ISO 27001 is an internationally recognised Information Security Management System (ISMS) standard that helps organisations to protect their information assets such as customer data and employee information, against threats like data breaches, cyber-attacks and misuse. ISO 27001 can also help to provide stakeholders with assurance that an organisation is taking the necessary steps to secure and protect their information.

Although achieving ISO 27001 can be daunting, in this blog we’ll provide you with the essential information that will help you understand what it is, what the typical certification process looks like and share a few key things to consider.

What is an ISMS?

An information security management system (ISMS) is a framework of policies, procedures and controls used to manage an organisations informational assets to ensure its confidentiality, integrity and availability.

Clauses vs Controls

ISO 27001 is made up of two areas: clauses and controls.

Clauses outline the requirements for establishing, implementing, maintaining and continually improving an ISMS. These cover areas such as planning, leadership, Operation and Improvement. Clauses are mandatory and an organisation must ensure that all points are addressed.

Controls are the specific measures that can be implemented by an organisation to mitigate risks. Annex A has a list of 94 controls that an organisation can implement, dependent on their risk assessment and covered a variety of areas from physical and environmental, supplier relationships and access control

The Statement of Applicability

The Statement of Applicability (SoA) is an important document within the ISO 27001 process. If an organisation decides to not implement a control, a justification must be provided for its exclusion. A SoA is created once an organisation has mapped out the relevant controls that they will implement.

Risk Management

At its core, ISO 27001 is there to help an organisation manage information security risks. Risks should cover what the threat is, the likelihood of the threat occurring and what impact they would have. Controls can be mapped against a risk to help reduce the likelihood and impact against the organisation and is useful when creating the Statement of Applicability.

Versions

There are currently two versions of ISO 27001 – 2013 and 2022 – and organisations will need to ensure that they are aligned with the 2022 version by October 2025. Organisations that are currently using the old version will need to conduct a gap analysis to ensure that their Statement of Applicability and current controls are still relevant with the new version.

The Audit Process

There are two audits that occur: an internal audit and an external audit.

• Internal Audit: The internal audit is carried out either by the organisation itself or a third party (such as Predatech) on behalf of the organisation. Internal audits should adhere to the requirements outlined in Clause 9.2 and be objective and non-bias. Over the course of a year, an organisation should have audited all clauses and controls to ensure that the ISMS is delivering its objectives.
• External Audit: The external audit is conducted by an independent auditor who will confirm whether the organisation is compliant with the ISO 27001 standard. Certification audits occur every 3 years with surveillance audits conducted yearly in between to ensure ongoing compliance.

Before achieving certification, organisations will have a Stage One and Stage Two Audit. Stage One will confirm documentation and procedures, and Stage Two will monitor the effectiveness of the ISMS that has been implemented.

Non-Conformities and Corrective Actions

Throughout its lifecycle, an organisation’s ISMS will gain non-conformities. Non-conformities can be raised at any point, but in most cases, these will occur at internal and external audits. If a non-conformity is raised, a corrective action must be taken that prevents recurrence of the root cause. There are two types of non-conformities:

• Major non-conformities: The nonconformity significantly impacts the organisation’s ISMS and must be actioned within 30 days of the finding being published.
• Minor non-conformities: The nonconformity moderately impacts the organisation’s ISMS and must be actioned within 90 days of the finding being published.

Points to Consider

There are many other factors that should be considered when looking to implement and maintain ISO 27001. Before implementation, you should:

• Consider the cost effectiveness of gaining and maintaining ISO 27001. Gaining and maintaining certification can be a costly process and requires not only a financial investment but also a time commitment from key staff.
• Although this is largely dependent on what is currently in place, ISO 27001 can take up to 6 – 9 months for an organisation to implement.
• Having a framework already in place can help with the implementation or transition to ISO 27001. Cyber Essentials can be an effective foundation to build upon.
• Continual improvement is one of the Clauses for ISO 27001. Your organisation will need to be prepared to improve and adapt your ISMS to the latest threats and changes to your organisation’s environment.
• In most cases, ISO 27001 requires a change in culture. You will need to ensure that your organisation promotes awareness of information security and train your employees to understand what their roles and responsibilities are when it comes to information security.

Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing, Cyber Essentials/Cyber Essentials Plus assessments and ISO 27001 consultancy. What makes us different? We combine expert cyber security with great customer service and value for money. If you’d like to better understand your security posture, and how to strengthen it from attacks, please contact us for a free consultation.