ISO/IEC 27001 – Information Security Management

ISO/IEC 27001 Information Security Management Systems

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

This standard belongs to the ISO/IEC 27000 family of standards, which enable organisations in all sectors, regardless of their size, to protect their information assets against breach, corruption or loss, whether caused by malicious actors, accidents or other threats.

Whilst there are over 30 standards in the ISO/IEC 27000 family, many of them broken into multiple parts that address specific controls and guidelines, ISO/IEC 27001 is the most widely adopted Information Security standard. It is the only standard in the family that organisations can be certified against, and certification is commonly sought to demonstrate to internal and external stakeholders that information security risks have been identified and are being actively managed.

Further to ISO/IEC 27001, organisations wishing to establish an ISMS will draw upon guidance from other standards in this family, including:

  • ISO/IEC 27000: Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27002: Information security, cybersecurity and privacy protection — Information security controls
  • ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks
  • ISO/IEC 27009: Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements
  • ISO/IEC 27014: Information security, cybersecurity and privacy protection — Governance of information security
  • ISO/IEC 27035: Information technology — Information security incident management
  • ISO/IEC 27039: Information technology — Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS)
  • And many more (see the Wikipedia page for the ISO/IEC 27000 series for a full list).

Depending upon the sector(s) in which an organisation operates, it may draw upon any number of these standards when building its ISMS, alongside the regulations that govern its operations.

Why is Information Security so Important?

The consequences of poor information security management were widely exposed by the 2022 breaches experienced by Optus and Medibank Private.

These consequences can include:

  • Loss of access to organisational data.
  • Theft of confidential information, including customer data (exposing those customers to further risk such as identity fraud).
  • Loss of customers who no longer have confidence in your organisation.
  • Encryption or corruption of information that is then held to ransom by external parties.
  • Financial losses where a breach exposes the organisation to fraud.
  • Downtime to business operations, leading to productivity loss.
  • Regulator investigations into data breaches (e.g. the OAIC investigation into Optus).
  • Fines and penalties for noncompliance with governing regulations, such as the Australian Privacy Act 1988 or the European Union General Data Protection Regulation (GDPR).
  • Public scrutiny and reputational damage.
  • Class-action lawsuits from affected individuals seeking compensation.

Elements of an Information Security Management System

The ISO/IEC 27001 standard is structured into two separate parts:

  • Clauses 0 – 10: The main body of the standard. Clauses 4 – 10 contain the mandatory requirements (context, leadership, planning, support, operation, performance evaluation and improvement) and follow the ISO Harmonized Structure (formerly the High Level Structure, HLS) that other popular management system standards, such as ISO 9001 for Quality Management Systems, are also based on.
    • The common structure lets each standard address its own subject matter while making it straightforward to integrate the ISMS with the organisation's other management systems.
  • Annex A: Annex A to ISO/IEC 27001 provides a reference list of information security controls. Each control must be reviewed against the organisation's risk treatment plan to determine whether it applies.
    • An organisation seeking ISO/IEC 27001 certification is required to produce a Statement of Applicability (SoA) that lists the necessary controls, records whether each is implemented, and justifies both the inclusion of each selected control and the exclusion of any Annex A control that is not applied.
    • The 2022 editions of ISO/IEC 27001 and its companion standard ISO/IEC 27002 reduced the number of Annex A controls from 114 (in the 2013 edition) to 93, grouped into four themes: organisational, people, physical and technological. The organisation may still identify additional controls relevant to its own operations.

Developing and Implementing an ISMS

The decision to develop and implement an ISMS is not one to be taken lightly. It requires the full commitment of top management, and a budget that covers not only the design of the ISMS but also its ongoing operation, internal audits, management reviews and continual improvement.

Whilst larger organisations may have the internal resources and expertise to tackle an ISMS project on their own, many small to medium sized businesses are not likely to have this luxury and will need the support of external consultants or specialists.

The time taken to develop the ISMS will be based on a number of factors including:

  • The size and complexity of the organisation, including its geographical spread of operations.
  • The scope of the intended ISMS, which may be narrower than the entire organisation (for example, a single business unit, product or data centre).
  • The ability for key organisational stakeholders to commit their time to the ISMS project.

Learn more about how DBell Consulting can assist you with your Information Security Management System requirements.

Book an online consultation to discuss your needs.
