ISO 27001: A guide to implementation and auditing

Information is one of your organisation’s most valuable assets. The objectives of information security are to protect the confidentiality, integrity and availability of data.

These fundamental elements of information security help to ensure that an organisation can protect against: 

  • Sensitive or confidential information being given away, leaked or otherwise exposed, both accidentally and deliberately; 
  • Personally identifiable information being compromised; 
  • Critical information being accidentally or intentionally modified without the organisation’s knowledge; 
  • Crucial business information being lost without a trace or hope of recovery; and 
  • Important business information being unavailable when needed. 

It should be the responsibility of all managers, information system owners or custodians, and users in general, to ensure that their information is appropriately managed and protected from the variety of risks and threats faced by every organisation.

ISO/IEC 27001:2017, Information security management systems – Requirements and ISO/IEC 27002:2017, Security techniques – Code of practice for information security controls provide a basis for organisations to develop an effective information security management framework.

An ISMS built on them also minimises information security risks, protecting investment and business opportunities, while ensuring that information systems remain available and operational. 

ISO/IEC 27001 is a requirements standard that can be used for accredited third-party ISMS (information security management system) certifications.

Organisations going through the accredited certification route have their ISMS audited by an accredited certification body.

This ensures that they have appropriate management processes and systems in place and that these conform to the requirements specified in ISO/IEC 27001.  

ISO/IEC 27002, a guidance document, provides a comprehensive set of best practice controls for information security and implementation guidance.

Organisations can adopt these controls as part of the risk treatment process specified in the standard ISO/IEC 27001 to manage the risks they face to their information assets.  

To claim compliance with the ISO 27001 standard, the organisation needs to demonstrate that it has all the processes in place and provides appropriate objective evidence to support such claims.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified.

Evidence also needs to be provided that the associated risks have been knowingly and objectively accepted by those in management who have the executive responsibility and are accountable for making such decisions. 

Excluding any of the requirements specified in ISO/IEC 27001, Clauses 4–10 is not acceptable. 

The implementation of ISMS processes results in the organisation deploying a system of controls selected through a risk management approach.

The organisation should have implemented an effective system of management controls and processes as part of its ISMS. It should be able to demonstrate this by providing evidence to the ISMS auditor (whether it be a first-, second- or third-party audit).

The organisation may not have a business case for a third-party audit, but to comply with ISO/IEC 27001, an internal ISMS audit process is mandatory.

Meeting ISO/IEC 27001 requirements

ISO/IEC 27001 has two main parts: 

  • The requirements for processes in an ISMS, which are described in Clauses 4–10 (the main body of the text); and 
  • A list of ISO 27001 Annex A controls. These controls are described in more detail in ISO/IEC 27002. 

The ISMS process requirements address how an organisation should establish and maintain its ISMS.

An organisation that wants to achieve ISO/IEC 27001 certification needs to comply with all of these requirements – exclusions are not acceptable. 

The ISMS controls listed in ISO/IEC 27001 Annex A are not mandatory. They are expected to be used as an aide-memoire to assist the organisation in identifying where it might have missed a risk or relevant security control in its risk assessment and creation of its risk treatment plan.

This is stated in ISO/IEC 27001 (Clause 6.1.3 d) as follows:  

“The organisation shall […] produce a Statement of Applicability that contains the necessary controls… and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.” 
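The requirement above is something an internal auditor can check mechanically: every Annex A control must appear in the Statement of Applicability, and every entry, whether included or excluded, must carry a justification. The script below is an added illustration of that check; it is not code from the book or from the standard. The control catalogue is a constructed five-control subset of Annex A, the SoA rows are constructed sample data, and the CSV layout (control, applicable, justification, implemented) is an assumed format.

```python
"""Check a Statement of Applicability (SoA) against an Annex A control catalogue.

Added example, not code from the original page.  Two kinds of result are
reported: a 'nonconformity' where ISO/IEC 27001 Clause 6.1.3 d) is not met
(control missing from the SoA, or no justification for its inclusion or
exclusion), and an 'observation' where an included control is not yet
implemented and the auditor should expect a risk treatment plan entry.
"""
import csv
import io

# Constructed subset of the Annex A catalogue (assumption: a real check
# would load the full list of controls from the Standard).
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.5.1.2": "Review of the policies for information security",
    "A.6.1.1": "Information security roles and responsibilities",
    "A.6.2.1": "Mobile device policy",
    "A.9.4.2": "Secure log-on procedures",
}

# Constructed sample SoA.  A.6.2.1 is excluded without a reason and
# A.9.4.2 is included without a reason; both are nonconformities.
SAMPLE_SOA = """control,applicable,justification,implemented
A.5.1.1,yes,Addresses risk R-03 (unclear staff obligations),yes
A.5.1.2,yes,Addresses risk R-03; annual review scheduled,no
A.6.1.1,yes,Addresses risk R-01 (no named asset owners),yes
A.6.2.1,no,,no
A.9.4.2,yes,,yes
"""


def parse_soa(text):
    """Parse the assumed CSV layout into {control_id: {applicable, justification, implemented}}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["control"].strip()] = {
            "applicable": row["applicable"].strip().lower() == "yes",
            "justification": row["justification"].strip(),
            "implemented": row["implemented"].strip().lower() == "yes",
        }
    return rows


def check_soa(soa, catalogue=ANNEX_A):
    """Return (severity, control, finding) tuples; an empty list means the SoA is complete."""
    findings = []
    for control in catalogue:  # every catalogue control must be accounted for
        entry = soa.get(control)
        if entry is None:
            findings.append(("nonconformity", control, "missing from SoA"))
            continue
        if not entry["justification"]:
            kind = "inclusion" if entry["applicable"] else "exclusion"
            findings.append(("nonconformity", control, f"no justification for {kind}"))
        elif entry["applicable"] and not entry["implemented"]:
            findings.append(("observation", control, "included but not yet implemented"))
    for control in soa:  # entries outside Annex A are allowed, but flag them for review
        if control not in catalogue:
            findings.append(("observation", control, "not an Annex A control; confirm it was added deliberately"))
    return findings


if __name__ == "__main__":
    for severity, control, finding in check_soa(parse_soa(SAMPLE_SOA)):
        print(f"{severity:14} {control:8} {finding}")
```

Run against the sample data, the check reports one observation (A.5.1.2 included but not yet implemented) and two nonconformities (A.6.2.1 and A.9.4.2 lack justifications). Dropping a row from the SoA produces a "missing from SoA" nonconformity, which is the case an auditor most often finds when an organisation has built its SoA only from the controls it already operates.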

Information security policies (ISO/IEC 27001, A.5)

Management direction for information security (ISO/IEC 27001, A.5.1) 

“Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.” 

Policies for information security (ISO/IEC 27001, A.5.1.1) 

“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.” 

Implementation guidance

Guidance on what an information security policy should contain can be found in ISO/IEC 27002, 5.1.1.  

Information security policies should be simple and to the point. It may not be appropriate to combine every level of policy into one document.

In this case, the top-level information security policy can refer to more detailed, topic-specific policies, e.g. using hyperlinks.

Indeed, the top-level policy should normally fit on a single page. It might also form part of a more general policy document.

Top-level information security policies should be distributed and communicated to all staff, and to all relevant external parties, e.g., others regularly working on the organisation’s premises. 

The lower-level policies should be available to appropriate staff as needed, dependent on their job function and the associated security requirements, and classified accordingly.

The top-level information security policy and several, or all, of the lower-level policies could be delivered to staff within a security policy manual. 

The information security policies should be subject to version control and should be part of the ISMS documentation.

The organisation should ensure that everyone with information security responsibilities has access to all the policies they need.

Information security policies should also be made available to anyone with appropriate authorisation on request, and they should be protected from tampering and unintentional damage. 

When an information security policy is distributed outside the organisation, it should be redacted, with any sensitive information that might have been contained in it removed before such distribution. 

Auditing guidance

The top-level information security policy does not need to be extensive, but it should clearly state senior management’s commitment to information security, be under change and version control, and be signed by the appropriate senior manager.

The policy should at least address the following topics: 

  • A comprehensible definition of information security, its overall scope and objectives; 
  • The reasons why information security is important to the organisation; 
  • A statement of top management’s support for information security; 
  • A summary of the practical framework for risk assessment, risk management and for selecting control objectives and controls; 
  • A summary of the security policies, principles, standards and compliance requirements; 
  • A definition of all relevant information security responsibilities (see also below); 
  • Reference to supporting documentation, e.g. more detailed policies; and 
  • How non-compliances and exceptions will be handled. 

The auditor should confirm that the policy is readily accessible to all employees and all relevant external parties, and that it is communicated to all relevant persons, checking that they are aware of its existence and understand its contents.

The policy may be a stand-alone statement or part of more extensive documentation (e.g. a security policy manual) that defines how the information security policy is implemented in the organisation.

In general, most, if not all, employees covered by the ISMS scope will have some responsibility for information security, and auditors should review any declarations to the contrary with care. 

The auditor should also confirm that the policy has an owner who is responsible for its maintenance, and that it is updated appropriately following any changes affecting the information security requirements of the organisation, such as changes to the original risk assessment. 

Topic-specific policies that underpin the top-level policy should be clearly linked to the needs of their target group(s), and cover all topics that are necessary to provide a foundation for other security controls. 

This is an extract from ISO 27001 controls – A guide to implementing and auditing 

©IT Governance Publishing Ltd
