The ISO 27001 standard is the most globally recognised data protection framework, and since May 2018, having a data protection framework in place is mandatory.
We are the experts in information security. We’re highly experienced ISO 27001 consultants (and 27002 and 9001 consultants!) and specialists. While most ISO 27001 consultants work to their own system, we build ours around you. Hire us to put an ISO 27001 programme in place for your organisation built around your needs and requirements.
The underlying principles behind the ISO 27001 standard are the availability, confidentiality and integrity of information assets. The standard is constructed to give requirements an organisation needs to fulfil in order to identify information assets, assess risks to those assets, to address those risks and to subsequently review, manage and improve the management system in order to give a level of confidence to interested parties that the information remains secure.
The structure is now exactly the same as ISO 9001 hence the links point toward our ISO 9001 section, these sections will now be completed with reference to requirements of both standards.
The main documentary requirement differences are to establish and maintain a Statement of Applicability referencing the controls laid out in ISO 27002 (formerly ISO 17799/BS7799) and a Risk Assessment document identifying information assets and how the risks to these assets are mitigated using the same controls. A Statement of Applicability can be a lengthy comprehensive document and the Risk Assessment the same. These form the cornerstone around which your Information Security Management System (ISMS) operates.
Various policies and procedures will need to be documented – I will state these from within the control sections. These are specific to an information security control. Additionally, procedures need to exist to control the Information Security Management System (ISMS) which surround the areas of how you manage a cycle of improvement, typically a Plan, Do, Check, Act cycle. This will involve identification of issues through risk assessments, incidents, KPIs and audit, turning those into management information, constructing actions plans to correct/prevent further issues and checking for effectiveness.
ISO 27001 2013
The new ISO 27001 standard is now published each of these sections describe the requirements of ISO 27001:2013. This is our synopsis of the requirements, because what most people are looking for is not a copy of the standard, but more information on what it means for them. That said, we do strongly recommend that you buy your own copy from your local supplier, as this is only our interpretation – see the link below to the BSI website for your own copy. We cannot be held liable for omission / errors as this is not intended to be a reproduction of the original.
This site is intended as a tool for helping people comply with and use the ISO 27001 standard as a tool to protect the information stored within their business, not as a definitive source. If you are unsure, looking for guidance, would like to help our visitors or wish to add to these pages please contact us or comment below. We want to help you make information security and continual improvement your business, all the time, not just when a customer or auditor turns up for a look around your business. The new standard is laid out as below:
ISO 27001 summary
Section Four – Context of the Organisation
Section Five – Leadership
- 5.1.1 Leadership & Commitment
- 5.1.2 Customer Focus
- 5.2.1 Establishing Information Security Policy
- 5.2.2 Communicating Information Security Policy
- 5.3 Organisational roles, responsibility and authorities
Section Six – Planning
- 6.1 Actions to address risks and opportunities
- 6.2 Information Security Objectives and planning to achieve them
- 6.3 Planning of changes
Section Seven – Support
Section Eight – Operation
- 8.1 Operational Planning & control
- 8.2 Requirements for products and services
- 8.3 Design and Development
- 8.4 Control of external processes, products and services
- 8.5 Production and Service Provision
- 8.6 Release of products and services
- 8.7 Control of Non Conforming outputs
Section Nine – Performance evaluation
Section Ten – Improvement
Extracts from ISO 27001: 2013 reproduced with the
permission of BSI under licence number 2003SK/003.
Hard copies of this standard and the British Standards adopted
version BS EN ISO 27001: 2013
are available from:
Buy ISO 27001:2013 standard
BSI Customer Services
389 Chiswick High Road
London W4 4AL
(Tel +44 (0) 20 8996 9001).
2000 – 2016 Activa Consulting Ltd