
The Ultimate ISO 27001 Guide

Written by Katie Barnett - Director of Cyber Security | Mar 25, 2024 8:27:35 PM

Understanding where to start with ISO 27001 can feel somewhat overwhelming, but we are here to help!   

By the time you’ve finished this guide you’ll understand what ISO 27001 is, what the benefits are, how it works and why it’s a great framework for blended security.  

What is ISO 27001?   

At its core, ISO 27001 is a globally recognised framework designed to help organisations establish, implement, maintain, and continually improve an information security management system.  

ISO 27001 includes requirements for managing information assets by considering people, processes, technology, and physical controls. The holistic nature of ISO 27001 makes it the perfect framework to approach blended security processes and controls across your organisation.

Before you start…  

ISO 27001 should not be treated as a checklist exercise; it should be seen as a continual improvement journey. Embrace it as such and you will improve your overall security posture.

Why might you need it?  

  • Your customers expect it.
  • You need it to win certain contracts.
  • You want a framework to guide security improvements.

ISO 27001 ultimately shows your clients that you are serious about security, and you follow best practices to keep their data secure.  

Why is it an excellent choice as a framework? 

  • ISO 27001 will help to reduce your financial risk through a structured risk management process and by strengthening your security practices.
  • It will help to improve your customers’ trust. It will increase customer, investor, and partner confidence in your security controls.  
  • There are lots of standards addressing individual security disciplines, but ISO 27001 covers elements of cyber, physical and people security, and business continuity. It highlights the importance of a blended security approach, which is one of the reasons why this standard comes highly recommended by Toro.
  • As the third most commonly certified ISO standard worldwide, ISO 27001 will provide you with international credibility and assurance, so if someone is asking for your accreditations – they are going to know what this is. 

How does it work? 

  • ISO 27001 is the primary standard in the 27000 family.  
  • If you’re interested in using this framework, a good starting point is to purchase a copy of the standard itself from the ISO website (link).
  • Whilst the standards themselves are quite dry, there is some good and informative guidance both within the standard and around it to help you better understand what security you should be implementing within your organisation and how. Alternatively, ask Toro to assist.

What are the controls? 

The ISO 27001 framework is broken down into 2 parts.  

Firstly, there are the core requirements needed to run an ISMS (Information Security Management System); this is your governance and process piece. It covers context, leadership, planning, support, operation, performance evaluation and improvement. These are broken down below.

The second part of ISO 27001 is the Annex A controls, which are broken down into 4 themes. There are 93 controls across the 4 security domains:

  • Organisational Controls (37)
  • People Controls (8) 
  • Physical Controls (14) 
  • Technological Controls (34) 

This blended approach across all the controls ensures that security is not restricted to one part of the business.  

Where do I start? 

The first thing you need to do is to get leadership support and buy in from the organisation. Once this is in place you need to: 

  • Define the scope of the ISO 27001 implementation within your organisation. Ideally, you should scope ISO 27001 to the whole organisation. If this is not possible, a more limited scope might be defined by business division, physical geography, or key products/services or processes within your company that can be segregated.  
  • Ensure you have an Information Security Policy (or suite of policies and procedures) with associated roles and responsibilities.  
  • Define your risk assessment methodology and perform a risk assessment based on your information security objectives and plans to achieve them. 
  • Identify which of the 93 Annex A controls are, or aren’t, applicable in order for you to manage your information security risks. From this, create a Statement of Applicability (SoA) which lists all the controls applicable to your organisation.
  • Collect evidence to demonstrate that the policies have been implemented and controls are operational. 
  • Ensure your employees are provided with awareness training on information security and the most relevant threats to your organisation. 
  • Audit, monitor and measure how well your ISMS processes are working, identify what is not working and implement continual improvement. Report this to top management.

Other important things to consider:

  • ISO 27001 relies heavily on documentation. Documents must be actively managed and include elements like version control, classification, owner, and last reviewed date.  
  • The standard encourages ongoing improvement, so it is important that you conduct regular internal audits and build this into your process.  

How long does it take?  

There are lots of different factors that will determine how long it takes such as the size of your organisation, the number and complexity of processes, number of locations and number of employees. You also need to consider the current maturity of your information security capability and the knowledge that exists already within your organisation.   

However, we’d typically say that you need to allocate at least 6 – 12 months.  

We would recommend treating the certification as a project and managing it this way, whether it is done completely in-house or supported by an ISO 27001 consultant. 

How often do you need to re-certify?  

You need to complete a full recertification audit every 3 years, and surveillance audits need to be done annually in between.

How much involvement from senior management? 

You need top management ‘buy-in’. A reputable auditor will need to be satisfied that the ISMS is integrated into the wider organisation and not just a siloed initiative being run in isolation.  

How much does it cost? 

It depends on your size, complexity, the scope, and the accredited certification body chosen. The cost of the audit for small businesses starts at £6k, whereas larger organisations should expect to pay more.

The cost of implementation, whether you are paying for consultancy support or just internal time and resources, should also be factored in.

Altogether small businesses might need to budget £15-20k and larger organisations significantly more than this. 

What are the alternatives? 

IASME Cyber Assured is the Cyber Essentials equivalent of ISO 27001, looking for processes, policies and procedures that support a system of governance and information security. 

Cyber Essentials is the cheapest technical controls framework, but it is far more prescriptive (pass or fail) and can be challenging for some organisations to achieve, especially if your IT is not proactively and centrally managed or you do not have a robust and fast patching schedule.

Achieving ISO 27001 certification can seem daunting and overwhelming, so many organisations prefer to partner with a third-party organisation.

If you are interested in implementing ISO 27001 in your organisation and would like to speak to Toro, please get in touch. Toro has supported hundreds of organisations to achieve ISO 27001, both as a stand-alone project and as part of a wider security improvement programme.

If you want to watch our latest webinar which demystifies ISO 27001, please view it here.