The ISO/IEC 27001 Standard for Information Security

ISO/IEC 27001 is the international standard on information security. It was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to stipulate the framework for implementing Information Security Management Systems (ISMS) in an organized and risk-effective way. 

For this article, we’ll mostly refer to ISO 27001, but know that we’re referring to both ISO/IEC 27001. Got it?

Let’s begin!

What is ISO 27001?

ISO 270001 was established based on the three principles of the CIA triad. These are:

• Confidentiality. That only authorized personnel, according to the organization’s discretion, should have access to the information.
• Integrity. That the information in custody of the authorized persons should be accurate and consistent and reliable.
• Availability. Information should be readily available to the authorized persons when they need it.

An important clarification that’s needed here is that information security (InfoSec) is the focus of ISO 27001 — not the wider tech or security industries. This is because in whatever form it comes, information is vital, whether it’s technical information or personal or financial. This means that any organization or company, in any industry, can be certified with ISO 27001. 

You’ll find most companies hiring third-party vendors to handle it for them (more on this later) or even having a learning budget for someone in the company to get the certification and implement the requirements. It’s also why implementation takes longer — it covers every aspect of the company that handles information or data, rather than just the activities in the IT department. 

Since this standard also covers system changes and updates, its requirements have been periodically updated since it’s establishment in 2005. The most recent version went out in October 2022: the ISO/IEC 27001:2022. This comes with a couple major changes:

• Updates to the security controls in Annex A versions the earlier 2013 version.
• Transition timeline is set to three years, which means that existing certificates need to be transitioned to the new version before November 2025.

How does ISO 27001 work?

If you imagine ISO 27001 as random documents given to organizations or a shiny logo displayed on their website, then you’ve got the wrong idea about ISO 27001. Though we define it and refer to it as a standard, it’s more like a playbook for organizations. 

ISO 27001 works by finding and eliminating risks (risk assessment and risk treatment) in your company’s infrastructure through safeguards. These safeguards are referred to as controls within the ISO 27001 framework — there are 93 controls.

So, it’s left to the organization implementing the standards to specify the controls they’ll implement, in a document called the Statement of Applicability (SoA). 

We can say that ISO 27001 is not prescriptive, instead it guides. Which is why it’s better described as a framework. You take what you need that suits your business needs and apply it. This is why the security controls are essential — but not mandatory. The standard operates at a global level and wasn’t created for one niche or a particular business model.

Importance & benefits of ISO/IEC 27001

The strength of your ISMS relies on the strength of the systems put in place to protect them, which is why ISO/IEC 27001 takes the crown as the gold standard for ISM globally.

Since it’s handled by the International Organization for Standardization, ISO/IEC 27001 comes with different benefits for the organizations, and stakeholders that abide by its requirements. Some of which include…

Guarantees cyber resilience

There has been a rise in cyberattacks thanks to massive digitalization. The World Economic Forum’s Global Cybersecurity Outlook report based on their survey of over 120 cyber leaders advices companies to build cyber resilience to show their commitment to information security for clients and customers. 

Abiding by the ISO 27001 standards shows commitment to handling ISMS and beefing up cyber security in case of any attack. Especially as the framework helps organizations to:

• Identify risks.
• Handle problems.
• Guarantee the efficiency of ISMS by holding it up to the highest standard.

Checks organizational processes and work culture 

Since ISO 27001 prescribes a more holistic framework for handling ISMS, its methodology cuts across people, processes and technology — no holds barred when it comes to keeping the InfoSec architecture safe. So, processes must be reviewed for loopholes and to ensure compliance with the ISO standard.

Employees will also be trained to handle information that gets to their table to maintain its integrity and confidentiality. Also, the leadership won’t be excluded from staying compliant even in their supervisory duties. All of this will lead to:

• An improved work culture for all.
• Better security awareness will prevent employee-related cyber accidents.
• Workflow clarity on managing information-related issues which will impact productivity.

Ensure stakeholder and customer satisfaction

Demonstrating your organization’s dedication to InfoSec by implementing ISO 27001 and upholding its standards gives your customers and stake holders less issues to worry over. The thoroughness of this framework in covering every aspect of infosec gives customers more reason to trust your company’s ability to handle their needs. In turn, this guarantees:

• Better control over your business
• Quality service and product delivery

Keeps the business compliant

Defaulting on regulatory and legal policies gives your organization a bad look. And since ignorance of the law is not an excuse, you’ll need to stay pro-active to avoid getting entangled in such mess.

ISO 27001 also covers this aspect by highlighting what needs to be done regarding compliance. The upside to this too is you get to save funds that could have been spent getting out of a regulatory crisis.

(See if compliance as a service is right for you.)

Increases sales & improves marketing

Because this framework is so well-respected, the validation the ISO 27001 brings can be a significant marketing moment for companies. For starters, it bestows trust, which is important to get people to close the deal with you. It can serve as a competitive advantage, too, if your competitors are yet to be certified. 

Doing this can attract customers to your business. For example, you can send out a press release announcing your organization’s ISO 27001 certification. Take a look at Splunk’s very own news about ISO 2700 certification — going all the way back to 2016!

ISO 27001 requirements

ISO 27001 is divided into two parts: Clauses and Annex A.

Clauses

These clauses are 11 in total, but our focus is on clauses 4-10 which stipulate the mandatory requirements for implementation. There, we find the structure of the ISO 27001 which is:

• Clause 4: Context of the organization. Here you define the organizational structure, and everything related to the market, political and economic conditions of the company.
• Clause 5: Leadership. ISO 27001 implementation depends on the goals of the organization. So this clause mandates you consult with the management to ensure alignment and clarification on roles and responsibilities
• Clause 6: Planning. Since the goal of ISO 27001 is risk assessment, a risk treatment plan has to be in place that fits the clauses mentioned above, and will deliver the best results for the organization.
• Clause 7: Support. ISO 27001 thrives on the right structure. Which includes resources, personnel and documentation. 
• Clause 8: Operation. What do all of the above look like in action? That’s what this clauses focuses on. There must be processes for ensuring the success of your plans when they are put to the test.
• Clause 9: Performance Evaluation. With your ideas in action, work still goes on. Monitoring, measurement and analysis has to be done to prevent and nip issues in the bud.
• Clause 10: Improvement. This is the point where you start modifying your actions.

Annex A

It’s in Annex A we find the 93 different security controls mentioned earlier. These controls are further divided into four parts:

• Organizational controls (37) for establishing processes and documentation.
• People controls (8) for management of human resources.
• Physical controls (14) for handling work equipment.
• Technological controls (34) for IT and communication controls.

How to earn ISO/IEC 270001 certification? 

Individuals and organizations can choose to get certified by fulfilling the ISO requirements. This certification is usually handled by an external body — the ISO is responsible solely for creating the standards.

ISO 27001 certification for individuals

People who intend to get certified often do so as a way of getting one leg up the career ladder and to validate their ability to handle (audit, manage and protect) ISMS. This skill will make you valuable in any InfoSec space. With this certification, you can even become an ISO/IEC 27001 lead implementer or ISO/IEC 27001 lead auditor. 

(You might be interested in other security certifications, too.)

ISO 27001 certification for organizations

To earn organization-level certification, your org must be audited by an ISO 27001 consultant (they mainly work freelance) or independent body before you can claim this title. A note on the language used around certification:

• Following the requirements of ISO 27001 means your company is compliant.
• Only if you are verified by an independent and accredited body is your organization said to be ISO 27001 certified. 

The process for getting this done is capital intensive and can take from three months to a year, depending on the size of your organization. Your organization will be audited on the following:

• Risk assessment plan
• Risk treatment plan (RTP)
• Organization's information security policy
• Statement of Applicability (SoA)
• Technology in use

Plus other documentation. Everything has to be accounted for — down to the purchase of a new device in the company or even a change in the leadership structure.

Challenges with certifying

Becoming compliant or going further towards certification in this ISO is not easy. Considering all the requirements above, plus additional factors such as:

• The cost for external body or consultant in charge of the certification.
• The periodic updates and checks that will be done even after the certification has been issued.

Little wonder why smaller companies shy away from getting theirs and why it’s a thing of pride for those who have.

ISO/IEC 27001 helps your organization stay compliant

As your business tries to stay resilient, staying up to date with industry trends and technology is one way of getting this done. ISO 27001 helps you stay relevant at a global level and keeps your organization safe from compliance and cyber issues.

At Splunk, implementing the ISO 27001 has helped us guarantee the confidentiality, integrity and availability of information assets.