What is ISO27001 in the UK?

ISO 27001 is the international standard, published by ISO, for Information Security Management Systems (ISMS).

ISO 27001 has become one of the most widely adopted international standards for managing information security. It outlines the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

An Information Security Management System does what it says on the tin. It is designed to protect business information and ensure the Confidentiality, Integrity and Availability of business information.

Confidentiality, Integrity and Availability are the cornerstones of the ISO27001 standard.

So what does the ISO27001 Standard involve?

It’s important to understand what’s involved in creating a comprehensive ISMS that adheres to the standard. The ISO27001 standard is broken down into different sections, clauses and controls.

The key requirements of an ISMS are:

Information Security Policies

The foundation of any good ISMS is a set of formally defined information security policies. These outline the organisation’s approach, objectives and principles related to managing information security risks. Policies should cover topics like acceptable use of assets, access controls, encryption, monitoring, incident response etc.

Asset Management

A core activity is compiling and classifying an inventory of all information assets including devices. This involves identifying and documenting all information systems, data stores and flows, applications and other assets. A risk assessment is then conducted to determine the appropriate security controls for each asset based on its sensitivity and criticality to the organisation.

Human Resources Security

People play a crucial role in information security. ISO 27001 requires establishing security measures around employees, contractors, and third parties. This includes appropriate background checks, security terms in employment contracts, security awareness training, and disciplinary processes for policy breaches. We find that most organisations already have these checks in place; the challenge is documenting them.

Physical and Environmental Security

This aspect focuses on preventing unauthorised physical access to facilities and protecting equipment from threats like fires, floods and power outages. Relevant safeguards include secure areas, entry controls, CCTV, alarms, fire suppression systems and more. For remote workers, these physical security controls still need to be addressed.

Access Controls

Managing who can access which information systems and data is central to security. This involves identity management, user access management, authentication methods like passwords, network access controls, and more. Both technical and administrative access controls should be implemented.

Operational Security

Procedures must be established to ensure the correct functioning of information systems. This covers areas like change management, capacity planning, backup and recovery processes, logging and monitoring, malware protection, vulnerability management and secure configurations. Most organisations struggle the most with this section of the requirements, not because they don’t have it in place but because they need to document the controls.

Encryption

Encrypting sensitive data, both when stored and transmitted, is required to prevent unauthorised access. Suitable cryptographic algorithms and protocols should be selected based on the specific use case and level of confidentiality required.

Monitoring and Auditing

Activities in information systems must be tracked to identify potential security breaches. Regular internal audits should also be conducted to uncover vulnerabilities and non-conformities. Any incidents identified must be investigated and addressed through corrective actions.

Continual Improvement

The overarching goal should be to continually monitor the ISMS for effectiveness and make enhancements as needed. This is facilitated through key performance metrics, management reviews, user feedback surveys and keeping up to date with the evolving threat landscape. Most organisations we work with are continually improving the way they work, but fail to recognise the improvements being made.

Achieving ISO 27001 Certification

While implementing the standard’s requirements takes time and resources, the long-term benefits for information security are significant, and certification demonstrates to clients that your organisation takes information security seriously.

To learn more about pursuing ISO 27001, drop us an email or contact us through our contact form; we will be happy to help you understand what would work for your organisation. Get in touch today to start the journey!