ISO 27001 Explained

Aug 24, 2021

As the risks associated with cyber attacks and data breaches continue to increase, information security has become a critical issue for every business.


ISO 27001 is the international standard that provides the specification for an Information Security Management System, also known as an ISMS. An ISMS is a systematic approach consisting of people, processes, and technology that supports your business by protecting and managing all your information through a risk management process.


As the mainstay of the 27000 series, ISO 27001 provides a globally recognised framework for structuring the management of security best practice. These standards help organisations keep information assets secure by offering a set of specifications, codes of practice and best-practice guidelines to ensure strong information security management.


However, it is important to note that ISO 27001 only provides the specification of an effective ISMS, whereas ISO 27002 provides the code of practice, guidance, and best practices for effectively implementing your ISMS.


An ISMS, particularly one that conforms to ISO 27001, can help organisations comply with laws such as GDPR, or the Network and Information Systems Regulations, also known as the NIS Regulations.


ISO 27001 focuses on protecting three key aspects of information:

Confidentiality - Separating information into various collections that are organised by who needs access to the information and how sensitive that information actually is.

Integrity – Protecting data from deletion or modification by any unauthorised party, and ensuring that when an authorised person makes a change that should not have been made, the damage can be reversed.

Availability - Authentication mechanisms, access channels and systems all have to work properly to protect the information and ensure it is available when it is needed.

Effective cyber security is a journey rather than a destination. This is a picture that the ISO 27001 standard paints.

- Jon Coss, JC Cyber Security Services

ISO 27001 is one of the most recognised information security standards in the world. The standards in place are there to support organisations in managing their security posture in a consistent and cost-effective way - it’s technology- and vendor-neutral while being applicable to all organisations, regardless of size, type, or nature.

As ISO 27001 certification is not mandatory, not all organisations choose to pursue it. However, there are many benefits to becoming certified:

  • It’s a proven, externally validated demonstration of your organisation’s willingness to conform to internationally accepted information security standards
  • Your assets are safeguarded
  • Improved management control
  • Meeting customer/supplier criteria
  • Customer and regulator confidence
  • Demonstrable information security provision
  • Business continuity
  • Compliance with legal requirements
  • A more cyber aware workforce
  • Cycle of continual improvement
  • Reduced cost (less risk of facing fines)
  • Provides a competitive advantage

ISO 27001 Controls

Organisations are instructed to compare the controls they currently have in place with the best-practice controls provided in ‘Annex A’ to determine their current security posture. Any identified controls that are missing can then be implemented or improved to ensure the ISO 27001 criteria are met. Complying allows your organisation to apply for certification. If certain controls within Annex A do not seem applicable to your business, and you are looking to become ISO 27001 certified, you must document why you believe they are not applicable.


There are 114 best-practice controls in Annex A that are split into 14 categories. We will briefly describe these 14 categories.

Annex A.5 – Information security policies

  • Ensures policies are written and reviewed in line with the overall direction of your business’s information security practices.

Annex A.6 – Organisation of information security

  • Covers the assignment of responsibilities for certain tasks
  • Having an established framework for implementing and maintaining information security practices
  • Managing the best practice for mobile devices and remote working staff

Annex A.7 – Human resource security

  • Covers employees and contractors so staff can have a full understanding of their responsibilities
  • Covers staff responsibilities pre-employment
  • Covers staff responsibilities during employment
  • Covers staff responsibilities post-employment

Annex A.8 – Asset management

  • Concerns identifying information assets within the scope of the ISMS
  • Ensures that assets are subject to the correct level of defence
  • Handling media
  • Ensuring that data is not subject to unauthorised access, modification, or destruction

Annex A.9 – Access control

  • Ensures that the information available to employees is relevant to their job role only
  • Divided into four sections addressing business access control requirements, user responsibilities and application access control.

Annex A.10  – Cryptography

  • Data encryption and the management of sensitive data
  • Designed to ensure organisations use cryptography both properly and effectively
  • Protects data confidentiality, integrity and availability

Annex A.11 – Physical and environmental security

  • Procedures that can prevent unauthorised physical access, damage or interference to an organisation’s premises or the information held within
  • Deals with preventing the loss, damage, or theft of business equipment that manages business assets

Annex A.12 – Operations security

  • Used to ensure the facilities that process information are secure
  • Operational procedures and responsibilities
  • Ensuring that the appropriate defences and safeguards are in place to mitigate infection from malware
  • Establishes back-up requirements so data is not lost
  • Logging and monitoring processes so that evidence can be collected when an event occurs
  • Technical vulnerability management so threat actors cannot exploit systems
  • Requirements regarding the integrity of software packages
  • Information systems audit considerations so that minimal business disruption occurs during an auditing process

Annex A.13 – Communications security

  • Network security management, ensuring the confidentiality, integrity, and availability of the information your networks process
  • Managing the security of information in transit with other departments within your organisation or with third parties and customers

Annex A.14 – System acquisition, development, and maintenance

  • Covers information security across the whole life cycle of information systems, ensuring it remains a central part of the organisation

Annex A.15 – Supplier relationships

  • Covers contractual agreements with third parties
  • Addresses the protection of valuable business assets that suppliers have access to
  • Ensures both parties maintain the same level of information security

Annex A.16 – Information security incident management

  • Managing and reporting cyber security incidents
  • Identifying which employees should take responsibility for specific actions
  • Ensuring a consistent and effective approach concerning incident response

Annex A.17 – Information security aspects of business continuity management

  • Having an effective system that manages any business disruptions

Annex A.18 – Compliance

  • Ensures you can identify relevant laws and regulations your organisation must comply with
  • Any contractual agreements that must be met
  • Mitigating the risk of non-compliance and the fines that accompany it

Only a quarter of large businesses (24%) adhere to ISO 27001

- Department for Digital, Culture, Media and Sport

Getting started with ISO 27001

It is important to ensure business continuity – ensuring a hassle-free transition can be extremely beneficial for your organisation. However, not implementing controls correctly can have major implications in the future, so it is important to get it right the first time around.
If you’d like a helping hand with becoming ISO 27001 compliant, we at JC Cyber Security Services are happy to guide you through the process and advise on the best method of implementation, specifically tailored to your business needs and requirements. Not only are we happy to advise, but we are also able to help implement systems that have been identified as missing or weak.

How to get ISO 27001 certified?

Once you have met the various requirements set out by ISO 27001, the next step is to seek certification. Certification is the procedure by which an external certification body provides written assurance that an organisation’s ISMS conforms to the requirements of ISO 27001. The process involves going through a certification audit, where an expert from a certification body visits your business to examine your ISMS. If they are satisfied, they will award a certificate.
