Gary Hibberd

ISO27001 for beginners



You may have heard a lot about ISO27001 but it’s often difficult to know where to start if you’re a beginner in information security, governance risk and compliance (GRC) or if you’re just looking to improve your security as a business owner.


We want to make this topic as easy as possible to understand so that you can make some informed choices about the journey towards ISO27001 super stardom!


We’re so passionate about this topic that we even wrote a book on the topic, called “The Real Easy Guide to ISO27001”. So here is a little sneak peek at what it contains, along with some additional thoughts.


What is ISO27001?


ISO27001:2022 is an approach to implementing an information security management system (ISMS). ISO27001 will not solve all your information security concerns, risks, and issues, but it will improve your security if you engage fully with it. Vitally, ISO27001 states what you SHALL do to implement the ISMS. It is crucial to note this point.


When ISO27001 says you SHALL have a policy, it’s clear what you must do, right?

ISO27001, in simple terms, is a framework for implementing information security controls. Think for a moment about what ISO27001 is. It is an approach to implementing an information security management system. It provides everything you need to implement an effective way to manage all the security controls you put in place within your organisation.


This is why the argument that ISO27001 isn’t as good as other control systems (like NIST, SANS, Cyber Essentials, etc.) isn’t a fair comparison. Those are simply sets of controls. While ISO27001 contains a series of controls (in Annex A), it is a framework for an ISMS.


It might be easier to think of ISO27001 as a recipe for implementing good security practices. Like any recipe, what you want to cook (or bake), your tastes (or needs), and how many people you’re catering for ultimately dictate what you put in, what you leave out, and how long it will all take. For that reason, you cannot implement ISO27001 using a 'cookie cutter' approach, as this phrase implies a standard method that someone can replicate multiple times with identical outcomes.


However, whilst the shape of a cookie may be the same, what goes into a cookie can vary significantly based on the wants and needs of the consumer, so they are still individual (please tell us you’re as hungry as we are right now! 😂).

Ok, enough with the metaphors. Let’s get serious now.


Some would argue that security is not a product; it’s a process, and they are right. Security is all about ongoing risk management, identification, assessment, and analysis. ISO27001 is the same (as it is a risk-based system). You might say that ISO27001 has a finite focus: you either are or are not ISO27001 certified.


‘Being secure’, on the other hand, is an infinite outcome, because there is no end to the process and there are an infinite number of ways to become secure (or insecure!).


However, for implementation, address ISO27001 certification as a project, with a precise start date and delivery date, determining when you will achieve formal ISO27001 certification. Therefore, ISO27001 is both a project and a process. This means you can utilise your project management skills to help you achieve ISO27001, but be aware that the hard work begins once the certificate is in place! Be aware that you can lose the certificate if you do not maintain and continually improve the ISMS, as the auditors will conduct annual audits.


The structure of the standard


The standard is made up of two parts:

· The Information Security Management System (ISMS) Clauses 4 to 10

· The Annex A Controls.


Is it an easy document to read? No, because it’s a standard(!) This isn’t a “Jack Reacher” novel! It’s a set of requirements that you need to implement so that you can demonstrate you have achieved a prescribed level of security.


The ISMS Clauses


You might think of the Clauses as ‘chapters’ in the book, but each must be read through and addressed so that you can evidence that you’ve implemented the requirements. These are:


1. Scope: The intended boundaries and applicability of the standard.

2. Normative references: Citations of other standards or documents referenced in the standard.

3. Terms and definitions: Clear and consistent terminology used throughout the standard.

4. Context of the organisation: Understanding the internal and external factors that can influence its management system.

5. Leadership: Emphasising the role of top management in driving the management system’s effectiveness.

6. Planning: Setting objectives, risks, and opportunities and determining how to achieve the intended outcomes.

7. Support: Providing the necessary resources, communication, and documentation to support the management system.

8. Operation: Executing processes to achieve the intended outcomes and address risks and opportunities.

9. Performance evaluation: Monitoring, measuring, analysing, and evaluating the performance of the management system.

10. Improvement: Continuously improving the effectiveness of the management system.


The Annex A Controls


The Annex A controls are where most people come unstuck with the standard, because these are controls which you need to assess and decide whether they are applicable to your business.


What you need to know is that there are 93 controls, which are grouped into:


· Organisational Controls

· People Controls

· Physical Controls

· Technical Controls


Where should you start?


This is a beginner's guide to ISO27001, so I don’t want to delve too deeply into the controls and clauses. We provide a detailed look into each of the controls and clauses in other blogs, so take a look at these and dig as deep as you can.

What you need to do first of all is buy a copy of the following documents:


· ISO27001:2022 – The standard

· ISO27002:2022 – Guidance on what is needed for ISO27001


Once you have read these two documents you’ll be in a better position to know what is required. From there, you can perform your own Gap Analysis and assess where you have gaps in your knowledge, policies or procedures.

Yes, you can use consultants like us to help you. But it’s perfectly acceptable and possible for you to make an informed decision once you understand what the standards are looking for.


If this is something you’d like help with then get in touch, or go read our ISO27001 FAQs page to see the kind of services we provide and the questions we get asked about most.
