The ISO/IEC 27001 Information Security Management Standard


by Geoff Keston

Docid: 00021030

Publication Date: 2205

Report Type: STANDARD


ISO/IEC 27001 is a highly regarded, internationally recognized
certification of an organization’s information security. Companies as
prominent as Amazon, Google, and Microsoft use their certifications to
demonstrate the security of their services. Adoption of the standard is
expected to continue growing. Especially among cloud services companies,
it may become a standard that enterprise customers expect their service
providers to meet.

Executive Summary


The ISO/IEC 27001 standard provides a framework for an information
security management system (ISMS) that spans an entire organization, from
executive strategy-setting to the actions of frontline employees in all


Even relationships with external suppliers and regulatory agencies are
covered. Rather than specifying details, the standard outlines fundamental
governance processes and gives organizations the freedom to select
security products and choose performance metrics. With respect to compliance
with 27001, what matters most is whether an enterprise has fully
considered its own “organizational context” and made choices accordingly.
An organizational context is composed of factors such as trends
within the industry in which a company operates, the competitive pressures
it faces, and the corporate culture it wants to maintain.

Given the importance of organizational context in the 27001 framework, a
good first step toward implementing the standard is for an organization to
identify its security, privacy, and regulatory needs. Then, it can
determine the ways in which its current efforts do not comply. In doing
so, it is important to focus on root causes, which are the ultimate
origins of systemic problems. Addressing root causes leads to ongoing
improvement (another key ISO concept) rather than simply fixing problems
one at a time.

Across all business functions and throughout all of the steps involved in
planning, implementing, and operating an ISMS, organizations are expected
to perform risk management. This involves weighing the cost of potential
problems against the cost of opportunities that are lost by avoiding
actions that carry risk. Complying with the 27001 standard is therefore
not simply about creating strong security defenses but also about
considering how those defenses impact business goals.



ISO/IEC 27001 is a security framework, meaning that it outlines the basic
structure of an information security management system (ISMS) rather than
defining details. In other words, it focuses on broadly describing
oversight and planning processes instead of identifying specific tools and
configurations. Being a framework means the standard can be applied to a
broad range of organizations, but it also burdens organizations with
making many choices themselves rather than following a strict blueprint.

The overall ISO 27000 family includes many standards, including one that
defines key terms. The 27001 standard describes the requirements that must
be met, so it is the one to which organizations are certified.[1]
The certification is awarded to organizations (or relatively
autonomous parts of organizations) that pass a compliance audit. (The
certification doesn’t apply to employees themselves.) Some organizations
bill themselves as being “ISO/IEC 27001 compliant” if they believe they
are meeting the requirements even if they have not passed an audit. This
is an unofficial status, however, and is different from being certified.
Also, there are some “auditors” who will issue unofficial certificates.
(To identify whether a certification is real, an organization should
determine whether the company performing the audit is certified by a
member of the International Accreditation Forum (IAF). For example, in the
United States, many registrars are approved by IAF member ANAB.) Once
certified for 27001, an organization must pass an audit every year.

The 27001 standard covers not only IT but any department or function that
affects security or information management, including executives who
define the corporate strategy. In fact, ISO has increasingly emphasized
the role of executives and other leaders in meeting requirements, both in
27001 and in complementary standards like 9001 (for quality management).
Yet, while requiring executives to play a major role, 27001 is not
designed to be enforced only in a top-down fashion. Frontline employees in
any department are also required to demonstrate “competence and
awareness” of their own role within the ISMS. All employees also must know
how to report security issues or suggest security improvements. Auditors
may ask to see suggestions that employees have made and how the ideas were
evaluated by the organization. Not having any such involvement from
frontline employees may count as a negative mark in an audit.

An organization doesn’t need to have perfect security to be 27001
compliant. For example, having a network infected by a virus or suffering
an outage because of a hacker attack wouldn’t necessarily mean failing an
audit. Instead, what is relevant to meeting the requirements for 27001 is
the response to such incidents. In particular, an auditor might ask the
following about how an organization responded:

  • Was the root cause of the problem identified?
  • Were any processes changed to prevent similar problems?
  • Was documentation updated to reflect the new processes?
  • Was training performed to help raise awareness about the problem?
  • Has the effectiveness of the new processes been monitored?

Asking questions such as these is part of the key concept of improvement
(sometimes called “continual improvement”). An organization’s ISMS is
expected to continually get better because everyone from executives to
frontline employees is making recommendations and because it undergoes a
detailed internal audit each year. Internal audits are performed by
organizations themselves (or a hired third party) and are distinct from
the audits used to certify an organization.

Another key concept in 27001 is risk management. The term “risk”
here is not identical to a term like “threat” or “vulnerability.” Instead,
risk-based thinking also considers the potential for lost opportunities.
This thinking considers company goals and interests, and therefore it is
not limited to the IT department. The standard requires that risk be
considered across all organizational functions and processes – simply
having a Chief Risk Officer or a risk department will not be sufficient
for meeting the requirement. (The risk management requirements are defined
in more detail in a separate ISO standard, 31000.)

Competing Standards &


Alternatives to 27001 are specialized, such as by vertical industry or
region. Examples include:

  • HITRUST CSF, a security framework for healthcare organizations.
  • NIST Security and Privacy Controls for Federal Information Systems and
  • CMR 17.00, which applies in Massachusetts and is defined by the state
  • SOC 2, from AICPA, which targets services organizations and focuses on
    governance, oversight, and risk management.
  • IASME, which describes itself as an “affordable and achievable
    alternative to ISO 27001.”

Some organizations may use COBIT or ITIL for general IT management rather
than information security management specifically, but these frameworks
can be effective for an ISMS as well. ISACA, which maintains COBIT, also
offers the Risk IT framework for IT risk management.

Current Version


The most recent major revision of the standard is ISO/IEC 27001:2013,
which replaced the 2005 version. (ISO standards are typically updated
about every eight years.) The latest version has themes also seen in
recent versions of other ISO standards:[2]

  • It is less prescriptive — For example, rather than specifying exact
    risk management steps, it describes a more broadly defined approach that
    gives compliant organizations more latitude.
  • It puts more emphasis on outside entities — The new standard
    considers “interested parties” that may be concerned with the
    organization’s security. Examples include regulatory bodies or companies
    with which an organization has contractual agreements.

The latest version also has the same main headings as recent versions of
other ISO standards:

  • 1-3 Frontmatter
  • 4 Context of the Organization
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance Evaluation
  • 10 Improvement

The alignment of the overall structure of the standards is meant to
reduce confusion and, in part, make it easier to be certified to more than
one ISO standard. (Some auditing companies even give a significant price
break to organizations that are being certified for both 9001 and 27001,
because many requirements are shared between the two.)

There is now an ISO 27001:2017, but it shouldn’t be viewed as a new version
of the standard. The change partly reflects the European Union’s 2017
acceptance of the standard, which is why the prefix “EN” often appears
before the 2017 update’s name.[3] The other changes aren’t
substantive but provide more clarity. Specifically, the 2017 minor update
clarifies that information is a type of asset (it was intended by the 2013
version to be viewed this way) and is more explicit about how items in the
Statement of Applicability should be presented (see below).[4]

The 10 categories above comprise the first part of ISO 27002, focusing on
the overall framework of compliance. The second part of the standard is
called Annex A, and it defines specific security “controls,” which can be
a process, policy, device, or application that helps to mitigate risk.
While requirements in the first part of 27001 relate to broader oversight
and mirror requirements in other ISO standards, Annex A is more specific
to technology. These controls are used to address risks and relate most
directly to section 6.1.3 under the framework’s Planning section. (The
requirements of Annex A are further spelled out in ISO 27002, which
is not a separate standard but simply a companion document.)

As discussed below, organizations are required to create a “Statement of
Applicability” regarding their compliance with items in Annex A. It is
even possible to claim exemptions from some requirements, but there are
limits to this flexibility.



ISO 27001 certifications have been growing substantially worldwide. In
the most recent data available, certifications grew by 13.95 percent
between 2018 and 2019, when the total reached 36,362.[5]

The increased adoption is due partly to the growing severity and variety
of threats facing organizations. And it is also due to a trend toward IT
governance, in which cybersecurity and other IT issues have become
corporate-level concerns. The 27001 framework makes security a management
and oversight function rather than simply a technical one, and the 2013
version (with the 2017 update) in particular aims to be more cohesive with
an organization’s business strategy. “Liability for data breaches that
affect customers leads directly to the C-suite,” says BAE Systems’ Bill
Sweeney in Harvard Business Review.[6] “Executives
need to personally know how strong their company’s cyber defenses are, as
well as the expected responses for attacks or breaches.” An even
stronger statement was made a few years ago in a report by the UK
Parliament, which suggested that the salaries of CEOs should be affected
by security problems their organizations suffer.[7]



Build on Existing Security and Governance Approaches

When ISO releases new versions of standards, it doesn’t introduce
radically new concepts. Its standards aren’t written to promote entirely
new types of thinking. Instead, the standards are based on best
practices that have become well accepted and have been demonstrated to be
effective. Therefore, many organizations that implement ISO/IEC 27001 will
discover that their core security policies and procedures can continue
being used. This will be especially true for organizations using a
structured IT approach like ITIL, which requires formal processes for
event, incident, and problem management. (The popular
plan-do-check-act approach is not explicitly required by the new
version of 27001, but it can still be used.)

But even for organizations with many relevant best practices in place,
implementing 27001 will require some additional formalization and
documentation, and existing processes may need to be restructured or

Identify Security, Privacy, and Regulatory Needs

The 27001 standard doesn’t ask organizations to implement particular
technologies or to follow minutely defined processes. Instead, it provides
a framework that structures a security program. To fill in the details,
ISO standards want organizations to devise their policies and procedures
based on their specific business “context.” This includes factors
such as the following:

  • Competitive environment
  • Regulatory and legal requirements
  • Supplier relationships
  • Corporate strategy
  • Financial pressures
  • Industry trends
  • Technology developments
  • Corporate culture
  • Societal trends
  • Customer buying habits

Work from the Statement of Applicability

Once an organization determines its business needs and documents them in the
context statement, it can then create the “Statement of Applicability.” This
document, described in the section on “information security risk treatment”
(6.1.3), does the following:

  • identifies which elements of the standard apply to the organization,
  • explains why any exclusions are reasonable for the organization,
  • defines the controls used for the parts of the standard that do apply.

The ability for an organization to exclude some requirements enables the
standard to be flexible. The Statement of Applicability is the foundation
for:
  • internal auditing
  • working with the registrar
  • working with the auditor
  • defining the scope of the certification and the audit

The ability to claim exemptions applies to Annex A rather than the entire
standard, and the flexibility is not unlimited. Auditors can dispute some
exemption claims, and some claims will simply not be allowed by the rules of
the certification bodies.

Seek Business Gains

A mistake that some organizations make when seeking ISO certification is
to operate their compliance program separately from their day-to-day
business. In effect, such organizations let their ISO processes and their
true processes operate in parallel, using the former simply to become
certified and the latter to drive business decisions. This approach not
only creates wasted effort, but it also makes it harder to pass an audit.

Using 27001 certification as a marketing tool is a legitimate goal,[8]
but it should not be the primary driver of the system. A better
approach is to use the 27001 framework as a means to make needed changes. A
core part of many ISO standards is that an organization’s business context
should be considered when making decisions, so focusing on business goals is
fully in keeping with the goals of the framework. This is another reason
that the standard requires organizational leaders to be closely involved in
maintaining the ISMS.

Conduct a Gap Analysis and Look for Root Causes

Once an organization identifies its business goals and its needs for
security, privacy, and regulatory compliance, it can then identify where
and how it falls short of meeting the requirements of 27001. This “gap
analysis” process identifies the primary areas to focus on in
compliance. To conduct a gap analysis, an organization may use the
internal audit process described above.

ISO standards like 27001 and the interrelated 9001 emphasize the
importance of identifying root causes of problems. Rather than solving
problems one-by-one as they occur, ISO encourages organizations to find
the systemic factors that are the common origins of many issues. Root
causes are often identified using a process called the “Five Whys,” which
involves asking a series of questions about why a problem occurred.
Progressively, these questions get closer to a problem’s root cause.



About the Author


Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
