ISO 27001 – the Information Security Management Standard
What is ISO 27001?
ISO/IEC 27001:2022 (ISO 27001) is the international standard for an ISMS (information security management system).
As well as helping organisations maintain the confidentiality, integrity and availability of their information assets, the Standard can help organisations achieve their regulatory compliance objectives concerning data privacy and information security.
For instance, the "appropriate technical and organisational measures" that laws such as the GDPR (General Data Protection Regulation) require can be selected, implemented and evidenced as part of ISO 27001 compliance.
Organisations can achieve independently audited certification to the Standard to demonstrate that their ISMS follows international best practice.
ISO 27001 certification is increasingly seen as a powerful assurance to your customers and business partners of your commitment to meet your obligations.
What are the benefits of ISO 27001?
Legal compliance
An ISO 27001-certified ISMS can help your organisation meet the requirements of various data protection laws around the world, including the EU GDPR, UK GDPR and DPA (Data Protection Act) 2018.
Demonstrates information security best practice
ISO 27001 certification demonstrates the existence of mature, independently audited security processes and procedures, typically at a lower cost than a SOC 2 audit.
Win and retain business
Certification to ISO 27001 shows that your organisation is committed to the security of its information and can help you gain a competitive advantage, building stakeholder trust and customer loyalty.
Continual improvement
The certification process helps the whole organisation focus on continually improving its information security processes.
Avoid the costs associated with a data breach
Certification to ISO 27001 is the recognised benchmark for information security management. A functioning ISMS reduces both the likelihood and the impact of a breach, and with it the financial, operational and regulatory losses that accompany one.
Your organisation is not always protected by technical security measures
Technical security measures such as firewalls, antivirus software and other technological approaches, on their own, have a limited ability to protect a complete information system.
ISO 27001 specifies the requirements for an ISMS; its companion standard, ISO/IEC 27002, provides implementation guidance for the controls.
An ISMS presents a holistic approach to information security, providing protection on three levels: people, processes and technology.
ISO 27001 and risk assessments
Ensuring the security measures you implement are relevant to the risks you face is critical to ensuring your ISMS functions effectively.
Clause 6.1.2 of ISO 27001:2022 requires that the information security risk assessment process:
- Establish and maintain information security risk criteria, including the risk acceptance criteria and the criteria for performing risk assessments;
- Ensure that repeated risk assessments “produce consistent, valid and comparable results”;
- Be applied “to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”;
- Identify the owners of those risks; and
- Analyse those risks by assessing the potential consequences and the realistic likelihood of each and determining the resulting risk levels, and evaluate them by comparing the results with the risk criteria and prioritising them for treatment.
You must also “retain documented information about the information security risk assessment process”.
Many organisations use ISO 27001 as the ‘gold standard’ for designing a comprehensive set of security controls. An ISMS based on ISO 27001 demonstrates the extent to which cyber and information risks are being controlled.
There are five stages to an information security risk assessment:
Establish a methodology
For risk assessments to be “consistent, valid and comparable” every time they’re carried out, the process you use must be objective, transparent and auditable. You should therefore establish a formal methodology that will produce consistent results each time, even when followed by different risk assessors.
Identify risks
A risk has three components:
- An asset that has value and requires protection.
- A threat that can affect it.
- A vulnerability that allows the threat to affect the asset.
Assets can be split into multiple types, such as information and data, hardware and software, systems and storage, and so on. Classifying them this way helps ensure that everything of value to your organisation is identified and that each asset has a defined owner.
Assets may have multiple threats, which can in turn affect them via multiple vulnerabilities. It is important to consult with asset owners to ensure that the risks identified are relevant and adequate – and not excessive.
This is also the time to identify the controls that you already have in place so that you do not waste time unnecessarily duplicating efforts. Existing controls should also be checked to determine whether they work properly or need to be removed, replaced, modified or supported by other controls.
Analyse risks
For each risk you identify, assess the likelihood of each threat exploiting each individual vulnerability and the impact on the asset if it does, and assign each a score or value on your predefined scales.
The risk score is the product of impact and likelihood.
Evaluate risks
You should then evaluate the risks to establish where they fit in terms of your risk appetite. Only once you’ve done this can you decide the appropriate way to treat each risk and the order in which they should be treated.
It’s particularly important to identify whether the risk falls within or outside your predetermined level of acceptable risk.
Select risk treatment options
Once all risks have been scored and prioritised, you must decide how to handle and manage them. For each risk, the treatment options are:
- Modify – normally by implementing security controls that will reduce likelihood or impact.
- Retain – accept the risk because it falls within your established risk acceptance criteria, or through an explicitly documented management decision to accept a risk that exceeds them.
- Avoid – end the activity or circumstance that gives rise to the risk, for example by not carrying out the activity at all.
- Share – generally by insuring or outsourcing. Sharing transfers part of the financial or operational consequence to a party better able to bear or mitigate it; you would typically still suffer some of the effect, and accountability for the risk remains with you.
You can then determine the controls needed to treat each risk, compare them with Annex A of ISO 27001 to check that no necessary control has been overlooked, and produce an SoA (Statement of Applicability) that:
- Identifies the controls you’ve selected;
- Explains why you’ve selected them;
- States whether they’ve been implemented; and
- Explains why any controls have been omitted.
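As an added example that is not part of the original page and not taken from the standard itself, the following Python sketch applies the five risk assessment stages and the SoA rule to a small constructed risk register. The scales, acceptance threshold, assets, threats, owners, treatment decisions and selected controls are all assumptions made for the example; the four Annex A control titles are quoted from ISO/IEC 27001:2022 and should be verified against your own copy of the standard.

```python
from __future__ import annotations
from dataclasses import dataclass

# Stage 1, methodology: fixed ordinal scales so that different assessors
# produce comparable scores. The scales and threshold are assumed values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # risk acceptance criterion: scores <= 6 are within appetite
TREATMENTS = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: str
    impact: str
    treatment: str = ""
    controls: tuple = ()      # controls selected when the treatment is "modify"
    justification: str = ""   # documented decision when retaining above appetite

    def score(self) -> int:
        """Stage 3, analyse: the risk score is the product of impact and likelihood."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        """Stage 4, evaluate: is the risk within the predetermined acceptable level?"""
        return self.score() <= ACCEPTANCE_THRESHOLD


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest score first: the order in which risks should be treated."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def check_treatment(risk: Risk) -> list[str]:
    """Stage 5: return problems with the chosen treatment (empty list = consistent)."""
    label = f"{risk.asset}/{risk.threat}"
    if risk.treatment not in TREATMENTS:
        return [f"{label}: unknown treatment {risk.treatment!r}"]
    problems = []
    if risk.treatment == "modify" and not risk.controls:
        problems.append(f"{label}: 'modify' chosen but no controls selected")
    if risk.treatment != "modify" and risk.controls:
        problems.append(f"{label}: controls listed but treatment is '{risk.treatment}'")
    if risk.treatment == "retain" and not risk.acceptable() and not risk.justification:
        problems.append(f"{label}: retaining a risk above appetite needs a documented decision")
    return problems


def statement_of_applicability(risks, annex_a, implemented, exclusions):
    """Each control is selected (with the risks that justify it and whether it is
    implemented) or excluded with a reason; anything else is reported as a gap."""
    soa = {}
    for control_id, title in annex_a.items():
        justified_by = [f"{r.asset}/{r.threat}" for r in risks if control_id in r.controls]
        if justified_by:
            soa[control_id] = {"title": title, "applicable": True,
                               "justification": justified_by,
                               "implemented": control_id in implemented}
        elif control_id in exclusions:
            soa[control_id] = {"title": title, "applicable": False,
                               "justification": exclusions[control_id]}
        else:
            soa[control_id] = {"title": title, "applicable": None,
                               "justification": "GAP: not selected by any risk and no exclusion reason"}
    return soa


# Constructed sample register (assets, threats, owners and decisions are invented).
# Control titles are from ISO/IEC 27001:2022 Annex A; verify against your copy.
ANNEX_A = {"A.5.15": "Access control", "A.8.7": "Protection against malware",
           "A.8.13": "Information backup", "A.8.24": "Use of cryptography"}
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "no tested offline backups", "Head of IT",
         "possible", "severe", treatment="modify", controls=("A.8.7", "A.8.13")),
    Risk("customer database", "unauthorised access", "shared admin accounts", "Head of IT",
         "likely", "major", treatment="modify", controls=("A.5.15",)),
    Risk("laptops", "theft", "disks not encrypted", "IT operations",
         "possible", "moderate", treatment="retain"),  # above appetite, no decision recorded
    Risk("public brochures", "disclosure", "open share link", "Marketing",
         "likely", "negligible", treatment="retain"),  # within appetite
]
SAMPLE_IMPLEMENTED = {"A.5.15", "A.8.7"}
SAMPLE_EXCLUSIONS = {}  # empty on purpose: A.8.24 will be reported as a gap


def run_sample():
    ordered = prioritise(SAMPLE_RISKS)
    problems = [p for r in ordered for p in check_treatment(r)]
    soa = statement_of_applicability(SAMPLE_RISKS, ANNEX_A, SAMPLE_IMPLEMENTED, SAMPLE_EXCLUSIONS)
    return ordered, problems, soa


if __name__ == "__main__":
    ordered, problems, soa = run_sample()
    for r in ordered:
        status = "accept" if r.acceptable() else "treat"
        print(f"{r.score():2d} {status:6} {r.asset}: {r.threat} -> {r.treatment}")
    for p in problems:
        print("problem:", p)
    for control_id, row in soa.items():
        print(control_id, row)
```

Two of the checks are the ones auditors most often find missing: the laptop risk is retained above the acceptance threshold with no documented decision, which `check_treatment` reports, and A.8.24 is neither selected by any risk nor given an exclusion reason, which the SoA reports as a gap rather than silently omitting the control.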
Find out more about ISO 27001 risk assessments by downloading our free white paper.