ISO 27001 Explained
As the risks associated with cyber attacks and data breaches continue to increase, information security has become a critical issue for every business.
ISO 27001 is the international standard that provides the specification for an Information Security Management System, also known as an ISMS. An ISMS is a systematic approach consisting of people, processes, and technology that supports your business by protecting and managing all your information through a risk management process.
As the mainstay of the 27000 series, ISO 27001 provides a globally recognised framework for structuring best-practice security management. These standards help organisations keep information assets secure by offering a set of specifications, codes of conduct and best-practice guidelines to ensure strong information security management.
However, it is important to note that ISO 27001 only provides the specification of an effective ISMS, whereas ISO 27002 provides the code of conduct, guidance, and best practices for effectively implementing your ISMS.
An ISMS, particularly one that conforms to ISO 27001, can help organisations comply with laws such as the GDPR or the Network and Information Systems Regulations, also known as the NIS Regulations.
ISO 27001 focuses on protecting 3 key aspects of information -
Confidentiality - Separating information into various collections that are organised by who needs access to the information and how sensitive that information actually is.
Integrity - Protecting data from deletion or modification by any unauthorised party, and ensuring that when an authorised person makes a change that should not have been made, the damage can be reversed.
Availability - Authentication mechanisms, access channels and systems all have to work properly so that the information they protect is available when it is needed.
ISO 27001 is one of the most recognised information security standards in the world. The standard is there to support organisations in managing their security posture in a consistent and cost-effective way - it’s technology and vendor neutral while being applicable to all organisations, regardless of size, type, or nature.
As certification to ISO 27001 is not mandatory, not all organisations choose to pursue it. However, there are many benefits to becoming certified:
- It’s a proven, externally validated demonstration of your organisation’s willingness to conform to internationally accepted information security standards
- Your assets are safeguarded
- Improved management control
- Meeting customer/supplier criteria
- Customer and regulator confidence
- Demonstrable information security provision
- Business continuity
- Compliance with legal requirements
- A more cyber aware workforce
- Cycle of continual improvement
- Reduced cost (less risk of facing fines)
- Provides a competitive advantage
ISO27001 Controls
Organisations are instructed to compare the controls they currently have in place with the best-practice controls provided in ‘Annex A’ to determine their current security posture. Any identified controls that are missing can then be implemented or improved to ensure the ISO 27001 criteria are met. Complying allows your organisation to apply for certification. If certain controls within Annex A do not seem applicable to your business, and you are looking to become ISO 27001 certified, you must document the reason why you believe they are not applicable.
There are 114 best-practice controls in Annex A that are split into 14 categories. We will briefly describe these 14 categories.
Annex A.5 – Information security policies
- Ensures policies are written and reviewed in line with the overall direction of your business’s information security practices.
Annex A.6 – Organisation of information security
- Covers the assignment of responsibilities for certain tasks
- Having an established framework for implementing and maintaining information security practices
- Managing the best practice for mobile devices and remote working staff
Annex A.7 – Human resource security
- Covers employees and contractors so staff can have a full understanding of their responsibilities
- Covers staff responsibility pre-employment
- Covers staff responsibility during employment
- Covers staff responsibility post-employment
Annex A.8 – Asset management
- Concerns identifying information assets within the scope of the ISMS
- Ensures that assets are subject to the correct level of defence
- Handling media
- Ensuring that data is not subject to unauthorised access, modification, or destruction
Annex A.9 – Access control
- Ensures that the information available to employees is relevant to their job role only
- Divided into four sections addressing business access control requirements, user responsibilities and application access control.
Annex A.10 – Cryptography
- Data encryption and the management of sensitive data
- Designed to ensure organisations use cryptography both properly and effectively
- Protects data confidentiality, integrity and availability
Annex A.11 – Physical and environmental security
- Procedures that can prevent unauthorised physical access, damage or interference to an organisation’s premises or the information held within
- Deals with preventing the loss, damage, or theft of business equipment that manages business assets
Annex A.12 – Operations security
- Used to ensure the facilities that process information are secure
- Operational procedures and responsibilities
- Ensuring that the appropriate defences and safeguards are in place to mitigate infection from malware
- Establishes back-up requirements so data is not lost
- Logging and monitoring processes so that evidence can be collected when an event occurs
- Technical vulnerability management so third-party threat actors cannot exploit systems
- Requirements regarding the integrity of software packages
- Information systems audit considerations so minimal business disruption occurs during an auditing process
Annex A.13 – Communications security
- Network security management, ensuring the confidentiality, integrity, and availability of the information your networks process
- Managing the security of information in transit with other departments within your organisation or with third parties and customers
Annex A.14 – System acquisition, development, and maintenance
- Covers information security throughout the system development life cycle and ensures it remains a central part of the organisation
Annex A.15 – Supplier relationships
- Covers contractual agreements with third parties
- Addresses the protection of valuable business assets that suppliers have access to
- Ensures both parties maintain the same level of information security
Annex A.16 – Information security incident management
- Managing and reporting cyber security incidents
- Identifying which employees should take responsibility for specific actions
- Ensuring a consistent and effective approach concerning incident response
Annex A.17 – Information security aspects of business continuity management
- Having an effective system that manages any business disruptions
Annex A.18 – Compliance
- Ensures you can identify relevant laws and regulations your organisation must comply with
- Any contractual agreements that must be met
- Mitigating risk of non-compliance and the fines that accompany them
Getting started with ISO 27001
It is important to ensure business continuity – ensuring a hassle-free transition can be extremely beneficial for your organisation. However, not implementing controls correctly can have major implications in the future, so it is important to get it right the first time around.
If you’d like a helping hand with becoming ISO 27001 compliant, we at JC Cyber Security Services are happy to guide you through the process, and instruct the best method of implementation, specifically tailored to your business needs and requirements. Not only are we happy to advise, but we are also able to help implement systems that have been identified to be missing or weak.
How to get ISO 27001 certified?
Once you have met the various requirements set out by ISO 27001, the next step is to seek certification. Certification is the procedure by which an external certification body provides written assurance that an organisation’s ISMS conforms to the requirements of ISO 27001. The process involves going through a certification audit, where an expert from a certification body visits your business to examine your ISMS. If they are satisfied, they will award a certificate.