What a CEO should know about ISO 27001

Home / ISO 27001 / What a CEO should know about ISO 27001

Introduction

If you are a CEO or senior management looking to do ISO 27001 then this is everything you need to know. These are the facts no one else will tell you, and rather than the usual benefits and upsells we will cut straight to the nitty gritty and the reality of the ISO 27001 standard. Ready?

ISO 27001 is not an information security standard

The first shocking fact is that ISO 27001 is not an information security standard.

What it actually is: ISO 27001 is an information security management standard

And more than that: ISO 27001 is an information security risk management standard.

This is one of those facts that can blow your mind.

If the expectation is that this standard will tell you what security to put in place, set out some rules on what you need to do and make you more secure then you are sadly mistaken.

What is ISO 27001?

ISO 27001 is a very straightforward and easy to implement management system. It sets out how you manage information security in your organisation. At its heart is risk management and this is where it gets interesting.

If you are managing information security and you are managing risk, you will get your ISO 27001 certification.

Note here at no point have I referenced any technical requirements, or made reference to how you operate.

To be clear, this is about managing information security and managing risk.

If anyone says to you – we have to do X now because of ISO 27001 then they are probably mistaken.

It is very possible to have incredibly weak information security with little to no information security controls and still pass the audit and get certified.

I would not advise it, clearly. But it is possible.

What is the minimum you need to do?

The bare minimum you need to do is implement the basic ISO 27001 clauses from the standard – I even show you how to do it and give you step-by-step guides with videos, for free, in the ISO27001:2022 Reference Guide

In outline you are going to:

  • Define some roles
  • Allocate people
  • Write some policies
  • Do risk management
  • Audit and review yourself
  • Continually improve.

I have to re-state that it is not that hard.

ISO 27001 Toolkit

I don’t understand – how can I be insecure and still certify?

The answer is simple, this is about risk management. The only requirement on your actual security is that you are managing risk. Risk management is a beautiful thing because it allows you and encourages you and wants you to implement security to a level that is appropriate to you and proportionate to you.

You identify your risks and you implement the level of security you need.

And guess what?

If it turns out you don’t need or want to implement some security, you don’t have to. You can just accept the risk.

There is a middle ground here, for sure, but to answer the question of what is the bare miniimum you can get away with and still ‘pass’, the answer is shockingly straightforward.

The standard is pointless then?

I can see your perspective and it is not without it’s challenges. The level of how pointless it is for you is really down to your context. Let’s explore.

Clients Need

The main focus of having this standard as a CEO is going to be client need and commercial benefit. If someone won’t do business with you unless you have it then you have a choice. Get it and do business. Or don’t get it and move on to the next client opportunity.

What does having it actually tell my clients?

When you get ISO 27001 certification the only thing that it is telling your clients is that you are managing information security and you are managing your risks and this has been independently assessed as being true.

That is it.

What this translates to in reality is that anyone that does what I do for a living will follow up with further questions, document requests and audits of you to assess the actual level of security that you have implemented.

Those clients questionnaires are never going to stop.

Why does it cost so much?

You want the truth? People will charge you what they can. There is an entire industry that comes together to make this look and sound so hard that your only option is to seek outside help and the silver bullet services they offer and the premium price point they offer them.

They have their place.

This is about market forces, supply and demand and no one in an industry wanting to break ranks, so you get charged what they think they can charge you. Simple.

Is it worth doing?

It is worth doing. When you understand what it is, it is worth doing. Effectively managing information security and information security risk is valuable and those benefits are what most people will lead with.

When you understand this about managing then the value comes from that management.

Of course, you also get a certificate to stick on the wall and share with people.

ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing