ISO 27001 is the international standard for information security management systems (ISMS). It provides best practices for organizations to protect information assets by addressing people, processes, and technologies. Certification demonstrates that an organization has defined and implemented best-practice information security processes. ISO 27001 benefits organizations by helping them comply with requirements, improve security practices, and avoid issues from data breaches. It contains 14 control sets in Annex A that cover areas like policies, asset management, access control, operations security, and incident response.
ISO 27001
What is ISO 27001?
• ISO/IEC 27001:2013 (also known as ISO 27001) is the international standard for information security management. It sets out the specification for an information security management system (ISMS). This deck describes the 2013 edition and its 14 Annex A control sets; the 2022 revision restructured Annex A into 93 controls under four themes, so check which edition your certification audit is against.
• The Standard's best-practice approach helps organisations manage their information security by addressing people, processes and technology.
• Certification to ISO 27001 is recognised worldwide as an indication that your ISMS is aligned with information security best practice.
ISO 27001 benefits
• ISO 27001 is the auditable international standard that defines the requirements of an ISMS. An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber attacks, data leaks or theft.
• Certification to ISO/IEC 27001 demonstrates that an organisation has defined and put in place best-practice information security processes. Not all organisations choose to get certified; some use ISO 27001 only as a framework for best practice.
1. Win new business and sharpen your competitive edge
2. Avoid the financial penalties and losses associated with data breaches
3. Protect and enhance your reputation
4. Comply with business, legal, contractual and regulatory requirements
5. Improve structure and focus
6. Reduce the need for frequent customer and supplier audits
7. Obtain an independent opinion about your security posture
ISO standards development process
ISO standards follow a six-stage development process before publication:
• Proposal stage (obligatory)
• Preparatory stage
• Committee stage
• Enquiry stage (obligatory)
• Approval stage
• Publication stage (obligatory)
At each stage in a standard's development it is given an abbreviation to denote its status. Common abbreviations include:
• PWI: Preliminary work item
• NP/NWIP: New proposal/new work item proposal
• AWI: Approved new work item
• WD: Working draft
• CD: Committee draft
• FCD: Final committee draft
• DIS: Draft international standard
• FDIS: Final draft international standard
• PRF: Proof of a new international standard
• IS: International standard
ISO 27001 controls list: the 14 control sets of Annex A
Annex A.5 – Information security policies (2 controls)
• This annex is designed to make sure that policies are written, approved, communicated and reviewed in line with the overall direction of the organisation's information security practices.
Annex A.6 – Organisation of information security (7 controls)
• This annex covers the assignment of responsibilities for specific tasks. It is divided into two sections. Annex A.6.1 ensures that the organisation has established a framework that can adequately implement and maintain information security practices: defined roles, segregation of duties, contact with authorities and special interest groups, and security in project management.
• Annex A.6.2 addresses mobile devices and teleworking. It is designed to ensure that anyone who works from home or on the go, either part-time or full-time, follows appropriate practices.
Annex A.7 – Human resource security (6 controls)
• The objective of Annex A.7 is to make sure that employees and contractors understand their responsibilities. It is divided into three sections:
• Annex A.7.1 addresses individuals' responsibilities before employment (screening and terms of employment).
• Annex A.7.2 covers their responsibilities during employment (management responsibilities, awareness and training, disciplinary process).
• Annex A.7.3 addresses their responsibilities when they no longer hold that role because they have left the organisation or changed positions.
Annex A.8 – Asset management (10 controls)
• This annex concerns the way organisations identify information assets and define appropriate protection responsibilities. It contains three sections.
• Annex A.8.1 is primarily about organisations identifying and inventorying information assets within the scope of the ISMS and assigning owners to them.
• Annex A.8.2 is about information classification. This process ensures that information assets are subject to a level of protection appropriate to their value and sensitivity.
• Annex A.8.3 is about media handling, ensuring that sensitive data is not subject to unauthorised disclosure, modification, removal or destruction.
Annex A.9 – Access control (14 controls)
• The aim of Annex A.9 is to ensure that users can access only the information and systems they need for their role (the principle of least privilege).
• It is divided into four sections, addressing the business requirements of access control (A.9.1), user access management (A.9.2), user responsibilities (A.9.3) and system and application access control (A.9.4).
Annex A.10 – Cryptography (2 controls)
• This annex covers the use of cryptography to protect information. Its two controls are a policy on the use of cryptographic controls (A.10.1.1) and key management (A.10.1.2), and their objective is the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. Encryption does not protect availability: a lost or mismanaged key makes the data unavailable, which is why key management is a control in its own right.
Annex A.11 – Physical and environmental security (15 controls)
• This annex addresses the organisation's physical and environmental security. It is the most extensive annex in the Standard, containing 15 controls separated into two sections.
• The objective of Annex A.11.1 is to prevent unauthorised physical access, damage or interference to the organisation's premises or the sensitive data held therein.
• Annex A.11.2 deals specifically with equipment. It is designed to prevent the loss, damage or theft of an organisation's information asset containers, whether that is, for example, hardware, removable media or physical files.
Annex A.12 – Operations security (14 controls)
• This annex ensures that information processing facilities are operated securely and is comprised of seven sections.
• Annex A.12.1 addresses operational procedures and responsibilities, including change management, capacity management and the separation of development, test and production environments.
• Annex A.12.2 addresses malware, ensuring that the organisation has the necessary defences to mitigate infection risk.
• Annex A.12.3 covers organisations' requirements when it comes to backing up systems to prevent data loss.
• Annex A.12.4 is about logging and monitoring: event logging, protection of log information, administrator and operator logs, and clock synchronisation. It is designed to make sure that organisations have trustworthy evidence when security events occur.
• Annex A.12.5 addresses organisations' requirements when it comes to protecting the integrity of operational software.
• Annex A.12.6 covers technical vulnerability management and is designed to ensure that unauthorised parties do not exploit system weaknesses.
• Finally, Annex A.12.7 addresses information systems audit considerations. It is designed to minimise the disruption that audit activities have on operational systems.
Annex A.13 – Communications security (7 controls)
• This annex concerns the way organisations protect the information in networks. It is divided into two sections.
• Annex A.13.1 concerns network security management, ensuring that the confidentiality, integrity and availability of information in those networks remain intact.
• Annex A.13.2 deals with information transfer, whether it is going to a different part of the organisation, a third party, a customer or another interested party.
Annex A.14 – System acquisition, development and maintenance (13 controls)
• The objective of Annex A.14 is to ensure that information security remains a central part of the organisation's processes across the entire system lifecycle.
• Its 13 controls address the security requirements of information systems, including those that provide services over public networks (A.14.1), security in development and support processes (A.14.2) and the protection of test data (A.14.3).
Annex A.15 – Supplier relationships (5 controls)
• This annex concerns the contractual agreements organisations have with third parties. It is divided into two sections.
• Annex A.15.1 addresses the protection of an organisation's valuable assets that are accessible to or affected by suppliers.
• Annex A.15.2 is designed to ensure that both parties maintain the agreed level of information security and service delivery.
Annex A.16 – Information security incident management (7 controls)
• This annex is about how to manage and report security incidents. Its single section runs from responsibilities and procedures, through the reporting of events and weaknesses, assessment and decision, response and learning from incidents, to the collection of evidence. This process involves identifying which employees should take responsibility for specific actions, thus ensuring a consistent and effective approach to the lifecycle of incidents and responses.
Annex A.17 – Information security aspects of business continuity management (4 controls)
• The aim of Annex A.17 is to create an effective system to manage business disruptions. It is divided into two sections.
• Annex A.17.1 addresses information security continuity, outlining the measures that can be taken to ensure that information security continuity is embedded in the organisation's business continuity management system.
• Annex A.17.2 looks at redundancies, ensuring the availability of information processing facilities.
Annex A.18 – Compliance (8 controls)
• This annex ensures that organisations identify relevant laws, regulations and contractual obligations (A.18.1) and that information security is independently reviewed and technically checked for compliance with the organisation's own policies (A.18.2). This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that come with that.
ISO 27001 implementation process
• https://www.itgovernance.co.uk/implementing_iso27001
1. Familiarise yourself with ISO 27001 and ISO 27002
2. Assemble a project team and initiate the project
3. Conduct a gap analysis
4. Scope the ISMS
5. Initiate high-level policy development and other key ISO 27001 documentation
6. Undertake a risk assessment
7. Select and apply controls
8. Develop risk documentation
9. Conduct staff awareness training
10. Assess, review and conduct an internal audit
11. Opt for a certification audit
ISO 27001 Training and Qualifications
• Minimise information security risk, obtain industry-leading qualifications and gain the practical skills to implement and audit ISO 27001.
• IT Governance is a leading provider of classroom and online ISO 27001 training.
• IBITGQ (the International Board for IT Governance Qualifications) is a not-for-profit association dedicated to providing global training, certificated qualifications and continuing professional development for information security, data privacy, business continuity and IT governance professionals.
ISO 27001 Risk Assessments
Five simple steps to an effective ISO 27001 risk assessment
• Establish a risk management framework (the methodology, the likelihood and impact scales, the risk acceptance criteria and who owns each risk)
• Identify risks (the assets, threats and vulnerabilities within the ISMS scope)
• Analyse risks (estimate the likelihood and impact of each)
• Evaluate risks (compare each with the acceptance criteria to decide which need treatment)
• Select risk treatment options (modify the risk with controls, retain it, avoid it or share it)
Applying information security controls in the risk assessment
Compiling risk reports based on the risk assessment
ISO 27001 requires the organisation to produce reports based on the risk assessment for audit and certification purposes. The following two reports are the most important:
• Statement of Applicability (SoA): every Annex A control, whether it is applicable, the justification for including or excluding it, and whether it is implemented
• Risk treatment plan (RTP): for each risk that needs treatment, the chosen option, the controls applied, the owner and the timescale
How an ISO 27001 risk assessment works
• An ISMS is based on the outcomes of a risk assessment. Businesses need to produce a set of controls to minimise identified risks.
• Controls recommended by ISO 27001 are not only technological solutions but also cover people and organisational processes. There are 114 controls in Annex A of the 2013 edition covering the breadth of information security management, including physical access control, firewall policies, security staff awareness programmes, procedures for monitoring threats, incident management processes and encryption.
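The five assessment steps and the two reports above, worked through as a small Python risk register. This is an added example, not the deck's or IT Governance's material. The likelihood and impact scales, the acceptance thresholds, the handful of Annex A controls in the catalogue (numbers from the 2013 edition, titles abridged) and the four sample risks are all assumptions constructed for the example; ISO 27001 prescribes none of them, only that a method and acceptance criteria exist and are applied consistently.

```python
"""Worked ISO 27001 risk assessment and the two reports derived from it (SoA, RTP).
Scales, thresholds, control titles and sample risks are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Step 1: risk management framework (assumed scales and acceptance criteria)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6   # a score at or below this may be retained untreated
HIGH_THRESHOLD = 12        # a score above this is "high" and is treated first
TREATMENTS = ("modify", "retain", "avoid", "share")   # the ISO/IEC 27005 options

# A small slice of the 2013 Annex A catalogue used to build the SoA (titles abridged)
ANNEX_A = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.7": "Secure disposal or re-use of equipment",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.18.1.4": "Privacy and protection of PII",
}
BASELINE_CONTROLS = {"A.18.1.4"}   # applicable for a legal obligation, not a risk (assumed)

@dataclass
class Risk:
    risk_id: str
    asset: str
    scenario: str      # a threat exploiting a vulnerability of the asset
    likelihood: str
    impact: str
    owner: str
    score: int = 0
    level: str = ""
    treatment: str = ""
    controls: List[str] = field(default_factory=list)

def analyse(risk: Risk) -> int:
    """Step 3: likelihood x impact on the framework's scales."""
    risk.score = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return risk.score

def evaluate(risk: Risk) -> str:
    """Step 4: compare the score with the acceptance criteria."""
    risk.level = ("high" if risk.score > HIGH_THRESHOLD
                  else "medium" if risk.score > ACCEPTANCE_THRESHOLD else "low")
    return risk.level

def treat(risk: Risk, option: str, controls: Tuple[str, ...] = ()) -> Risk:
    """Step 5: record the treatment; the two mistakes an auditor raises against an RTP are rejected."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "retain" and risk.level != "low":
        raise ValueError(f"{risk.risk_id}: score {risk.score} exceeds the acceptance criteria")
    if option == "modify" and not controls:
        raise ValueError(f"{risk.risk_id}: 'modify' needs at least one Annex A control")
    risk.treatment, risk.controls = option, list(controls)
    return risk

def statement_of_applicability(risks: List[Risk]) -> Dict[str, Tuple[bool, str]]:
    """SoA: every catalogue control with applicable yes/no and the justification."""
    soa = {}
    for ctrl, title in ANNEX_A.items():
        driven_by = [r.risk_id for r in risks if ctrl in r.controls]
        if driven_by:
            soa[ctrl] = (True, f"{title}: treats {', '.join(driven_by)}")
        elif ctrl in BASELINE_CONTROLS:
            soa[ctrl] = (True, f"{title}: legal/contractual obligation")
        else:
            soa[ctrl] = (False, f"{title}: no identified risk or obligation requires it")
    return soa

def risk_treatment_plan(risks: List[Risk]) -> List[dict]:
    """RTP: every risk that is not simply retained, highest score first."""
    return [{"risk": r.risk_id, "level": r.level, "treatment": r.treatment,
             "controls": r.controls, "owner": r.owner}
            for r in sorted(risks, key=lambda r: r.score, reverse=True)
            if r.treatment != "retain"]

def run_assessment():
    """Drive all five steps over a constructed register; returns (register, SoA, RTP)."""
    rows = [  # Step 2, constructed sample data: (id, asset, scenario, likelihood, impact, owner)
        ("R1", "customer DB", "credential stuffing against admin accounts", "likely", "severe", "IT ops"),
        ("R2", "laptops", "lost device with an unencrypted disk", "possible", "major", "IT ops"),
        ("R3", "file server", "ransomware with no recoverable backup", "possible", "severe", "IT ops"),
        ("R4", "office printer", "paper jam stops printing", "likely", "negligible", "Facilities"),
    ]
    risks = [Risk(*row) for row in rows]
    for r in risks:
        analyse(r)
        evaluate(r)
    treat(risks[0], "modify", ("A.9.2.3",))
    treat(risks[1], "modify", ("A.10.1.1",))
    treat(risks[2], "modify", ("A.12.3.1", "A.12.6.1"))
    treat(risks[3], "retain")
    return risks, statement_of_applicability(risks), risk_treatment_plan(risks)

if __name__ == "__main__":
    print(*run_assessment(), sep="\n")
```

The point the code makes that the slide does not: the SoA and the RTP are two views of one register, so a control marked "applicable" in the SoA must trace back either to a risk in the RTP or to a stated legal or contractual reason, and a risk above the acceptance criteria cannot simply be retained. Those two traceability checks are what a certification auditor walks through, and `treat` refuses to record the cases that fail them.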
Risk assessment standards
Several other information security and risk assessment standards support ISO 27001:
• ISO/IEC 27005:2011 – Guidance for information security risk management (since revised; ISO/IEC 27005:2022 is the current edition)
• ISO/IEC 31010:2009 – Risk management: risk assessment techniques (since revised as IEC 31010:2019)
Thank you! Any questions?