standard that offers the specification for an effective ISMS – it states what is expected of an ISMS. This means that, in order to achieve certification or to pass an audit, your ISMS must conform to these requirements.

ISO 27002, meanwhile, provides the code of conduct – recommended best practices for selecting and implementing controls. Essentially, ISO 27002 is designed to assist with effective ISO 27001 implementation.

Both standards are the essential starting point for an information security project.

More standards in the ISO 27000 family

Although ISO 27001 and ISO 27002 are the key standards, there are many others that enable you to extend your ISMS in various ways, including:

• ISO 27005
ISO 27005 provides guidance for information security risk management in line with ISO 27001, helping organisations take a risk-based approach to information security.

• ISO 27018
Aligned to ISO 27002, ISO 27018 offers guidance on protecting personal data in the Cloud as a data processor.

• ISO 27701
ISO 27701 defines extra requirements for an ISO 27001 ISMS to cover data privacy, recognising that information security is a key aspect of effective privacy management.

Linking to other management systems

The International Organization for Standardization (ISO) is recognised internationally as an authority on management systems and best practice. The ISO 27000 family is not the only set of international standards it offers – it has, for instance, also published ISO 9001 and ISO 14001, the international standards for quality and environmental management, respectively.

Organisations that have already implemented another ISO management system will have a head start if they want to implement ISO 27001 – not just because they have gained valuable experience when it comes to implementing, maintaining, continually improving and auditing a management system, but because all those standards follow the same high-level structure and core text, and have established common terms and definitions. The standardised structure allows organisations to develop an ‘integrated management system’ that incorporates the requirements of each standard, streamlining day-to-day operation.
Implementing an ISO 27001 ISMS

IT Governance takes a nine-step approach to implementing an ISMS, which is discussed in more detail in Nine Steps to Success – An ISO 27001 Implementation Overview. Here, we highlight some key points to consider as you implement an ISO 27001-compliant ISMS, which are also relevant for other management systems.

Governance

ISO 27001, as with many other management system standards, requires top management to demonstrate its commitment to the ISMS. Securing that commitment will help embed information security as part of the organisational culture and ensure the necessary resources to make the project a success will be available.

This requirement clearly ties into governance: the board of directors or executive managers are responsible for managing the business and controlling the risks. Information and information processing assets may present risks that can seriously impact business, so IT – and information security – governance is as vital as any other kind.

Risk assessment

One of the most important elements of information security is risk assessment. Failing to assess risks in a structured manner will make it hard to know and understand exactly what risks your organisation faces, making it difficult to put effective security measures in place.

It is also important to realise that every organisation has unique requirements, as they are determined by its specific business model, objectives, unique selling points and culture, as well as its risk appetite – something that one organisation sees as a threat, another might see as an opportunity. Similarly, one organisation may be less prepared to invest in defences against an identified risk than another. For this and other reasons, every organisation that implements an ISMS must do so based on the results of an information security risk assessment whose methodology, findings and recommendations have been approved by top management.

Documenting the management system

One of the most time-consuming parts of an ISMS implementation project is developing the documentation that sets out how the management system works, as well as the documentation explicitly required by the Standard.

There are a number of approaches, from using external consultants to tackling it yourself. The major argument for doing most of the drafting yourself (apart from avoiding or reducing consultancy costs) is that you will develop a much greater depth and awareness of how to implement and maintain security. By developing expertise and experience, perhaps with the help of some training, any further such projects can be dealt with quicker and with a greater degree of confidence.

Without previous experience, developing all the documentation required yourself can be a daunting task. The templates contained in our ISO 27001 documentation toolkit will give you a head start and help avoid trial-and-error dead ends.
Continual improvement
An ISMS project can be complex, and implementation may well take many months or,
in some cases, years. ISO 27001 does not mandate specific project stages, but you
need to establish a continual improvement process, as the Standard requires evidence
of continual improvement. We recommend doing this early in the project to embed
the process and generate evidence that your ISMS is working effectively.

One common methodology is the Plan-Do-Check-Act (PDCA) model, which improves business processes by means of a continuous feedback loop. First, you plan what you intend to do, then execute (or do) that plan. Next, you check the performance of your new arrangements and decide if they are achieving what you had intended or can be further enhanced. Finally, you act upon those decisions, beginning another PDCA cycle as you implement the improvements.

Once controls, processes, etc. are implemented, their performance must be measured. Comparing these measurements against what was intended will identify any deviations or improvement opportunities. These can then be reported to management for a decision regarding the correct action to take.
The market value of ISO 27001 certification

An ISO 27001-compliant ISMS will help you protect your organisation’s data, as well as meet relevant contractual and legal requirements. Both points make implementing ISO 27001 a financially prudent decision. However, merely implementing an ISMS does not offer the distinct market value that achieving ISO 27001 certification would.

ISO 27001 certification is valuable and visible proof of your organisation’s willingness to meet internationally accepted data and information security standards. Achieving this certification is not simply marketing: as well as complying with data protection and cyber security laws in the UK and globally, the ability to prove that your organisation complies with the Standard is likely to open worldwide business opportunities, as it is an increasingly common contractual requirement.

It should be noted that many markets have already shown a desire for ISO 27001 certification, with more than 36,000 organisations worldwide having achieved certification as of December 2019.2

What about certifying to ISO 27002?

It is possible for an organisation to follow the guidance from ISO 27002 because the good practice identified is universally applicable. However, ISO 27002 was not designed to be the basis of a certification scheme, so does not specify requirements an ISMS must comply with to qualify for certification. Those requirements, the specification for an effective ISMS, are contained in ISO 27001.

In short, an organisation can adopt ISO 27002’s guidance, but cannot get an outside body to verify that it is doing this correctly.

However, organisations can and should use ISO 27001 and ISO 27002 together to design an ISMS that is in line with the specification (ISO 27001) while following the guidance of the code of practice (ISO 27002) before seeking external, independent ISO 27001 certification.

Choosing a certification body

Organisations that have already achieved certification against another management system standard such as ISO 9001 or ISO 14001 should seek ISO 27001 certification from the certification body they are currently using and are happy with (if that body is accredited for ISMS certification). Your experience of the certification (and implementation) process will be invaluable to the ISMS project.

If ISO 27001 is your organisation’s first management system, choose a certification body listed on the United Kingdom Accreditation Service (UKAS) website – all of them will provide a widely accepted certification/registration service.3 Do not use an unaccredited certification body, as any certificate it awards is unlikely to be recognised by other parties.
Useful ISO 27001 resources

IT Governance offers a unique range of ISO 27001 products and services, including standards, documentation toolkits, training courses and professional consultancy services.

ISO/IEC 27001:2013 Standard
ISO 27001 is the international standard that sets out the specification for establishing, implementing, maintaining and continually improving a best-practice ISMS.

ISO 27001 Toolkit
Achieve ISO 27001 compliance with this toolkit, containing more than 140 pre-written, customisable documentation templates, including policies, procedures, work instructions and records.

Certified ISO 27001 ISMS Foundation Training Course
Learn about ISO 27001 best practice and find out how to achieve compliance with the Standard with this popular Foundation course. Learn in person, or choose from Live Online or self-paced online formats.

Certified ISO 27001 ISMS Lead Implementer Training Course
Gain the skills to support your organisation in effectively planning, implementing, managing, monitoring and maintaining an ISMS in this three-day course.

ISO 27001 FastTrack™ 20
Put your ISO 27001 project into the hands of an experienced consultant. Specially formulated for small businesses with 20 employees or fewer, this service will help you achieve ISO 27001 certification in just three months for a one-off fee.

ISO 27001 Certification – Get a Lot of Help Package
A specially formulated combination of bestselling tools and trusted resources in this DIY package helps you manage your ISO 27001 implementation project from start to finish.

ISO 27001 Live Online Consultancy
This service provides quick, expert online consultancy support on specific issues whenever you need guidance with your ISO 27001 implementation.

View all our ISO 27001 products and services
Other papers you may be interested in

Implementing an ISMS – The nine-step approach (IT Governance green paper)

Risk Assessment and ISO 27001 (IT Governance green paper, September 2019)
IT Governance solutions

IT Governance is your one-stop shop for cyber security and IT governance, risk management and compliance (GRC) information, books, tools, training and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.
Visit www.itgovernance.co.uk/documentation-toolkits to view and trial our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and classroom training courses all year round, as well as Live Online and self-paced online training courses, covering a growing number of IT GRC topics.
Visit www.itgovernance.co.uk/training for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.
Visit www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk and compliance management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/shop/category/software for more information.
IT Governance is the one-stop shop for cyber security, cyber risk
and privacy management solutions. Contact us if you require
consultancy, books, toolkits, training or software.

t: +44 (0)333 800 7000
e: [email protected]
w: www.itgovernance.co.uk

A GRC International Group PLC subsidiary

Unit 3, Clive Court, Bartholomew’s Walk
Cambridgeshire Business Park, Ely
Cambs., CB7 4EA, United Kingdom

IT Governance Ltd
@ITGovernance
/it-governance
@ITGovernanceLtd

© 2003–2021 GRC International Group PLC | Acknowledgement of Copyrights | GRC International Group Trademark Ownership Notification
Endnotes

1. Verizon, “2020 Data Breach Investigations Report”, May 2020, https://enterprise.verizon.com/resources/reports/dbir/.
2. ISO, “The ISO Survey – ISO Survey 2019”, December 2019, https://www.iso.org/the-iso-survey.html.
3. UKAS, “Who’s Accredited?”, accessed April 2021, https://www.ukas.com/find-an-organisation/browse-by-category/?cat=2572.