ISO 27001 Ultimate Guide

ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)

Stuart Barker

ISO/IEC 27001 The International Standard for Information Security

We are going to expose ISO 27001 and give you all the facts and knowledge that you need that will save you $10,000s.

Before you embark on your journey, hire someone or buy an online solution … you must read this.


Let’s start with the basics and get the dry bit out of the way first.

What is ISO 27001?

ISO 27001 is the international standard for information security.

Information security is defined as confidentiality, integrity and availability of data.

What does that mean???

It means we make sure the right people have the right access to the right information when they need it.

ISO 27001 Defined

ISO 27001 sets out the specification for an Information Security Management System (ISMS). It IS a management system. A way to manage information security. It includes an annex, called Annex A, which is a list of technical controls that you must consider and implement.

What is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) is a set of ISO 27001 policies, ISO 27001 mandatory documents, ISO 27001 procedures and ISO 27001 technical controls that protects your information. It has management structures in place that manage based on risk and manage continual improvement.

The information security management system can be built using the ISO 27001 Toolkit.

What is Annex A / ISO 27002?

There is an annex to ISO 27001 called Annex A. Annex A is actually a standard in its own right called ISO 27002. ISO 27002 is a list of the technical controls that your organisation has implemented. You record this list of controls in your Statement of Applicability.

What is a Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document of the ISO 27001 standard. It lists out the controls of ISO 27001 Annex A / ISO 27002 and it records whether the control is applicable to you or not. If not it includes a reason why it does not apply to you.
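The two rules above (every Annex A control is listed with an applicable/not-applicable decision, and every exclusion carries a reason) can be checked mechanically. The following is an added example, not code from the page or from any toolkit; the control list is a constructed, deliberately tiny subset of ISO 27001:2013 Annex A used only to exercise the checks.

```python
"""Consistency checks for a Statement of Applicability (SoA).

Added example, not the page's or any toolkit's code. ANNEX_A_SUBSET is a
constructed subset of Annex A; a real SoA must cover every Annex A control.
"""
from dataclasses import dataclass

# Constructed reference list: (control id, title). Subset only.
ANNEX_A_SUBSET = [
    ("A.5.1.1", "Policies for information security"),
    ("A.6.1.1", "Information security roles and responsibilities"),
    ("A.11.1.1", "Physical security perimeter"),
    ("A.14.2.1", "Secure development policy"),
]


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""  # required when applicable is False


def check_soa(entries, reference=ANNEX_A_SUBSET):
    """Return a list of findings; an empty list means the SoA is consistent.

    Rules taken from the page: every Annex A control must be listed once,
    each with an applicable/not-applicable decision, and every control
    marked not applicable must carry a reason why it does not apply.
    """
    findings = []
    seen = {}
    for e in entries:
        if e.control_id in seen:
            findings.append(f"{e.control_id}: listed more than once")
        seen[e.control_id] = e
    ref_ids = {cid for cid, _ in reference}
    for cid, title in reference:
        if cid not in seen:
            findings.append(f"{cid} ({title}): missing from SoA")
    for cid in seen:
        if cid not in ref_ids:
            findings.append(f"{cid}: not an Annex A control in the reference list")
    for cid, e in seen.items():
        if not e.applicable and not e.justification.strip():
            findings.append(f"{cid}: marked not applicable without a reason")
    return findings


# Constructed SoA with two defects: A.11.1.1 is missing altogether and
# A.14.2.1 is excluded without a justification.
SAMPLE_SOA = [
    SoaEntry("A.5.1.1", True),
    SoaEntry("A.6.1.1", True),
    SoaEntry("A.14.2.1", False),
]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA):
        print(finding)
```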

What are ISO 27001 Policies?

ISO 27001 policies are statements of what you do. They are not statements of how you do it. How you do it is covered in process documents. You use policies to explain to people what is expected of them. The quickest way to get policies for ISO 27001 is to download the ISO 27001 Policy Templates Bundle.

What are the ISO 27001 Mandatory Documents?

The ISO 27001 Mandatory Documents are the documents that are required by the ISO 27001 standard. ISO 27001 works on the premise that if it is not written down, it does not exist. It is documentation heavy.

What ISO 27001 processes will I need?

You will need to document all of the processes that are going to be audited for your ISO 27001 certification. The list of controls in Annex A is a great starting point for the required processes, on top of which the processes for your product or service will also require documenting.

ISO 27001 Document Mark Up

The standard has very specific requirements when it comes to document mark up. What this means is that the documents that you produce should have version control, a classification, an owner, a last reviewed date as a minimum. The standard lays out clearly what is required.
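A simple check over the document control header enforces the minimum mark up listed above. This is an added example, not code from the page or from any toolkit; the "Key: Value" header layout, the major.minor version scheme, the classification set and the 365-day review interval are all assumed conventions, not something the standard prescribes.

```python
"""Check the document mark up (control header) of an ISMS document.

Added example, not the page's or any toolkit's code. It reads a "Key: Value"
header block (an assumed convention) and checks the minimum the page lists:
version control, a classification, an owner and a last reviewed date.
"""
import re
from datetime import date, timedelta

REQUIRED = ("Version", "Classification", "Owner", "Last Reviewed")
VERSION_RE = re.compile(r"^\d+\.\d+$")                   # assumed major.minor scheme
CLASSIFICATIONS = {"Public", "Internal", "Confidential"}  # assumed scheme


def parse_header(text):
    """Return the Key: Value pairs found before the first blank line."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_markup(text, today, max_age_days=365):
    """Return findings for a document header; an empty list means it passes.

    today may be a date or an ISO string. max_age_days is an assumed review
    interval; the page itself only requires that a last reviewed date exists.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    fields = parse_header(text)
    findings = [f"missing {k}" for k in REQUIRED if not fields.get(k)]
    version = fields.get("Version")
    if version and not VERSION_RE.match(version):
        findings.append(f"version '{version}' is not major.minor")
    classification = fields.get("Classification")
    if classification and classification not in CLASSIFICATIONS:
        findings.append(f"unknown classification '{classification}'")
    raw = fields.get("Last Reviewed")
    if raw:
        try:
            reviewed = date.fromisoformat(raw)
        except ValueError:
            findings.append(f"last reviewed date '{raw}' is not YYYY-MM-DD")
        else:
            if reviewed > today:
                findings.append("last reviewed date is in the future")
            elif today - reviewed > timedelta(days=max_age_days):
                findings.append(f"review overdue: last reviewed {raw}")
    return findings


# Constructed sample headers: one that passes and one with three defects.
GOOD_DOC = """Document: Access Control Policy
Version: 1.2
Classification: Internal
Owner: Head of IT
Last Reviewed: 2023-04-12

1. Purpose
"""
BAD_DOC = """Document: Backup Policy
Version: draft
Owner: Head of IT
Last Reviewed: 2021-01-05

1. Purpose
"""

if __name__ == "__main__":
    print(check_markup(GOOD_DOC, "2023-06-01"))
    print(check_markup(BAD_DOC, "2023-06-01"))
```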

ISO 27001 Risk Management

ISO 27001 is a risk based management system. This is a great system. In a risk based system the controls that you have and the level of control that you put in place are down to you and the risk you are trying to mitigate. Compare this to a rule based system such as PCI DSS that tells you exactly what controls you MUST have in place and the exact level of that control.

You have much more flexibility in a risk based system. Applying controls you do not need or implementing to a level that exceeds the risk can cost you a lot of money. You do not want to get this wrong.

ISO 27001 Continual Improvement

Continual improvement is the process by which your organisation continues to improve its approach to information security. It is baked into the standard. It knows you won't get everything right at the beginning, that things change and that as time goes by you will work out how to do things better. You can identify these opportunities for continual improvement as part of the standard by finding them during internal audits, finding them when incidents occur and things go wrong, or just brainstorming them and coming up with new ideas.

ISO 27001 Internal Audit

When you embark on ISO 27001 you embark on a commitment to being audited a lot. Internal audit means that you appoint someone independent to audit, i.e. go through, the standard and check that what you are doing still meets the requirements of the standard. The output of this is continual improvement, in that you may need to make changes to come back up to the level of the standard, but as it is internal it won't put your ISO 27001 certification at risk. Many companies will outsource internal audit and this is one of the biggest costs that you will bear if you do. You have to internally audit everything at least once every year and the usual approach is to break it down into chunks that you tackle each month over 12 months.

Compare this with external audit which is the certification audit. This does the same thing, again, but is much more formal and getting it wrong can put your hard earned ISO 27001 certification at risk.

ISO 27001 Truth Bombs

At the end of the day it is a certificate.

A bit of paper that your clients are asking, demanding and expecting of you.

It is a condition of doing business.

If there is a commercial reason to do it, you will do it. If there isn’t, you won’t.

It won’t make you more secure. It can. But it likely won’t.

It won’t stop you getting hacked. It can. But it likely won’t.

But it will open doors to new business.

Everything you need to know to get started with ISO 27001: Video

This video is absolutely everything you need to know to get started with ISO 27001. Watch this before you engage anyone. This will save you tens of thousands in costly mistakes.

Useful ISO 27001 Guides

The following ISO 27001 guides are a deeper dive into the topics so you can learn more.

ISO 27001 Policies Ultimate Guide
ISO 27001 Documents Ultimate Guide

The ISO 27001 Laid Bare: A deep dive on the ISO 27001 Clauses

Here we will take a deep dive on the ISO 27001 standard and each of the clauses that you will need to satisfy.

ISO 27001 Clause 4.1 Understanding the organisation and its context

The ISO 27001 Clause 4.1 requirement is to understand your own context and document how it might impact your information security management system. Specifically how it might impact the outcomes of your information security management system. By and large this is a quick and easy win and it sets out exactly what it wants from you.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.1 


ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties

The ISO 27001 clause 4.2 forms, as you would expect, part of ISO 27001 Clause 4 Context of Organisation. In clause 4.1 we looked at understanding the organisation and its context, which broke down into identifying internal and external issues. Here we are going to look at the needs and the expectations of interested parties. Specifically we are looking at people that might have an interest in the effectiveness of the information security management system and what their actual requirements are.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.2


ISO 27001 Clause 4.3 Determining the scope of the information security management system

This clause forms part of ISO 27001 Clause 4 Context of Organisation. In ISO 27001 Clause 4.1 Understanding the Organisation and its context we identified internal and external issues, and in ISO 27001 Clause 4.2 we looked at interested parties and their needs.

In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.3


ISO 27001 Clause 4.4 Information security management system

Clause 4.4 basically says: have an information security management system.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.4


ISO 27001 Clause 5.1 Leadership and Commitment

There are many aspects of ISO 27001 that ISO 27001 templates can help with and indeed there are many ISO 27001 mandatory documents. Leadership and commitment is one area that you will need both the templates and to actually get management and leadership buy in. This is a top down approach. It has to be seen as a top down approach.

More detail is provided in the Essential Guide to ISO 27001 Clause 5.1


ISO 27001 Clause 5.2 Policy

The requirement is to have a set of information security policies, which are provided in the ISO 27001 policy template bundle.

ISO 27001 Policy Bundle

ISO 27001 Clause 5.3 Organisational roles, responsibilities and authorities

The actual requirement is to make sure that roles, responsibilities and appropriate authority are assigned to people and that this is communicated. We document this as part of the communication plan and the requirement of the clause.

We need to make sure that responsibility is assigned to someone for ensuring the standard is met and for reporting on the effectiveness and performance of the information security management system to the business leaders, which they refer to as ‘top management’.

More detail is provided in the Essential Guide to ISO 27001 Clause 5.3


ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.1


ISO 27001 Clause 6.1.2 Information security risk assessment

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.

This clause is all about risk assessment. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process.

That risk assessment process has to set out risk criteria which are the parameters of your risk management.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.2


ISO 27001 Clause 6.1.3 Information Security Risk Treatment 

The ISO 27001 standard requires an organisation to select appropriate risk treatment options based on the risk assessment results. 

This clause is all about risk treatment. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and to treat those risks appropriately. It is, after all, a risk based management system. Not a rule based system.

That risk treatment process has to set out risk criteria which are the parameters of your risk management.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.3


ISO 27001 Clause 6.2.1 Information Security Objectives and Planning to Achieve Them

The ISO 27001 standard requires an organisation to establish information security objectives at relevant functions and levels.

This clause is all about information security objectives and planning to meet those objectives. The ISO 27001 standard for ISO 27001 certification wants you to define and achieve information security objectives.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.2.1


ISO 27001 Clause 7.1 Resources

The ISO 27001 standard requires an organisation to provide the resources needed to establish, implement, maintain and continually improve the information security management system.

This clause is all about people. The ISO 27001 standard for ISO 27001 certification wants you to have the right people available for running ISO 27001. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.1


ISO 27001 Clause 7.2 Competence 

The ISO 27001 standard requires an organisation to have people that are competent to do the work for information security. Simple. 

This clause is all about people and their skills, experience and competency. The ISO 27001 standard for ISO 27001 certification wants you to have the right people with the right skills for running ISO 27001. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.2


ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.3 Awareness is about communicating and making people aware of the information security policy, how they contribute to information security and the consequences of not conforming to information security. The ISO 27001 standard for ISO 27001 certification wants you to let people know what you expect, educate them and have processes in place for if things go wrong. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.3


ISO 27001 Clause 7.4 Communication

The ISO 27001 standard requires an organisation to effectively communicate about Information Security. That feels a bit vague so it goes further. It wants you to set out the what, when, with whom, the process and method of communication and who will do it. 

More detail is provided in the Essential Guide to ISO 27001 Clause 7.4


ISO 27001 Clause 7.5.1 Documented Information

The ISO 27001 standard requires an organisation to document the information security management system. It works on the premise that if it is not written down then it does not exist. There is a lot of documentation required for ISO 27001. Compliance with the standard may not make you more secure. Often the ISO 27001 certification is about the minutia of documentation rather than whether you are actually secure. Unless you are buying an ISO 27001 document templates toolkit you are going to have a lot of ISO 27001 documents to create.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.1


ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

The ISO 27001 standard requires an organisation to document the information security management system, that the documentation carries the required document mark up, and that documents are reviewed and approved.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.2


ISO 27001 Clause 7.5.3 Control of Documented Information 

ISO 27001 Clause 7.5.3 Control of Documented Information is about ensuring that documents are available as needed and that they are appropriately protected.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.3


ISO 27001 Clause 8.1 Operational Planning and Control

The ISO 27001 standard requires an organisation to plan, implement and control the processes needed to meet the requirements of Information Security. 

So ISO 27001 Clause 8.1 Operational Planning and Control is all about processes.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.1


ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.2 Information Security Risk Assessment is all about risk assessment. Where we covered the planning in ISO 27001 Clause 6.1.2, here we look at the execution. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and then execute it and make sure it gets done.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.2


ISO 27001 Clause 8.3 Information Security Risk Treatment 

The ISO 27001 Clause 8.3 Information Security Risk Treatment requirement is for an organisation to implement the information security risk treatment plan and retain documented evidence of the results. It is all about risk treatment. Where we covered the risk treatment planning in ISO 27001 Clause 6.1.3, here we look at the execution. The ISO 27001 standard for ISO 27001 certification wants you to effectively treat and manage risks.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.3


ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation

ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation requires an organisation to implement measures and monitors to evaluate the effectiveness of the information security management system. It is a requirement to maintain evidence of the results of measures and monitors.

More detail is provided in the Essential Guide to ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation


ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure it is operating effectively.

Learn more in the Essential Guide to ISO 27001 Clause 9.2 Internal Audit


ISO 27001 Clause 9.3 Management Reviews

ISO 27001 Clause 9.3 Management Review requires an organisation to conduct a Management Review Meeting at regular intervals and follow a structured, defined agenda.

Learn more in the Essential Guide to ISO 27001 Clause 9.3 Management Reviews


ISO 27001 Clause 10.1 Nonconformity and Corrective Action

ISO 27001 Clause 10.1 Nonconformity and Corrective Action is about effectively managing when things go wrong, correcting it and taking steps to make sure it does not happen again.

Learn more in the Essential Guide to ISO 27001 Clause 10.1 Nonconformity and Corrective Action


ISO 27001 Templates

ISO 27001 templates can be a great way to save a lot of time and a lot of money. These ISO 27001 templates are proven to do just that.

ISO 27001 FAQ

What does ISO 27001 mean?

ISO 27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.

What is the purpose of the ISO 27001 standard?

There are two goals for the ISO 27001 standard. The first goal is to provide a benchmark and framework against which businesses can operate for best practice of information security protection. The second goal is to be able to demonstrate through independent certification that a business meets the requirements of the international standard for information security and thereby provide assurance that the business is operating to a certain level.

Does ISO 27001 cover GDPR?

ISO 27001 can provide a framework to satisfy aspects of GDPR, especially around principle 6, maintain adequate security. It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it as a complementary standard and complementary framework.

What is the current version of ISO 27001?

At the time of writing ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017.

How do I check if a company is ISO 27001 certified?

The easiest way is to request a copy of their most up to date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body website for a register of companies that they have certified.

Is ISO 27001 a legal requirement?

In general no. It can be a requirement of a regulatory body or of a contract but it is not a legal requirement in the widest sense of law. Unlike the GDPR which is a law.

Is ISO 27001 mandatory?

ISO 27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.

Who does ISO 27001 apply to?

The ISO 27001 standard and ISO 27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO 27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.

Is ISO 27001 a framework?

Yes. ISO 27001 is a framework made up of policies, documents, controls and processes. It is a risk based framework with continual improvement at its heart. It requires top level, leadership commitment.

How much does ISO 27001 certification cost?

ISO 27001 certifications costs start at £3,600 and increase based on your company risk and company size.

Where do I find an ISO 27001 consultant?

You can find an ISO 27001 consultant at High Table – https://hightable.io/

How long does ISO 27001 take?

ISO 27001 certification takes 3 months from start to finish.

Is ISO 27001 expensive?

Yes, it can be. It is all relative. What is expensive for you may not be expensive for someone else. Expect the total cost of everything to come in at around £20,0000 to £25,0000.

What are the changes to ISO 27001 in 2022?

ISO 27001 Annex A changed in 2022. For a list of the changes see here: https://hightable.io/the-ultimate-guide-to-iso-27002-changes-2022/

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system and you can certify to ISO 27001.
ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.



About the Author

Stuart Barker

Stuart is an ISO 27001 Consultant and author of the ISO 27001 Templates Toolkit. Over 20 years he has helped hundreds of organisations with the ISO 27001 standard and getting them ISO 27001 certification with a 100% success rate.
