ISO 27001 Management System Standard
The ISO 27001 standard details the requirements for an Information Security management system; its aim is to help organisations review, identify and manage their key information assets and data. Often considered an Information Technology standard, ISO 27001 is actually much broader. Like other management system standards such as ISO 9001, it is primarily concerned with the management system itself. Where ISO 27001 differs is that it includes an Annex (Annex A) listing the controls which need to be considered in the risk treatment process.
The current version of the standard, ISO 27001:2022, is structured following Annex SL, so its clauses are very similar in structure to ISO 9001 and other Annex SL standards. The standard requires a clearly defined organisational structure, with roles and responsibilities defined and with the involvement and commitment of top management. Other requirements of this standard are that documented information is controlled, that risks and opportunities are considered, and that actions to address those risks and opportunities are identified and managed.
The standard requires quite a lot of documentation to be prepared, including Information Security Policies and a statement of applicability evidencing that all the Annex A controls have been addressed. The risk assessment / risk treatment process may include review and consideration of IT infrastructure and systems, and may therefore require a competent assessment / review of those IT systems.
Meeting the requirements of this standard
There are quite specific documentation requirements for this standard, and a full review of all the Annex A controls is required. Also required is a full review of the information held within the organisation: where it is stored, how it is accessed and how it is disseminated, together with the controls in place to preserve the data, to ensure it is protected from unauthorised access and from accidental corruption or alteration, and to ensure that the information systems in place are robust and reliable so that information is available when required for business continuity.
isoassured can assist with the preparation of management systems to meet the requirements of this standard - check our ISO Consultancy page for details of how we can help with onsite consultancy, remote consultancy, or by using our alpha-Z documents package to meet the requirements of this standard.
ISO 27001 Certification process
We offer a simple, smart certification process to provide independent confirmation that your organisation meets the requirements of the ISO 27001 standard. Once an audit has been completed with a satisfactory outcome, we issue an ISO 27001 registration certificate and authorise the organisation to display our 'ISO 27001 Registered' logo.
Further details on our certification service are available on the ISO Certification page.
Benefits of ISO 27001 Certification
- Achieve better scores in pre-qualification questionnaires (PQQs)
- Improved Systems for management and preservation of critical company information and data
- Improved appraisal of outsourced services and checks to protect company information and data
- Demonstration to suppliers / other interested parties that their information is protected and managed correctly
- Systems to ensure staff background checks are completed as required
- Checks that IT infrastructure is managed correctly, with effective backup and disaster recovery systems in place
- Effective systems for monitoring and dealing with IT security incidents
- Ongoing checks and reviews of operational activities
- Systems for improvements and continual improvement of management systems
- ISO 27001 Registered Logo for use in marketing
- Enhanced systems for ongoing checks of IT security
- Checks that applicable legal requirements, such as Data Protection, are being met
ISO 27701 Security Techniques for Privacy Information Management - ISO 27001 Standard Extension
The ISO 27701 standard is an extension to the ISO 27001 / ISO 27002 standards and follows the structure of these standards with some additional requirements.
This extension requires the management system to cover all the additional requirements relating to the management and protection of Personally Identifiable Information (PII), and can be followed by both PII controllers and PII processors.
ISO 27701 Certification process
We offer a simple, smart certification process to provide independent confirmation that your organisation meets the requirements of the ISO 27701 standard, with the audit being completed either at the same time as the ISO 27001 audit or as a standalone audit. Once an audit has been completed with a satisfactory outcome, this standard is also detailed on the ISO 27001 certificate and we authorise the organisation to display our 'ISO 27701 Registered' logo.
Further details on our certification service are available on the ISO Certification page.
Benefits of ISO 27701 Certification
- Achieve better scores in pre-qualification questionnaires (PQQs)
- Improved Systems for management and protection of Personally Identifiable Information (PII)
- Demonstration to data subjects that their personal information is protected and managed correctly
- Ongoing checks and reviews of personal data processing activities
- ISO 27701 Registered Logo for use in marketing
- Checks that applicable legal requirements, such as GDPR, are being met