What is ISO 27001?
ISO/IEC 27001:2013 (also known as ISO27001) is the international standard that describes best practice for an ISMS (information security management system).
Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice and provides an independent, expert verification that information security is managed in line with international best practice and business objectives.
ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
Purchase the newest (2013) version of the ISO 27001 standard today.
ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates
Download your copy of ISO 27001:2022 here
Download your copy of ISO 27002:2022 here
Speak to an ISO 27001 expert
Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard. We can support you throughout your project, from implementation to certification. Speak to one of our experts for more information on how we can help you.
What is an ISMS?
An ISMS is a systematic approach consisting of processes, technology and people that helps you protect and manage all your organisation’s information through effective risk management.
At the heart of an ISO 27001-compliant ISMS are business-driven risk assessments, which means you will be able to identify and treat security threats according to your organisation’s risk appetite and tolerance.
Find out how to implement an ISMS
ISO 27001 clauses and controls
ISO 27001 has ten management system clauses. Together with its control set from Annex A (which lists 114 controls), they support the implementation and maintenance of an ISMS, as shown in the infographic below.
- Normative references
- Terms and definitions
- Planning and risk management
- Performance evaluation
ISO/IEC 27001: 2013 controls
The Standard doesn’t mandate that all 114 controls be implemented. Instead, the risk assessment should define which controls are required, and a justification provided as to why other controls are excluded from the ISMS.
Below are the list of control sets.
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Download our free guide to ISO 27001
This free green paper helps you understand how ISO 27001 works, highlights key implementation points, and explores the benefits of implementing an ISMS and achieving ISO 27001 certification.
ISO 27001 benefits
Protect your data, wherever it lives
An ISO 27001-compliant ISMS helps protect all forms of information, whether digital, paper-based or in the Cloud.
Increase your attack resilience
Implementing and maintaining an ISMS will significantly increase your organisation's resilience to cyber attacks.
Reduce information security costs
Thanks to the risk assessment and analysis approach of an ISMS, organisations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.
Respond to evolving security threats
Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.
Improve company culture
The Standard’s holistic approach enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
Meet contractual obligations
Certification demonstrates your organisation’s commitment to information security and provides a valuable credential when tendering for new business.
Learn more about the advantages of ISO 27001 certification
How to achieve ISO 27001 compliance
Implementing an ISO 27001-compliant ISMS involves:
- Scoping the project;
- Securing management commitment and budget;
- Identifying interested parties, and legal, regulatory and contractual requirements;
- Conducting a risk assessment;
- Reviewing and implementing the required controls;
- Developing internal competence to manage the project;
- Developing the appropriate documentation;
- Conducting staff awareness training;
- Reporting (e.g. the Statement of Applicability and risk treatment plan);
- Continually measuring, monitoring, reviewing and auditing the ISMS; and
- Implementing the necessary corrective and preventive actions.
Read about our complete approach to implementing an ISMS
How IT Governance can help you
- Our approach has been honed over 15+ years.
- We are known as global authorities of ISO 27001 - our management team led the world’s first ISO 27001 certification project.
- We offer everything you need to implement an ISO 27001-compliant ISMS – from standards, books, free resources, webinars, documentation templates and gap analysis tools to consultancy, training, staff awareness courses and compliance software.
- If you follow the advice of our consultants, you are assured of a 100% guarantee of successful certification.
- You benefit from real-world practitioner expertise, not just academic knowledge.
- We can help small organisations achieve ISO 27001 certification in 3 months.
- We offer clear and transparent pricing.
Let’s get started with your ISO 27001 project
Having led the world’s first ISO 27001 certification project, we’ve been at the forefront of the cyber security initiative. Let us share our expertise and support you on your journey to certification.