What is ISO 27001?

Overview

ISO 27001 is the internationally recognised standard for information security management. It provides organisations with a systematic approach to managing sensitive information and ensuring its ongoing confidentiality, integrity, and availability.

The Foundation: The ISMS

At its core, ISO 27001 is about building and maintaining an Information Security Management System (ISMS). This isn't just another set of policies to file away - it's a living, breathing framework for managing your organisation's information security risks.

Your ISMS encompasses:

  • Establishing clear security objectives and controls

  • Understanding the risk your business faces

  • Implementing appropriate security measures

  • Operating security processes effectively

  • Monitoring system performance

  • Reviewing outcomes and effectiveness

  • Maintaining security standards

  • Continually improving based on measured results

The Control Framework

On top of your overall ISMS, ISO 27001's ‘Annex A’ provides 93 controls across four essential areas:

1. Organisational Controls

  • Information security policies

  • Business processes and procedures

  • Risk management frameworks

  • Clear roles and responsibilities

2. People Controls

  • Security awareness and training

  • Access control and management

  • Human resource security

  • Clear security responsibilities

3. Physical Controls

  • Facility security requirements

  • Equipment protection

  • Physical access management

  • Environmental security

4. Technological Controls

  • System and network security

  • Encryption and technical safeguards

  • Security monitoring and logging

  • Technical vulnerability management

The Risk-Based Approach

The most valuable aspect of ISO 27001 is its risk-based methodology. Rather than mandating every control for every organisation, it requires you to:

  1. Do your risk assessment

  2. Look at Annex A as a helpful suggestion box

  3. Pick controls that make sense for YOUR business

  4. Document your choices

  5. Get on with actually being secure

So for some organisations, certain controls can be excluded because they simply aren’t relevant to their risks. No network cables? No need for a policy on network cables.

Tom Gell

Translating ISO 27001 into human language for fast-growing companies. Former public sector leader who helped scale a startup to £1M ARR by making compliance digestible. Now on a mission to prove security certification doesn't require a 400-page policy manual or a PhD in bureaucracy. Powered by coffee and clarity.

https://www.isoserious.com