ISO 27001 sets out the criteria for an Information Security Management System. It has typically been applied by organisations in sectors such as finance, information technology (IT) and human resources (HR). However, with the compliance obligations introduced by the EU GDPR, and with cybercrime on the rise, information security (or ‘infosec’) has become a key topic of conversation, and ISO 27001 offers organisations a management system structure for securing their key assets.
ISO 27001 is based on the management system model of continual improvement – the ‘Plan-Do-Check-Act’ framework, a model it shares with other standards such as ISO 9001 and ISO 14001. This common structure simplifies the integration of large parts of an ISO 27001 Information Security Management System, or ISMS, with existing ISO management systems, such as quality, environmental and occupational health and safety systems.
An effective ISMS can reduce the risk of ransomware and other cybercrime, improve commercial viability and, overall, raise the confidence of employees, customers and third parties in your organisation’s operations.
In addition to the typical ISO requirements of internal audit and management review, processes expected of an ISMS include:
- Asset management: An inventory or register of clearly identifiable assets will need to be drawn up and adequately maintained, recording each asset's owner, its acceptable use and a policy for its return to the organisation when that owner leaves the organisation.
- Information security risk assessments: Risk assessments are at the core of an effective ISMS. Your organisation will need to implement and document a risk assessment process that systematically identifies, evaluates and scores or grades information security risks, and that establishes and prioritises actions to address them.
- Information security risk treatments: Following on from the risk assessments, your organisation will need to determine appropriate treatment options and plans. Key to this process is the creation and maintenance of a Statement of Applicability, a document listing the controls included in the ISMS and justifying any that are excluded.
- Physical and environmental security: Among its infosec controls, your organisation will need to demonstrate adequate measures to prevent unauthorised access to, damage to and interference with its information and information processing facilities, as well as to prevent the loss, damage, theft or compromise of its assets.
- Evaluation of legal and contractual compliance: As with ISO 14001 and ISO 45001 management systems, any organisation with an ISMS is required to understand its legal, statutory, regulatory and contractual requirements and to review how infosec is implemented and operated against organisational procedures and policies.
As of October 2022, there are two versions of the ISO 27001 standard:
- ISO/IEC 27001:2017
- ISO/IEC 27001:2022
After the publication of the 2022 version of the standard, a 3-year transition period began. During this transition period, certification is possible to either version of the standard. However, all certificates issued for ISO/IEC 27001:2017 will expire or be withdrawn by 31st October 2025. Any client that is certified to the 2017 version of the standard is expected to complete a transition audit before October 2025.