ISO 27001: A guide to implementation and auditing

Personal information is an organisation’s most valuable asset. It’s essential for a variety of activities, from marketing and sales to providing tailored services.

But if organisations are to process and use this information, they must be able to protect it from unauthorised use. This includes the threat of:

  • Sensitive or confidential information being given away, leaked or otherwise exposed, either accidentally or deliberately; 
  • Personally identifiable information being compromised; 
  • Critical information being accidentally or intentionally modified without the organisation’s knowledge; 
  • Crucial business information being lost without a trace or hope of recovery; and 
  • Important business information being unavailable when needed. 

Organisations looking to address those risks should take a look at ISO 27001. It’s the international standard that describes best practice for information security management, and contains a framework that can be adjusted to suit organisations of any size and sector.

In addition to protecting against an array of information security risks, ISO 27001 can give organisations a competitive advantage. By receiving a third-party audit, they can gain proof of effective information security practices, which they can use to reassure customers and clients.

To do this, the organisation must demonstrate that it has all the processes in place and provides appropriate objective evidence to support such claims.

Meeting ISO/IEC 27001 requirements

ISO/IEC 27001 has two main parts: 

  • The requirements for processes in an ISMS, which are described in Clauses 4–10 (the main body of the text); and 
  • A list of ISO 27001 Annex A controls. These controls are described in more detail in ISO/IEC 27002. 

The ISMS process requirements address how an organisation should establish and maintain its ISMS.

An organisation that wants to achieve ISO/IEC 27001 certification needs to comply with all of these requirements – exclusions are not acceptable. 

The ISMS controls listed in ISO/IEC 27001 Annex A are not mandatory. They are expected to be used as an aide-memoire to assist the organisation in identifying where it might have missed a risk or relevant security control in its risk assessment and creation of its risk treatment plan.

This is stated in ISO/IEC 27001 as follows:  

“The organisation shall […] produce a Statement of Applicability that contains the necessary controls… and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.”

Information security policies (ISO/IEC 27001, A.5)

Management direction for information security (ISO/IEC 27001, A.5.1) 

“Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.” 

Policies for information security (ISO/IEC 27001, A.5.1.1) 

“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.” 

Implementation guidance

Guidance on what an information security policy should contain can be found in ISO/IEC 27002, 5.1.1.  

ISO 27001 requires organisational policies to be simple and to the point. It may not be appropriate to combine every level of policy into one document.

In this case, the top-level information security policy can easily refer to more detailed policies, e.g., using hyperlinks.

Indeed, the top-level policy should normally fit on a single page. It might also be part of a more general policy document.

Top-level information security policies should be distributed and communicated to all staff, and to all relevant external parties, e.g., others regularly working on the organisation’s premises. 

The lower-level policies should be available to appropriate staff as needed, dependent on their job function and the associated security requirements, and classified accordingly.

The top-level information security policy and several, or all, of the lower-level policies could be delivered to staff within a security policy manual. 

The information security policies should be subject to version control and should be part of the ISMS documentation.

The organisation should ensure that everyone with information security responsibilities has access to all the policies they need.

Information security policies should also be made available to anyone with appropriate authorisation on request, and they should be protected from tampering and unintentional damage. 

When an information security policy is distributed outside the organisation, it should be redacted, with any sensitive information that might have been contained in it removed before such distribution. 

Auditing guidance

The top-level information security policy does not need to be extensive. Still, it should clearly state senior management’s commitment to information security, be under change and version control, and be signed by the appropriate senior manager.

The policy should at least address the following topics: 

  • A comprehensible definition of information security, its overall scope and objectives; 
  • The reasons why information security is important to the organisation; 
  • A statement of top management’s support for information security; 
  • A summary of the practical framework for risk assessment, risk management and for selecting control objectives and controls; 
  • A summary of the security policies, principles, standards and compliance requirements; 
  • A definition of all relevant information security responsibilities (see also below); 
  • Reference to supporting documentation, e.g. more detailed policies; and 
  • How non-compliances and exceptions will be handled. 

The auditor should confirm that the policy is readily accessible to all employees and all relevant external parties, and that it is communicated to all relevant persons, checking that they are aware of its existence and understand its contents.

The policy may be a stand-alone statement or part of more extensive documentation (e.g. a security policy manual) that defines how the information security policy is implemented in the organisation.

In general, most, if not all, employees covered by the ISMS scope will have some responsibility for information security, and auditors should review any declarations to the contrary with care. 

The auditor should also confirm that the policy has an owner who is responsible for its maintenance, and that it is updated appropriately following any changes affecting the information security requirements of the organisation, such as changes to the original risk assessment. 

Topic-specific policies that underpin the top-level policy should be clearly linked to the needs of their target group(s), and cover all topics that are necessary to provide a foundation for other security controls. 

This is an extract from ISO 27001 controls – A guide to implementing and auditing 

©IT Governance Publishing Ltd

A must-have resource to establish and maintain an ISMS

ISO 27001 controls – A guide to implementing and auditing is ideal for anyone implementing or auditing an ISO 27001 ISMS (information security management system), covering everything to help you fulfil the requirements of the Standard’s Annex A controls.

Its auditing guidance explains what should be checked, and how, when examining the controls.

Now available in softcover, Adobe eBook and Adobe ePub.
