What is ISO 27001?

How is information secured in a company? Who has access to what and when? What safeguards are in place to ensure the confidentiality, availability and integrity of information? How is the data protected? What are the risks? And how can they be minimised?

ISO/IEC 27001:2013 certification aims to answer all these questions and more. What exactly is the purpose of this standard? How do you obtain it? We tell you everything you always wanted to know about ISO 27001 (but were afraid to ask).

ISO 27001 certification: definition

ISO/IEC 27001:2013 is a pioneering international certification for IT security established by the International Organization for Standardization (ISO). 

The ISO 27001 certificate is issued by a third-party certification body such as AFNOR in France. It certifies that a company has deployed an information security management system (ISMS; SMSI in French).

To achieve ISO/IEC 27001:2013 certification, organisations must follow a well-defined methodology to identify threats and minimise risks by implementing appropriate protective measures.

💡 It's all in the name!

Why this name? Firstly, because ISO is derived from the Greek "isos", which means equal. And secondly, because "International Organization for Standardization" would have had different acronyms in different languages (IOS in English, OIN in French), so the founders decided to give it the short form ISO. And so, whatever the country, whatever the language, ISO will always be ISO!

ISO 27001: What is it for?

ISO 27001 certification enables companies to detect, analyse and correct all risks to the organisation, its partners and customers arising in the course of a commercial, contractual or other relationship. By certifying the entirety of a company's activities, you can demonstrate extremely high security standards and so limit the risks for all your partners and customers.

Did you know? The ISO 27001 standard deals with different aspects, including:

  • the involvement of management in the security processes as well as the governance of the project;
  • risk analysis and the means of controlling risk;
  • the continuous improvement of the ISMS as well as the audits and controls carried out;
  • internal and external communication and its implications;
  • human resources security;
  • asset management (materials, tools, processes, information...);
  • access controls;
  • physical and environmental security;
  • the use and definition of cryptographic means, both on workstations and for client data;
  • security in operations, networks and development;
  • supplier management;
  • management of security incidents of all levels, business continuity and crisis management;
  • the compliance of a company and all its partners with high security standards and applicable norms and laws.

What does ISO/IEC 27001 cover?

The ISO/IEC 27001 standard consists of 10 chapters and an annex. The annex consists of 114 security measures in 14 sections, covering a wide range of areas:

  • information security policies
  • the organisation of information security
  • communications security, and the acquisition, development and maintenance of information systems
  • information security aspects of business continuity management, and compliance
  • security related to operations (e.g. backups)
  • asset management
  • access control, cryptography, physical and environmental security
  • human resources security

The ISO 27001 glossary

ISMS: "Information Security Management System". It is the implementation of ISO 27001 through the documents, processes, information, tools and technologies that allow us to guarantee information security.

The purpose of ISO 27001 is to set up the company's ISMS, analyse its risks and take as many measures as possible to reduce these risks in order to guarantee the protection and security of information.

IMS: "Integrated Management System". It is a combination of ISO 27001 and ISO 27701. It implies that the ISMS also deals with sensitive data and is fully integrated into our processes as a subcontractor and supplier.

    Some figures on ISO/IEC 27001:2013

    • 350 - the number of ISO/IEC 27001 certificates in France in 2019,
      a figure that increased by 57% compared to 2018

    • 36,300 - the number of ISO/IEC 27001 certificates worldwide in 2019,
      an increase of 14% compared to 2018

    • There are two types of certification: mandatory and voluntary

    💡 Going Further

    Are you familiar with ISO 27701:2019? This is the privacy extension of ISO/IEC 27001.

    💡 Good to know

    It takes 6 to 12 months to obtain ISO 27001 certification.

    What training for ISO 27001?

    There is a myriad of ISO/IEC training courses. Companies such as Deloitte, Lead Implementer, AFNOR, HS2, IT Governance, M2i or BSI offer them, and they last about 1 week. But you don't have to take them to get certified.

    What are the good practices of ISO 27001?

    1) Don't do documentation for documentation's sake. Everything you write must be applied in the company.

    2) Make it easy to use. Creating a massive management system is fine, but if no one knows how to use it, it will do you no good!

    Good to know

    Since its inception, ISO has published monthly information on its technical committees, published standards and administrative changes concerning the organization and its members.

    The short history of ISO


    In 1946, 65 delegates from 25 countries met in London to discuss the future of international standardization. In 1947, ISO officially came into being with 67 technical committees: groups of experts focusing on a specific subject.

    The first ISO offices
    In 1949, ISO moved into the offices of a small private house in Geneva. By the early 1950s, the Central Secretariat had five staff members.

    The first ISO standard
    In 1951, the first ISO standard, ISO/R 1:1951 "Standard reference temperature for industrial length measurements", was published. Since then, the standard has been updated many times and is now ISO 1:2016 "Geometrical product specifications (GPS) - Standard reference temperature for geometrical product specifications".

    ISO and developing countries
    During the 1960s, ISO made efforts to include more developing countries in its international standardization work. In 1961, it created DEVCO, a committee for developing country matters, and in 1968, it introduced correspondent membership. This allows developing countries to be informed about the work of international standardization without having to pay the full cost of ISO membership.
    Correspondent membership remains a popular option for many countries today. At the beginning of 2012, ISO had 49 correspondent members.

    An international orientation
    In the 1970s, ISO Secretary-General Olle Sturen set out to make ISO a truly international organization. Although ISO's members came from all over the world, in the early 1970s relatively few were fully active in the development of International Standards. Sturen's visits to members led to the active participation of countries such as Australia, Japan and China. The Central Secretariat also reflects this international outlook, with an average of 25 nationalities represented.

    ISO goes digital
    In 1995, ISO launched its first website. Five years later, in 2000, ISO began selling its standards online.