How to implement ISO 27001

For any organisation with limited time and money, deciding what to protect is the starting line. You need to know how much security to apply to build an effective Information Security Management System (ISMS).ISO 27001 Annex A 5.12 Classification of information is the first step in this process. It is not just a paperwork exercise. It […]

After conducting hundreds of ISO 27001 audits, I can tell you that information classification is where theory meets reality. It is the one foundational control that causes a cascade of failures across an entire ISMS when done poorly. But if you get it right, you build the strategic bedrock for a security program that works

Introduction: The Critical Importance of Getting Your Assets Back What is the biggest security vulnerability your organisation faces when a trusted person leaves? You might be busy disabling their badge access, but the real danger is often walking out the door in a briefcase. Failing to manage the return of assets is a boring but

The biggest security risk when a trusted person leaves is not the key card they hand back. It is the encrypted USB drive in their bag that holds your next product roadmap. This challenge keeps security leaders and CEOs up at night. The real weakness is not just about cutting off system access. It is

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets is the backbone of a defensible security culture. It goes beyond firewalls and encryption to manage the human element. It sets clear ground rules for how everyone in your organisation handles company data. At its core, this control removes plausible deniability. You cannot hold

Information security standards often feel heavy and abstract. However, ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets, is where theory meets real life. This control manages the most critical part of your security programme: your people. This guide moves away from confusing jargon. Instead, we provide a practical ISO 27001

If you have ever tried to clean a garage, you know the golden rule: you cannot organize what you do not know you have. The same logic applies to information security. You cannot secure your customer data, your intellectual property, or your financial records if you don’t actually know where they are. This is the

We have all been there. The project is running late, the budget is tight, and the “Go Live” date is immovable. Then, 48 hours before launch, someone asks, “Wait, is this GDPR compliant?” or “Did we pen-test this?” Panic ensues. Delays happen. Or worse, you launch anyway and hope for the best. ISO 27001 Annex

In the old days of information security, the strategy was often “build a high wall and hope for the best.” You installed a firewall, an antivirus, and locked the server room door. Today, that isn’t enough. Bad actors are constantly evolving their tactics, and if you are waiting for them to knock on your door

In the world of information security, the lone wolf dies, but the pack survives. That is essentially the philosophy behind ISO 27001 Annex A 5.6: Contact with Special Interest Groups. While Annex A 5.5 tells you to keep a list of people who can arrest or fine you (authorities), Annex A 5.6 is about keeping

Imagine the worst-case scenario: It is 2 AM on a Saturday. You have just discovered a massive data breach. Ransomware is spreading through your servers, and customer data is leaking. In that moment of panic, do you know exactly who you are legally required to call? If your answer is “I’d Google it,” you are

Understanding Annex A 5.4: It Starts at the Top If you’ve ever worked in an office where the boss ignored the very rules they forced everyone else to follow, you know exactly why ISO 27001 Annex A 5.4 exists. This control is all about “walking the talk.” It requires management to ensure that all employees

If you have ever watched a heist movie where two people need to turn keys simultaneously to open a vault, you already understand the core concept of ISO 27001 Annex A 5.3. In the world of information security, this is known as Segregation of Duties (SoD), and it is one of the most effective ways

If you have ever tried to organise a group dinner where nobody knew who was bringing the drinks, who was cooking, or who was cleaning up, you already understand why ISO 27001 Annex A 5.2 exists. In the world of information security, leaving tasks to “someone” usually means they get done by “no one.” Annex

Achieving ISO 27001 certification requires more than just implementing technical controls; it demands a fundamental shift in organisational culture. ISO 27001 Clause 7.3 Awareness sits at the heart of this transformation. It’s a mandatory requirement that moves beyond simply ticking a box for compliance and focuses on embedding a deep, pervasive, and security-conscious mindset across

In the world of information security, it’s easy to get lost in the technical details of firewalls, encryption, and access controls. However, the international standard for information security management, ISO 27001, places significant emphasis on a decidedly human element: awareness. Clause 7.3 is not simply a requirement for mandatory training that can be ticked off

Navigating the landscape of ISO 27001 can often feel like a complex compliance exercise. However, at its core, the standard is a framework for building a robust and effective security program. Clause 6.2, which deals with “Information security objectives and planning to achieve them,” is a perfect example of this. In simple terms, this clause

Navigating the clauses of ISO 27001 can sometimes feel like a pure compliance exercise. However, Clause 6.2, which deals with information security objectives, is different. It’s the “why” behind your entire Information Security Management System (ISMS). This clause is not about ticking a box; it’s about setting clear, actionable goals that align security efforts with

In the world of information security, uncontrolled change is the silent antagonist responsible for a staggering number of operational failures. It is a stark figure, cited by sources like Gartner, that nearly 70% of service outages and audit failures originate not from sophisticated cyberattacks, but from uncontrolled or undocumented changes. This is precisely why ISO

Using data for testing is a classic double-edged sword. On one hand, realistic testing is absolutely essential for developing robust, reliable systems. On the other, it can create significant security vulnerabilities if not managed with precision and care. Copying sensitive production data into less-secure test environments opens the door to data breaches, regulatory penalties, and

In the role of Lead Auditor, I have witnessed well-intentioned security audits inadvertently trigger system crashes and data breaches. The very act of verifying defences can introduce new risks if not managed with surgical precision. This is the specific challenge that ISO 27001 Annex A 8.34, “Protection of information systems during audit testing, is designed

Most businesses today run on a complex web of connections. You have your office internet (ISP), your cloud providers (AWS/Azure), your VPNs for remote workers, and perhaps even third-party managed firewalls. If any of these “pipes” are compromised or fail, your business stops. ISO 27001:2022 Annex A 8.21, “Security of network services,” is the control

Let’s face it, the days of everyone sitting in a secure office behind a castle moat of firewalls are long gone. Today, your “office” is just as likely to be a kitchen table, a coffee shop, or a seat on a train. While this flexibility is great for productivity, it is a nightmare for security.

If your organisation was a medieval castle, privileged access rights would be the master keys that open every door, the drawbridge, and the treasury. In the wrong hands—whether it’s a malicious hacker or just a well-meaning employee who clicks the wrong button—these keys can bring the whole kingdom crashing down. This is why ISO 27001:2022

We have all heard the phrase “knowledge is power.” In the world of information security, however, knowledge—or rather, access to it—is a liability. If everyone in your company can read the CEO’s emails or edit the payroll database, you don’t have a security system; you have an open house. This is where ISO 27001:2022 Annex

If you are a technology company, your source code is likely your most valuable asset. It is the “crown jewel” that drives your revenue, contains your intellectual property, and holds the secrets to how your business operates. Yet, in many organisations, access to this code is treated with surprisingly little care—often stored in repositories where

Think of your network like a submarine. If a submarine has a hull breach, it doesn’t sink immediately because it is divided into watertight compartments. You can seal off the flooded section and keep the rest of the ship operational. ISO 27001:2022 Annex A 8.22, “Segregation of networks,” brings this exact logic to your information

We have all seen the headlines. A massive data breach occurs, and it turns out the “hacker” didn’t use some sophisticated zero-day exploit or crack a complex encryption algorithm. They just guessed the password “Password123” or bought a stolen credential on the dark web. Authentication is the front door to your organisation’s data. If you

We have all been there. You try to log on to a website the moment a big sale starts or concert tickets are released, and the screen just spins. The site crashes. It’s frustrating for the user, but for the business, it is a disaster. It means lost revenue, damaged reputation, and angry customers. In

In the digital age, malware is the wolf constantly circling the door. From ransomware that locks up your entire business to spyware that silently siphons off sensitive data, the threat is real, constant, and evolving. If you are pursuing ISO 27001 certification, you can’t just install a free antivirus and call it a day. ISO

Let’s be honest: software has bugs. From the operating system on your laptop to the firmware on your smart fridge, nothing is perfect. In the world of cybersecurity, these bugs are “technical vulnerabilities,” and hackers love them. They are the open windows in your otherwise locked house. ISO 27001:2022 Annex A 8.8 is the control

We have all been there. A server isn’t connecting to an application, so a helpful sysadmin temporarily disables the firewall “just to test.” It works, everyone is happy, and they move on to the next ticket. Six months later, you suffer a breach because that firewall was never turned back on. This phenomenon is called

We are all guilty of being digital hoarders. Whether it is that “draft_v1_final_REAL.docx” from three years ago or a customer database from a project that ended in 2019, we tend to keep data “just in case.” But in the world of information security, holding onto data you don’t need isn’t just clutter—it’s a liability. This

The internet is the world’s biggest library, but it is also the world’s biggest minefield. For every useful research site or SaaS tool your employees need, there are a dozen others hosting malware, phishing kits, or illegal content. ISO 27001:2022 Annex A 8.23, “Web filtering,” is a new control introduced in the 2022 update to

We live in a world where data is the new oil, but unlike oil, you can’t just store it in a barrel and forget about it. If you are handling Personal Identifiable Information (PII), financial records, or sensitive health data, you are holding a ticking time bomb. One wrong move, one exposed database, and you

We have all been there. That split-second of panic when you realise you’ve accidentally hit “Reply All” on a sensitive email, or the sinking feeling when you hear about a USB drive left on a train. In the world of information security, these aren’t just embarrassments; they are data leaks. With the update to ISO

We have all been there. That sinking feeling when a file you were working on vanishes into the digital ether, or worse, a server crash takes your entire customer database with it. In the modern threat landscape, where ransomware is more of a “when” than an “if,” your backup strategy is effectively your insurance policy.

We have all been there. You are in the middle of a critical transaction, a presentation, or a data upload, and suddenly—darkness. A server crash, a power outage, or a network failure brings everything to a grinding halt. In the world of information security, this isn’t just an annoyance; it is a business continuity disaster.

Imagine a plane crash where the investigators arrive at the scene, only to find the black box is missing—or worse, it was never turned on. That is the exact scenario you face in information security if you don’t have proper logging in place. When a breach happens (and it’s often a case of when, not

Security is not a “set it and forget it” exercise. You can build the highest walls and the strongest gates, but if you don’t have a security guard watching the cameras, you won’t know someone has climbed over until it’s too late. This is the core principle behind ISO 27001:2022 Annex A 8.16. While Annex

Imagine trying to solve a crime where every witness gives you a different timeline. One says the event happened at 2:00 PM, another swears it was 2:15 PM, and the security camera says 1:30 PM. It would be a nightmare, right? In the digital world, this is exactly what happens when your servers and devices

In the world of IT security, there are some tools that act like master keys. They can bypass passwords, edit protected files, and change how operating systems behave. These are your “privileged utility programs.” While they are incredibly useful when things go wrong, they are also a massive risk if they fall into the wrong

We’ve all been there. You need a quick tool to convert a file or a little plugin to make a task easier, so you just download it and install it. It seems harmless enough, right? But in the world of information security, that casual “click-and-install” culture is a massive vulnerability waiting to happen. This is

If you have ever stared at a network diagram and wondered how on earth you are going to get it past an auditor, you are not alone. Network security is often seen as the beast of information security—complex, technical, and constantly changing. But with the update to ISO 27001:2022, the new control Annex A 8.20

In the world of information security, cryptography is your final line of defence. If the firewalls fail, the passwords are guessed, and the physical doors are breached, encryption is the only thing standing between a hacker and your sensitive data. It turns readable assets into useless gibberish for anyone without the key. ISO 27001:2022 Annex

If you were building a bank vault, you wouldn’t build the walls first and then try to figure out where to drill the holes for the locks. You would design the security into the blueprints from day one. This is exactly what ISO 27001:2022 Annex A 8.25 is about. Annex A 8.25, titled “Secure development

There is an old carpenter’s adage: “Measure twice, cut once.” In the world of software, this translates perfectly to security. If you wait until an application is fully built to ask, “Is this secure?”, you have already lost the battle. Fixing a security flaw in a finished product is infinitely more expensive and painful than

If you have ever tried to add a basement to a house after it was already built, you know exactly why ISO 27001 Annex A 8.27 exists. Trying to “bolt on” security after a system has gone live is expensive, messy, and rarely effective. This control is here to ensure that you design your digital

In the modern digital landscape, software is eating the world, but vulnerabilities are eating software. If your organisation develops its own code—whether it is a core product, a customer portal, or just internal scripts—you are essentially a software company. And that means you have a target on your back. ISO 27001:2022 Annex A 8.28, “Secure

Building secure software is a lot like building a bridge. You wouldn’t just bolt the steel beams together and hope for the best; you would stress-test every joint and run simulations before letting a single car drive across. ISO 27001:2022 Annex A 8.29, “Security testing in development and acceptance,” is the part of the standard

Outsourcing your software development is a fantastic way to access talent and speed up delivery, but it can also be a security nightmare. When you hand over the keys to your code to a third party, you aren’t just outsourcing the work—you are outsourcing a significant amount of risk. ISO 27001:2022 Annex A 8.30, “Outsourced

Imagine a chef trying to invent a new spicy soup recipe in the same pot that is currently serving customers in the dining room. One wrong move with the chilli powder, and the dinner service is ruined. In the world of information security, this is exactly what ISO 27001:2022 Annex A 8.31 tries to prevent.

If you have ever seen a software update crash a critical server on a Friday afternoon, you already know why ISO 27001 Annex A 8.32 exists. In the world of information security, “change” is often a synonym for “risk.” Whether it is patching a vulnerability, upgrading a database, or even changing a physical lock on

When businesses rush to get a new feature out the door, the first thing that often gets compromised is security in the testing phase. Developers need data to test with, and the easiest path is often just copying a slice of the live production database. But this convenience is a massive security trap. ISO 27001:2022

When you are working toward ISO 27001:2022 certification, much of your focus is usually on keeping hackers out. But what happens when the “intruder” is actually an auditor or a technical tester you’ve invited into the building? This is where Annex A 8.34 comes into play. ISO 27001:2022 Annex A 8.34, titled “Protection of information

Embarking on the ISO 27001 certification journey is a significant strategic decision. At its core lies Clause 7.1: Resources, a mandatory requirement that compels an organisation to determine and provide the assets, people, and budget needed for a successful Information Security Management System (ISMS). Think of Clause 7.1 as the bedrock of your security posture.

An ISO 27001 project typically fails for one of two reasons: a lack of management commitment or a lack of resources. Clause 7.1 is where you solve the second problem before it begins. This mandatory requirement forces your organisation to formally identify and provide the people, tools, and budget needed for a successful Information Security

You cannot achieve ISO 27001 certification if your team lacks the necessary expertise. It is that simple. ISO 27001 Clause 7.2, the “Competence” clause, is a mandatory requirement ensuring the people managing your information security possess the right skills, knowledge, and experience. This isn’t just about ticking a box; it’s about building a team capable

Successfully implementing an Information Security Management System (ISMS) hinges on the capabilities of your people. ISO 27001 Clause 7.2, “Competence,” is a mandatory requirement that ensures the right people with the right skills are managing your information security. While it may sound complex, the core principle is simple: you must prove that your team is

The 2022 update to the ISO 27001 standard introduced a pivotal new requirement: Clause 6.3, Planning of Changes. While new to the text, this clause formalises what has long been considered a best practice in information security. It ensures that modifications to your Information Security Management System (ISMS) are deliberate, controlled, and safe. This guide

The 2022 update to the ISO 27001 standard introduced a specific new requirement: Clause 6.3, Planning of changes. If this is your first encounter with this clause, there is no cause for alarm. While the clause is a new, explicit addition, the core concept of managing changes in a planned, controlled manner is a fundamental

If there is one clause that separates a paper-based ISMS from a living, breathing one, it is ISO 27001 Clause 5.3. Get this wrong, and accountability evaporates. Get it right, and you build the very foundation of your security culture. This mandatory requirement focuses on defining and assigning information security roles, responsibilities, and authorities. It

In my 30 years as an ISO 27001 Lead Auditor, I have witnessed countless organisations struggle with a foundational control: policies. Many overcomplicate them into unusable encyclopaedias or treat them as a mere tick-box exercise. Both approaches fail audits. Policies are not just paperwork; they are the official voice of management, setting the clear direction

ISO 27001 Annex A 5.1 is a fundamental control for information security management. It focuses on that critical first step: establishing clear, effective policies. These policies form the bedrock of your Information Security Management System (ISMS), defining your organisation’s intent and direction. The purpose of this guide is to provide a straightforward ISO 27001 Annex

The ISO 27001 Clause 4.4 implementation checklist is designed to help an ISO 27001 Lead Implementer to implement ISO 27001 Clause 4.4 The Information Security Management System (ISMS) The 10 point ISO 27001 implementation plan sets out how to implement, the challenges faced and the solutions to adopt. How to implement ISO 27001 Clause 4.4