ISO 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS). Since no two organizations are alike, an ISMS is always tailored to the organization's own information security needs and risks.

Content on this page:

History

Why ISO 27001?

Certification

ISO 27001:2022

Guide to Information Security Risk Management with ISO 27005

Develop a Statement of Applicability according to ISO 27001:2013

Measuring the ISO 27001 ISMS efficiency with KPIs

History

ISO 27001 was the first standard released in the ISO 27000 series of standards for information security. It was first published in October 2005, revised in October 2013 to accommodate changing information security challenges, and revised again in 2022. The current version is ISO 27001:2022.

ISO 27001 is closely related to ISO 27002, which expands on the controls listed in Annex A of ISO 27001. ISO 27002 is a "code of practice" (in effect an implementation manual) describing the security controls an organization can choose to introduce and how to implement them. ISO 27002 was formerly known as ISO 17799, which in turn was based on the British standard BS 7799-1. The current version is ISO 27002:2022.

Why would an organization choose ISO 27001?

Most organizations already operate a number of information security controls. Without an ISMS, however, those controls are often not aligned with the business needs of the organization. Complying with ISO 27001 has several benefits:

  • Trust: It gives clients and trading partners confidence and assurance that your organization takes security seriously. The certification can also be used in marketing your organization.
  • Efficiency: Controls are selected as part of an ongoing risk treatment process rather than ad hoc, so effort goes where the risk actually is.
  • Continual improvement: ISO 27001 requires you to continually improve your organization's information security. It helps you determine the right amount of security for your organization: not too few resources, not too many, but just enough.

ISO 27001 Certification

Organizations can apply for certification against ISO 27001. It is not possible to be certified against ISO 27002, because it contains guidance rather than requirements that can be audited.

Click here to learn more about how neupartOne ISMS can help you with your information security challenges

ISO 27001:2022

A new version of ISO 27001 was published at the end of October 2022. Some notable changes are:

  • Increased flexibility in your choice of risk assessment method
  • Sharper requirements on the context of the Information Security Management System
  • Monitoring and measurement now have their own clause

Guide to Information Security Risk Management with ISO 27005

One of the governing principles of ISO 27001 is the requirement that information security be based on the actual risks to which the organization is exposed. As a whole, this activity is known as risk management. Central to risk management are the risk assessment, i.e., the identification and analysis of risks, and risk treatment, i.e., the selection and implementation of measures to address those risks. We have published a guide describing the method we recommend organizations use to manage risk.

Download it here

How to develop a Statement of Applicability (SoA) according to ISO 27001:2013

In the new ISO 27001 (as in previous versions), a key document is the Statement of Applicability, the SoA. What is new is that your SoA is closely tied to your risk treatment process, and that your organization must appoint risk owners. A risk owner is responsible for approving the risk treatment plan and for accepting the residual risk that remains after treatment, i.e., confirming that it falls within the organization's risk tolerance (sometimes called risk appetite).

Your SoA lists which controls are part of your ISMS. Usefully, you must justify both the inclusion and the exclusion of each control, which makes every control traceable to a reason. As the SoA is, or becomes, such a central document in your ISMS, Neupart has produced a free guide on how to prepare and maintain your SoA effectively.
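The traceability described above is something you can check mechanically before an audit: every control referenced by a risk treatment should be marked applicable in the SoA, every included or excluded control should carry a justification, and every risk should have an owner. The following is an added example, not code from Neupart or from the ISO standards; the risk register and SoA entries are constructed sample data, the control identifiers follow the ISO 27001:2022 Annex A numbering, and the class and function names are our own.

```python
"""Cross-check a Statement of Applicability (SoA) against a risk treatment plan.

Added example (not from Neupart or ISO). The register below is constructed
sample data; control identifiers use the ISO 27001:2022 Annex A numbering.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                                  # risk owner approving treatment / accepting residual risk
    controls: list[str] = field(default_factory=list)  # Annex A controls chosen as treatment


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str                          # required for inclusion AND for exclusion


def check_soa(soa: list[SoaEntry], risks: list[Risk]) -> list[str]:
    """Return findings; an empty list means SoA and treatment plan are consistent."""
    findings: list[str] = []
    by_id = {e.control_id: e for e in soa}

    # 1. Every entry must be justified, whether included or excluded.
    for e in soa:
        if not e.justification.strip():
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(f"{e.control_id}: missing justification for {kind}")

    # 2. Every risk needs an owner, and every control used as a treatment must
    #    exist in the SoA and be marked applicable.
    for r in risks:
        if not r.owner.strip():
            findings.append(f"{r.risk_id}: no risk owner assigned")
        for c in r.controls:
            entry = by_id.get(c)
            if entry is None:
                findings.append(f"{r.risk_id}: treatment references {c}, which is not in the SoA")
            elif not entry.applicable:
                findings.append(f"{r.risk_id}: treatment references {c}, but the SoA excludes it")

    # 3. An applicable control no treatment uses should be reviewed: a legal or
    #    contractual reason is legitimate, but it must then appear in the justification.
    used = {c for r in risks for c in r.controls}
    for e in soa:
        if e.applicable and e.control_id not in used:
            findings.append(f"{e.control_id}: applicable but not traceable to any risk treatment; "
                            "confirm the justification cites a legal, contractual or business reason")
    return findings


# Constructed sample data (hypothetical organisation).
SAMPLE_SOA = [
    SoaEntry("A.5.7", "Threat intelligence", True, "Treats R-01"),
    SoaEntry("A.8.8", "Management of technical vulnerabilities", True, "Treats R-01"),
    SoaEntry("A.8.24", "Use of cryptography", True, ""),                       # no justification
    SoaEntry("A.7.4", "Physical security monitoring", False, "Premises fully managed by landlord"),
    SoaEntry("A.5.23", "Information security for use of cloud services", False, ""),  # excluded, but used
]
SAMPLE_RISKS = [
    Risk("R-01", "Unpatched internet-facing service exploited", "Head of IT", ["A.8.8", "A.5.7"]),
    Risk("R-02", "Customer data exposed via misconfigured SaaS", "CISO", ["A.5.23", "A.8.16"]),
    Risk("R-03", "Backups unusable after ransomware", "", ["A.8.13"]),
]


def run_sample() -> list[str]:
    """Run the check over the constructed sample and return the findings."""
    return check_soa(SAMPLE_SOA, SAMPLE_RISKS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it before each management review or audit: a clean result means every control in the SoA is traceable to a risk treatment or an explicit justification, and every treatment points at a control the SoA actually includes.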

Get your free copy here

Measuring the ISO 27001 ISMS efficiency with KPIs

Efficiency and productivity are discussed in many contexts. In information security management, too, it makes sense to ensure that processes are working effectively. But how do you actually measure whether your information security is effective and whether it is developing in the right direction?

Neupart has prepared a guide for this purpose. It focuses on ISMS metrics (Information Security Management System metrics) that measure the value and effectiveness of the processes that make up your ISMS. Measured consistently, these metrics show changes over time, so that you can, for example, report improvements and efficiency to management.

Download your copy here