ISO 27001 is the internationally recognised cyber security best practice specification for an information security management system (ISMS). ISO 27001 sets out the requirements for which an ISMS can be audited and certified.
ISO 27001 is part of the ISO 27000 family of standards, and specifies requirements which must all be followed. The other Standards in the ISO 27000 family are codes of practice which provide non-compulsory best practice guidelines which organisations may follow in whole or in part.
If you’re new to ISO27001, we recommend:
ISO 27001 sets out specific requirements for which an organisation’s ISMS can be audited and certified. The new standard ISO 27001:2013 was published on 25 September 2013 and is available at IT Governance EU.
The standard was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). This standard replaces the previous version ISO/ IEC 27001:2005.
Download our free green paper on information security and ISO27001
This green paper contains an overview of Information Security and ISO27001, the information security standard, and is an ideal read for beginners.
Download our free green paper on information security and ISO27001 >>
ISO 27001 in Europe
According to a recent report conducted by ENISA on Security Certification Practices, companies in Europe stated that the main two reasons for adopting an Information Security Management System (ISMS) are for improving quality and for meeting the expectations of existing customers and gaining new ones. Respondents have also stated that ISMS represents a marketing and competitive advantage among the competition. The “big three” standards (ISO 20000, ISO 27001 and ISO 9001) are the most requested by companies. ISO 27001 certification has been classified as “the company’s main strategic business asset” and “a wealth of industry experience and knowledge” according to the report.
The Survey of Management System Standard Certifications conducted in 2012 by ISO states that European countries which have seen an increased demand in ISO27001 certification between 2011 and 2012 include Bulgaria (36%), Netherlands (34%), Romania (33%), Spain (20%), Italy (14%), Germany (13%) and Poland (17%).
Number of certificates in 2012
Number of certificates in 2011
Evolution in %
The argument for the deployment of a formal ISMS is fully developed in a The Case for ISO27001.
ISO 27001:2013 vs. ISO 27001:2005
ISO 27001:2013, the latest version of ISO 27001, presents certain key changes to ISO 27001:2005, of which the most prominent are:
- The Plan-Do-Check-Act (PDCA) model is no longer a requirement for ISO27001:2013 and organisations can apply any form of continual improvement method.
- Organisations required to use specific process models (e.g. COBIT, ITIL etc.) have reduced barriers to entry.
- There are changes to the structure of the standard.
- ISO27001:2013 is designed to better integrate with other ISO/IEC standards. Terms and definitions are standardised across the ISO27000 family.
- The standard is more flexible in general.
- The ISO31000 risk assessment link ties information security risk management into corporate risk management approaches.
- The roles of board and management/leadership are clearly delineated.
- The clauses and controls in Annex A have been restructured.
For all new product and service offerings related to the latest version, ISO27001:2013, please visit the ISO27001 (2013) shop.
ISO 27001 benefits
ISO 27001 ensures organisations are protected from information risks and threats which could otherwise lead to reputational damage, financial repercussions and the loss of assets. The standard provides companies with assurance and also helps to develop and enhance information security best practice. Benefits of ISO 27001 certification include:
- Winning and retaining business opportunities
- Protecting and enhance your reputation
- Building trust (internally and externally)
- Demonstrating compliance
- Satisfying audit requirements
- Improving efficiency
- Identifying vulnerabilities (new ‘unknowns’)
IT Governance EU has a wide range of ISO 27001 training courses. These training courses are led by experts in the ISO 27001 field, and provide comprehensive information on specified areas. Although the courses are held in London and Manchester (UK), we offer help in finding appropriate hotels close to the training venue. Alternatively, we also offer in-house training anywhere in the world. Please contact us for more details on this option.
If you would like to gain more knowledge about ISO 27001 and how to implement it in your organisation, then take a look at a number of our training courses:
Read more information about our training courses.
Implementing ISO 27001 with a Documentation Toolkit
Achieving ISO 27001 certification can be a time-consuming and complex project. The documentation required to create an ISMS can be up to 1,000 pages. However, gaining ISO27001 certification can be simplified.
Documentation toolkits provide all the pre-written documents you need to complete your ISO 27001 project. Often cheaper than a day’s consultancy, toolkits enable you to be the expert.
The No.3 Comprehensive ISO 27001 ISMS Toolkit has everything you need to carry out your own ISO 27001 project including informative and easily applied books, documentation templates, support guides and vsRisk, the definitive risk assessment tool.
Accelerate your ISO 27001 project and save time and money in the process with this toolkit >>
Gaining ISO 27001 certification provides internationally recognised proof that an organisation’s ISMS is fit for purpose, independently audited and verified.
See our comprehensive range of information, books and tools for achieving ISO 27001 certification.
You may also be interested in: