Standards at the Heart of Information Security
ISO/IEC 27001 Overview implementation guide
Enabling better business
BSI ISO/IEC 27001 Overview implementation guide [Link] 2
Contents
3 Introduction
  Information security standards
  What is ISO/IEC 27001?
4 Features and benefits
  What can ISO/IEC 27001 do for your business?
  Benefits of ISO/IEC 27001 according to users
5 Core concepts: Learning the language of ISO/IEC 27001
  Versions of ISO/IEC 27001
  Key terminology
  What does it involve?
  Context of the organization
7 Case study: Keeping data safe and secure with ISO/IEC 27001
8 Your ISO/IEC 27001 journey
9 Understanding your standard: A breakdown of ISO/IEC 27001
11 BSI’s implementation top tips
Introduction
Information security standards
Information security is an essential part of any modern organization. Any size business, in any sector, will have some kind of data, information or assets that they will need to ensure are stored securely and accessible only by the right people at the right time.

Effective information security (infosec) requires a balance between risk management and technology, customers and stakeholders, staff and management. It can be challenging when faced with large amounts of different data, but with the right tools and information, organizations can protect commercially sensitive and personal data and keep their businesses safe.

What is ISO/IEC 27001?
ISO/IEC 27001 brings together knowledge and experience from the infosec industry, academia, the UK government and other sources to create a best practice guide to information security.

It’s an approach that can be adopted by any business, either partially or in full, to improve how that organization keeps data safe. It offers best practice guidance on how to identify and respond to threats appropriately, how to make your business more resilient and robust to potential threats, and how to continually build on the learning to ensure you remain protected.

This guide will show you how you can implement ISO/IEC 27001 in your organization, either in part or full, to maximise the long-term benefits and safeguard your business.
Features and benefits
What can ISO/IEC 27001 do for your business?
The ability to manage information safely and securely has never been more important. ISO/IEC 27001 not only helps protect your business, but also sends a clear signal to customers, suppliers and the marketplace that your organization has the ability to handle information securely.

The benefits of ISO/IEC 27001
The benefits of ISO/IEC 27001 aren’t just limited to information security, however. Adopting ISO/IEC 27001 could offer your business a range of benefits, by highlighting inefficiencies and processes that can be improved.
• Demonstrate your commitment to information security in marketing documents, branding and communications, making you more attractive to potential customers and allowing you to take on new work.
• Streamline and improve processes that may be outdated or simply ineffective. This could mean destroying existing data silos or coming up with completely new ways to do things.
• Save time by having effective processes in place, leaving more opportunities for innovation and focusing on the higher-value aspects of your business.

The benefits of ISO/IEC 27001 according to users:
• Reduces business risk
• Inspires trust in our business
• Helps protect our business
• Helps us comply with regulations
• Increases our competitive edge
• Reduces the likelihood of mistakes
Core concepts: Learning the language of ISO/IEC 27001
Versions of ISO/IEC 27001
The latest version of ISO/IEC 27001 was published in 2013. ISO/IEC 27001:2013 was created to help face the challenges of modern business. It is backed up by the principles of risk management contained in ISO 31000. You can always find previous versions of a standard at BSI Knowledge, the online database of British Standards.

Key terminology:

Controls
Any administrative, managerial, technical or legal method used to modify or manage an information security risk, e.g. processes, policies, programs, tools or devices.

Risk owner
The person or entity with the authority to manage a particular risk and is accountable for doing so.

Documented information
The meaningful data or information you control or maintain to support your Information Security Management System (ISMS).

Interested parties
A person or entity that can affect, be affected by or perceive themselves to be affected by a decision or activity, e.g. suppliers, customers or competitors.

Issues
External or internal, positive or negative conditions that affect the confidentiality, integrity and availability of an organization’s information.

Risks and opportunities
Defined as “the effect of uncertainty on an expected result”.
Core concepts: Learning the language of ISO/IEC 27001
What does it involve?
ISO/IEC 27001 can help you identify vulnerabilities in your ISMS, with guidance on how to proactively control and manage any threats.

Before exploring the standard in more detail, it’s valuable to get to grips with the core concepts that the standard is built around. These are the areas that ISO/IEC 27001 will help you to understand and focus on continually improving.

Context of the organization
This is a thread that runs throughout the standard and means understanding any internal and external factors and/or conditions that can affect your organization’s information. Understanding the context that your organization exists in will allow you to more clearly see any limitations - or opportunities - that the adoption of ISO/IEC 27001 may cause.

Risk
Naturally, ISO/IEC 27001 is highly focused on the identification, prevention and management of risk. Essentially, risk associated with threats (e.g. viruses, hackers targeting you) and opportunities (e.g. exploiting vulnerabilities in your ISMS) is best reduced by putting in place the best possible planning processes. This is a more effective course of action than preventive (or reactive) action.

Leadership
Many of the standard’s requirements are specific to top-level management, whether that’s one person or a group of people. This may involve individuals at C-Suite, or working groups established to manage the adoption of the new standard, setting long- and short-term objectives, assigning tasks and setting deadlines.

Communication
This standard contains clear and detailed requirements for both internal and external communications at every level of the organization. For clients, customers, stakeholders or anyone else, changes being made as the standard is adopted must be communicated clearly and in good time.

Performance evaluation
A final but essential part of adopting any standard is how you’ll measure the impact of adopting ISO/IEC 27001, analyse your ISMS and identify remaining areas for improvement. Whether you want to get certified or simply adopt some elements of the standard, evaluating and assessing your progress ensures you can keep building on what you’ve achieved.
Case study: Keeping data safe and secure with ISO/IEC 27001
As a company reliant on the safety and security of its customers’ data, debt collection agency Fredrickson adopted ISO/IEC 27001 to demonstrate their commitment to information security. From building consumer confidence to saving time, the standard has resulted in a range of benefits for the organization, according to Sales and Marketing Director, Jan-Michael Lacy.

“Information security is fundamental to the success of Fredrickson. Much of our work involves receiving, analysing and storing sensitive consumer and business credit information. We must be able to assure our customers and the general public that we take the security of their personal information seriously.

Rather than simply saying that we are compliant with the information security standard BS ISO/IEC 27001, we felt it would provide the market with the confidence it needed if we got independent assessment and certification. As a result, clients and the general public can now have total confidence in our information security practices and the way their personal information is managed.

Being able to show that we are BS ISO/IEC 27001 certified has significantly reduced the man hours needed to complete IT security questionnaires required by clients in bidding for work and on an ongoing basis after a contract has been awarded.

Introducing the standard also brought us immediate financial benefits. Since we achieved certification we have won some of our largest deals. Clients now include a central government department, well respected UK financial institutions and several FTSE 100 companies. We are committed to setting the standard and becoming the most compliant agency in the UK. We believe that in the near future BS ISO/IEC 27001 certification will be a pre-requisite imposed by many of our clients when selecting outsourced partners.

There have been several high profile instances of data loss within our industry and as such reducing the risk of this happening and proving we have the highest levels of security in place is important in demonstrating to clients that we are fit for purpose.”

“The standard isn’t just for firms like ours – any business can benefit from it. Compliance also helps businesses to meet legal requirements such as data protection regulations and the Freedom of Information Act.”
Jan-Michael Lacy
Sales and Marketing Director
Your ISO/IEC 27001 journey
1. Discuss the possibility of adopting ISO/IEC 27001 with stakeholders, team leaders and staff to ensure it will add value to your organization and that everyone is on board with the implications of adoption – an ISO/IEC 27001 training session or external consultant can help with this.
2. Buy the standard and read it; understand the content, your requirements and how it will improve your business. Download your PDF version of the full standard and start exploring how you can enhance your information security.
3. Start planning your implementation strategy and reviewing existing processes as a benchmark to monitor progress against. Compare your current system with ISO/IEC 27001 approaches.
4. Create workgroups with defined roles, responsibilities and deadlines. These groups should be made up of different levels of staff, as they will use their practical experience to manage the adoption of the standard.
5. When you’ve fully implemented the standard, make sure you regularly review your ISO/IEC 27001 system to ensure continual improvement.
6. Encourage training opportunities that support your ISO/IEC 27001 system, such as staff becoming internal auditors.
7. Through BSI, or another third-party certification body, apply for full certification. Undertake the two-stage formal assessment which examines how you’re applying the standard and checks procedures and controls in place are in line with ISO/IEC 27001.
8. Receive your ISO/IEC 27001 certification, which is valid for three years.
Understanding your standard
A breakdown of ISO/IEC 27001
The physical document that houses a standard is made up of clauses which guide you or your organization through the process of implementation. These clauses enable you to plan how you will adopt a standard like ISO/IEC 27001, from the very first step to post-certification.

To dispel the air of mystery around standards, we’ve broken down ISO/IEC 27001 into its separate clauses to explain how each one works, what it will require of your business and the intended outcome of each section.

Clause 1 and 2: Scope and references to other documents
The first clause details the scope of the standard. A lot of the documents referenced in ISO/IEC 27001 are contained in ISO/IEC 27000, such as:
• Information technology
• Security techniques
• Information security management systems
• Overview and vocabulary, which is referenced and provides valuable guidance

Clause 3 and 4: Terms and definitions and context of the organization
As with clause 2, refer to the terms and definitions contained in ISO/IEC 27000. Clause 4 establishes internal and external issues that may impact the implementation and effects of ISO/IEC 27001 on the ISMS.

This clause will talk you through identifying those issues, establishing your interested parties and any legal, regulatory or contractual obligations you may have to them. It’ll then guide you through determining the scope of your ISMS and show you how to establish, implement, maintain and continually improve your ISMS in relation to ISO/IEC 27001.

Clause 5 and 6: Leadership and planning
Clause 5 focuses on the role of top management. While they can assign ISMS relevant responsibilities and authorities, they remain ultimately accountable for it, so they need to establish the ISMS and infosec policy, ensure those policies are clearly communicated to and understood by all parties and monitor the continual improvement of the ISMS.

Clause 6 outlines how you plan to address any of the risks and opportunities to information you have identified, focusing on how to deal with information security risks.

“Statement of Applicability” (SoA)
The SoA summarises your strategy around risk treatment, the control objectives and any controls you have included. It also details those you have excluded and explains why. The SoA establishes your infosec objectives clearly, concisely and in line with the standard’s requirements.
Understanding your standard
Clause 7: Support
This section is about getting the right resources, people and infrastructure in place to establish, implement, maintain and continually improve your ISMS. From competence and communications to the availability of training and personnel, this clause focuses on documented information, how you’ll protect it and who has access to it.

Clause 8: Operation
By clause 8, you’re ready to execute the plans and processes you’ve come up with. This clause is where you can start working towards achieving your infosec objectives in a controlled way.

Consider any changes - whether planned or not - and record and retain the results of any new process being implemented.

Clause 9: Performance evaluation
Monitoring, measuring, analyzing and evaluating your ISMS ensures that it is effective and will remain so. Clause 9 guides you through continually assessing your organization, from considering how you’ll evaluate your infosec’s effectiveness to analyzing the methods you used. This is where internal audits and management reviews will take place and you can identify areas for improvement.

Clause 10: Improvement
The last clause is a chance to identify any corrective action that might be needed. Clause 10 requires you to:
• Show how you react to nonconformities, take action, correct them and deal with the consequences.
• Demonstrate whether any similar nonconformities exist, or could happen, and show how you’ll eliminate their causes.
• Show continual improvement of the ISMS, including demonstrating the suitability and adequacy of it and how effective it is. However, how you do this is up to you.
BSI’s implementation top tips
1. Explore the best practice advice within the standard and decide whether you wish to adopt in full and reach certification or just use the valuable information to improve your internal systems.
2. Think about how different departments work together to avoid silos. Make sure the organization works as a team for the benefit of customers and the organization.
3. Top management commitment is key to making implementation of ISO/IEC 27001 a success. They need to be actively involved and approve the resources required.
4. Review systems, policies, procedures and processes you have in place – you may already do much of what’s in the standard, and make it work for your business. You shouldn’t be doing something just for the sake of the standard – it needs to add value.
5. Speak to your customers and suppliers. They may be able to suggest improvements and give feedback on your service.
6. Train your staff to carry out internal audits of the system. This can help with their understanding, but it could also provide valuable feedback on potential problems or opportunities for achievement.
7. When you gain certification celebrate your achievement and use the BSI Assurance Mark on your literature, website and promotional material.

Start your standards journey
Visit BSI Knowledge to explore over 60,000 standards. For more information about ISO/IEC 27001 contact our customer service team on 0345 086 9001.
+44(0)345 086 9001
[Link]
Enabling better business