Introduction to ISO 27001

INTRODUCTION
TO ISO 27001
An overview of the standard.

To begin at the beginning.

Information security is increasingly becoming a prerequisite to doing business.
With the constant evolution of global threats and the assault on information and its protection,
information security is becoming a battlefield we all share.
Protecting sensitive data from breaches, cyber-attacks, and other threats is essential for
maintaining trust and operational integrity in an organisation. Lose that trust, and you'll suffer
for it. Just ask Equifax, Yahoo, Sony, and Marriott International, among many other big names.
Like anything in life, we convince ourselves that it’ll never happen to us. It’s something that will
happen to others. Until it does. And frankly, in this day and age, it’s just a matter of when, not if.
So, wouldn’t it be better to take preventative measures and have plans for how to react when
things do go wrong?
ISO 27001 is an internationally recognised information security management system (ISMS)
standard. It provides a framework for managing and protecting information assets.
The best thing about ISO 27001 is that it’s flexible and can be adapted to any style or size of
organisation, depending on how that organisation views risk. You can apply it to a service or
business unit rather than the whole organisation.
This document explores ISO 27001's fundamental concepts, explore its structured approach to
information security, and elucidate its relationship with ISO 27002.
Additionally, we will provide an overview of the clauses within ISO 27001 and discuss the
essential control groups outlined in Annex A.
By understanding these elements, organisations can better navigate the complexities of
information security and implement effective measures to safeguard their data.

1
 Introduction to ISO 27001

The CIA Triad of Information Security

Before we start, we often talk about information security, and there are 3 key aspects commonly
attributed to managing it.

The "CIA" triad is a foundational model in information security, representing the three core
principles that guide efforts to protect information.

These principles are Confidentiality, Integrity, and Availability (CIA).

Each plays a crucial role in ensuring comprehensive security measures.

• Confidentiality - Ensuring that information is accessible only to those authorised to have

access.
• Integrity - Maintaining the accuracy and completeness of information.
• Availability - Ensuring that information and resources are accessible when needed.

These three principles work together to provide a balanced approach to information security,
protecting data from various threats while ensuring it remains usable and reliable.

Information Security Management System (ISMS)

Let's start with a term that comes up a lot. The "Information Security Management System" or,
as it is commonly known, the ISMS.
The ISMS is a holistic approach to managing information security encompassing policies,
processes, and systems. Consider it all the policies, procedures, records, documentation that
forms your ISO 27001 body of work.
The ISMS is different for all organisations, but is designed to protect the confidentiality, integrity,
and availability of information within an organisation.

Components of an ISMS
The description in ISO 27001 of 'what is an ISMS' is determined by several key clauses in the
standard, which we will go through shortly, but in essence, the big building blocks are aligned to
the clauses of the standard. Effectively they are;
• Context of the Organization - Understanding the internal and external issues that can
affect the ISMS and identifying the needs and expectations of interested parties.
• Leadership - Establishing top management commitment, assigning ISMS roles and
responsibilities, and ensuring communication.
• Planning - Addressing risks and opportunities, setting information security objectives,
and planning to achieve them.

2
 Introduction to ISO 27001

• Support - Providing necessary resources, ensuring competence, raising awareness, and

maintaining documented information.
• Operation - Implementing and managing the processes and controls necessary to
achieve the information security objectives.
• Performance Evaluation - Monitoring, measuring, analysing, and evaluating the ISMS
performance, including internal audits and management reviews.
• Improvement - Managing nonconformities and taking corrective actions to continuously
improve the ISMS.

Importance and Benefits of an ISMS

So, why have an ISMS?
Why not just have 'controls' and be done with it?
Well, having an ISMS that aligns with a standard has several benefits;
• Risk Management - A structured approach to identifying and mitigating risks helps
organisations protect their information assets and minimise the impact of security
incidents.
• Customer Trust - Demonstrating an ISMS shows commitment to information security,
which can enhance customer trust and confidence. It is very common for external
organisations to ask for evidence relating to the ISMS.
• Operational Efficiency - By standardising and streamlining security processes, an ISMS
can improve operational efficiency and reduce the likelihood of security breaches.
• Compliance - An ISMS can help organisations meet regulatory and contractual
requirements related to information security.
• Continuous Improvement - An ISMS promotes a culture of continuous improvement,
with regular reviews and updates to security practices based on changing threats and
business needs.
It's important to realise that under ISO 27001, the ISMS is not a one-time project but an ongoing
process that evolves with the organisation's needs and the changing threat landscape and
maturity.
The ISMS doesn't have to be perfect on day one, but it does need to be aware of its weaknesses
and work towards improving them.
It requires commitment from all levels of the organisation, from top management to individual
employees.

3
 Introduction to ISO 27001

Risk Assessment and Treatment

Risk assessment and treatment are core components of ISO 27001, which aim to identify,
evaluate, and address risks to information security within an organisation.
A risk methodology and then putting controls in place to manage those risks is at the heart of the
ISMS.

Risk Assessment
Typically, risk assessment will involve the following steps;
1. Establish Context - Define the risk assessment's scope, including the ISMS's boundaries
and the organisational context.
2. Risk Identification - Identify potential risks that could affect information assets'
confidentiality, integrity, and availability. This involves identifying threats, vulnerabilities,
and the potential impact on the organisation.
3. Risk Analysis - Assess the identified risks to determine their likelihood and potential
impact. This analysis helps prioritise risks based on their severity.
4. Risk Evaluation - Compare the risk analysis results against established risk criteria to
determine which risks require treatment. This involves determining the organisation's risk
tolerance and deciding which risks are acceptable and which need mitigation.

Risk Treatment Options

Once the assessment is complete, attention turns to how you address the risk, or perhaps you
accept it. Options might include;

1. Risk Avoidance - Avoiding activities that expose the organisation to risk. This might
involve changing processes, discontinuing certain operations, or avoiding particular
projects.

2. Risk Reduction - Implementing controls to reduce the likelihood or impact of risks. This
could include technical controls, such as firewalls and encryption, and organisational
controls, such as policies and procedures.

3. Risk Sharing - Transferring or sharing the risk with another party, such as through
insurance or outsourcing.

4. Risk Retention - Accepting the risk when the cost of mitigation is higher than the
potential impact or when the risk is deemed low enough to be acceptable.

Either way, each significant risk will require a treatment plan clearly outlining how you will
manage it (see the next section).

4
 Introduction to ISO 27001

Documentation and Monitoring of Risks

Almost all formal systems of certification and auditing work on a simple principle;
Say what you're going to do. Do it. Show that you've done it.
So, documentation regarding policies, procedures, records, etc., is an integral part of the ISMS.
Some of the notable ones are;
• Statement of Applicability (SoA) - This document lists the controls selected to treat the
identified risks, justifying their inclusion and noting any exclusions from Annex A of ISO
27001 (a list of controls). It also includes the implementation status of each control. As
we go forward, I have much more to say about the SoA, as it's a crucial and significant
part of ISO 27001. Indeed, I consider it the second half; part one is the ISMS and part two
is the Statement of Applicability.
• Risk Treatment Plan - This plan outlines the steps for implementing selected controls,
including responsibilities, resources, and timelines.
• Monitoring and Review - Continual monitoring and periodic review of the risk
assessment and treatment processes are crucial. This ensures that the ISMS remains
effective and adapts to changing threats and organisational needs. Regular audits, both
internal and external, are part of this process.

Structure of ISO 27001

ISO 27001, as a standard, is about 26 pages long and not a challenging read. If you don't have a
copy, I strongly suggest you get one to read the clauses and requirements yourself.
I cannot print the clauses and contents verbatim here because of copyright issues, but I can talk
about them and paraphrase them.
27001 is structured into ten main clauses, which provide a comprehensive framework for
establishing, implementing, maintaining, and continually improving an Information Security
Management System (ISMS).
Here's an overview of the standard's clause structure and the purpose of each section:

1. Scope (Background on the standard)

This clause defines the scope of the standard, specifying the requirements for an ISMS
that can be used to manage information security risks tailored to the organisation's
needs.

5
Introduction to ISO 27001

2. Normative References (Background on the standard)

This section references other standards and documents essential for applying ISO
27001, such as ISO/IEC 27000, which provides an overview and vocabulary for
information security management systems.
3. Terms and Definitions (Background on the standard)
This clause lists the key terms and definitions used in the standard, ensuring a common
understanding of terminology.
4. Context of the Organisation
This clause focuses on understanding the organisation's context, including internal and
external issues, and the needs and expectations of interested parties. It ensures that the
ISMS is tailored to the specific environment and requirements of the organisation.

Subclauses include;

• Understanding the Organisation and its Context - Identify external and internal
issues relevant to the organisation's purpose and how they affect its ability to achieve
the intended outcomes of the ISMS.
• Understanding the Needs and Expectations of Interested Parties - Determine
stakeholders' requirements, such as customers, regulators, and employees.
• Determining the Scope of the ISMS - Define the boundaries and applicability of the
ISMS.

• Information Security Management System - Establish, implement, maintain, and

continually improve the ISMS in accordance with the standard's requirements.

5. Leadership
Leadership plays a crucial role in the success of the ISMS. This clause requires top
management to demonstrate commitment to the ISMS, establish an appropriate
information security policy, and assign roles and responsibilities for information security.

Subclauses include;

• Leadership and Commitment - Top management must demonstrate leadership and

commitment to the ISMS.
• Information Security Policy - Establish an appropriate policy that includes
objectives and demonstrates a commitment to continual improvement.
• Organisational Roles, Responsibilities, and Authorities - Ensure that roles and
responsibilities for information security are assigned and communicated.

6. Planning
This clause addresses the actions needed to manage risks and opportunities related to
information security. It involves setting information security objectives and planning how

6
Introduction to ISO 27001

to achieve them. Planning also includes considerations for changes to the ISMS to
ensure they are managed in a controlled manner.

Subclauses include;

• Actions to Address Risks and Opportunities - Determine risks and opportunities

and plan actions to address them.
• Information Security Objectives and Planning to Achieve Them - Establish
measurable information security objectives and plan how to achieve them.
• Planning of Changes - Plan changes to the ISMS in a controlled manner.

7. Support
Support involves the resources, competence, awareness, communication, and
documented information necessary for the effective operation of the ISMS. This clause
ensures the organisation has the necessary support structure to maintain and improve
the ISMS.

Subclauses include;

• Resources - Determine and provide the resources needed for the ISMS.
• Competence - Ensure that personnel are competent based on appropriate
education, training, or experience.
• Awareness - Ensure that personnel know the ISMS and their roles within it.
• Communication - Determine the need for internal and external communication
relevant to the ISMS.
• Documented Information - Control the creation, updating, and control of
documented information required by the ISMS.

8. Operation
Operational planning and control are covered in this clause. It requires the organisation
to plan, implement, and control the processes needed to meet ISMS requirements and
achieve information security objectives.

Subclauses include;

• Operational Planning and Control - Plan, implement, and control the processes
needed to meet ISMS requirements and achieve information security objectives.
• Information Security Risk Assessment – As explored earlier, an organisation must
look at and assess the risks it faces.
• Information Security Risk Treatment – The assessments then feed into creating risk
treatment plans to manage the risks.

9. Performance Evaluation

7
 Introduction to ISO 27001

Performance evaluation involves monitoring, measuring, analysing, and evaluating the

ISMS to ensure it performs effectively. This clause also includes internal audit and
management review requirements to ensure continuous improvement.

Subclauses include;

• Monitoring, Measurement, Analysis, and Evaluation - Monitor and measure the

performance of the ISMS.
• Internal Audit - Conduct internal audits to ensure the ISMS is effectively
implemented and maintained.
• Management Review - Review the ISMS to ensure its continuing suitability,
adequacy, and effectiveness.

10. Improvement
This clause focuses on continual improvement of the ISMS. It requires the organisation to
address nonconformities and take corrective actions. Continual improvement ensures
the ISMS remains effective and relevant over time.

Subclauses include;
• Nonconformity and Corrective Action - Address nonconformities and take
corrective actions.
• Continual Improvement - Continually improve the suitability, adequacy, and
effectiveness of the ISMS.

Annexes
Annex A: Information Security Controls Reference
I warned you earlier about Annex A, the Statement of Applicability (SoA).
Annex A provides a comprehensive list of 93 controls that can be used to manage information
security risks.
Typically, we create a spreadsheet or list of the controls and then explain how we meet them.
These controls are organised into four categories: organisational, people, physical and
technical.
It is worth noting that while some information security standards like NIST 800-53 are absolutely
prescriptive regarding the types of firewall, encryption, and other controls you need to use, ISO
27001 asks you to define which controls apply to your organisation and to what level. So, it's
very much up to you to respond to each control with a justification for how you feel you meet it.

Let's take a look at them.

8
 Introduction to ISO 27001

A.5 Organisational Controls

Intent: These controls focus on establishing a robust information security governance

framework within the organisation.

Examples:

• Information security policies: Creating and maintaining policies to guide activities.

• Roles and responsibilities: Defining and assigning information security roles and
responsibilities within the organisation.
• Management commitment: Ensuring top management supports and actively promotes
information security.
A.6 People Controls

Intent: These controls are designed to manage and mitigate human-related risks by ensuring
that employees, contractors, and third-party users understand their roles and responsibilities in
information security.

Examples:

• Screening: Conducting background checks on employees and contractors before hiring.

• Training and awareness: Providing regular information security training and awareness
programs.
• Disciplinary process: Implementing a formal disciplinary process to address
information security breaches caused by employees.
A.7 Physical Controls

Intent: These controls protect the organisation's physical premises and assets from
unauthorised physical access, damage, or interference.

Examples:

• Physical entry controls: Implementing security measures like access cards and
biometrics to restrict entry to sensitive areas.
• Equipment security: Ensuring equipment is physically protected from theft or damage.
• Supporting utilities: Safeguarding power and telecommunications infrastructure to
ensure continuous operation.
A.8 Technological Controls

Intent: These controls focus on implementing and managing technology to protect information
assets from security threats.

Examples:

9
 Introduction to ISO 27001

• Access control: Managing who has access to information systems and data.
• Cryptography: Using encryption to protect data confidentiality and integrity.
• System acquisition, development, and maintenance: Ensuring security is considered
throughout the lifecycle of information systems.

Relationship with ISO 27002

ISO 27001 and ISO 27002 are closely related standards within the ISO/IEC 27000 family, both
focused on information security management.
While ISO 27001 provides the requirements for establishing, implementing, maintaining, and
continually improving an Information Security Management System (ISMS), ISO 27002 provides
detailed guidelines on the controls listed in Annex A of ISO 27001.
You don't need a copy of 27002 to implement 27001, but it doesn't hurt.
Here's a closer look at how these two standards interconnect and complement each other.

Differences and Connections

ISO 27001: Requirements for an ISMS

• Scope - ISO 27001 outlines the requirements for creating and managing an ISMS,
focusing on risk management and continuous improvement.

• Mandatory Requirements—It provides a set of mandatory requirements that

organisations must follow to achieve certification. These include defining an information
security policy, conducting risk assessments, managing risks, and implementing
controls.
• Annex A Controls - ISO 27001 includes Annex A, which lists the controls to mitigate
identified risks. However, it does not provide detailed guidance on implementing these
controls.
ISO 27002: Guidelines for Controls

• Scope - ISO 27002 serves as a supplementary standard to ISO 27001, providing detailed
guidelines on selecting, implementing, and managing the controls listed in Annex A of
ISO 27001.

• Implementation Guidance - It offers best practices and specific advice on effectively

implementing each control. This includes detailed descriptions, objectives, and
implementation guidance for each control.

10
 Introduction to ISO 27001

• Flexibility - While ISO 27002 provides comprehensive guidance, it is more flexible and
can be used by organisations that are not necessarily seeking ISO 27001 certification but
still wish to improve their information security practices.

Conclusion
Understanding the fundamentals of the ISO 27001 standard is essential for any organisation
aiming to enhance its information security posture.
I seriously recommend getting a copy and reading it through. It's surprisingly light and easy to
read.
The standard provides a structured approach to managing sensitive information by
implementing an Information Security Management System (ISMS).
By following the guidelines and controls outlined in ISO 27001, organisations can ensure their
information assets' confidentiality, integrity, and availability.
Key Takeaways
• Comprehensive Framework: ISO 27001 offers a comprehensive framework for
managing information security risks through structured clauses and controls.
• Risk Management: The standard emphasises the importance of risk assessment and
treatment, enabling organisations to proactively manage threats and vulnerabilities.
• Integration with ISO 27002: ISO 27001's relationship with ISO 27002 provides detailed
guidance on implementing controls, ensuring that organisations adopt best practices.

• Continuous Improvement: ISO 27001 promotes a culture of continuous improvement,

helping organisations adapt to evolving threats and regulatory requirements.

By implementing ISO 27001, organisations protect their information assets and build trust with
customers, partners, and stakeholders.

It demonstrates a commitment to information security and provides a competitive advantage in

business, where it is increasingly seen as a 'must have' and a barrier to business if you don't.

Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit
https://www.iseoblue.com/terms.

11
Introduction to ISO 27001

12