What is ISO 27001?

ISO 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO).

It is a standard which specifies how information security is managed. It is not restricted to electronic records but includes written and all other forms of information storage and distribution.

What is information security?

Information security in this context means:

Who is it applicable to?

ISO 27001 is applicable to every type of organisation. The more information you hold, and the more valuable that information is to you and your organisation, the more important information security becomes.

What is involved?

ISO 27001 is typically delivered in 3 steps that require organisations to:

  1. Create a management framework for information security management that details the strategy, aims and objectives of information security in the organisation. This framework must have widespread management backing across all parts of the organisation.
  2. Identify and assess information security risks – a methodical audit of security risks will allow the organisation to determine appropriate actions and priorities for dealing with any risks or potential risks identified.
  3. Undertake the selection and implementation of controls to mitigate risks – these controls refer to the methods used in security risk mitigation and may include policies, practices and procedures, specific organisational structures and software implementations. These controls will vary according to how an organisation operates. The key element in determining which controls to apply is that there is a positive cost/benefit ratio.

What are the benefits of ISO 27001?

Typically the benefits of ISO 27001 include some or all of the following – depending on the nature of the organisation:

In addition, the process of achieving compliance with ISO 27001 can often lead to organisations reflecting on management structures, policies and procedures. Many find that improvements can be made to the organisation with benefits far wider than just information security.

How do I achieve certification to ISO 27001?

Once all the requirements of ISO 27001 have been met, you can apply for certification. This should be carried out by a UKAS-accredited certification body.
The certification body will carry out the certification process in 3 stages:
