ISO 27001
ISO 27001 is an international standard that sets a framework for the establishment, implementation and maintenance of an Information Security Management System (ISMS).

Some companies make the mistake of thinking that ISO 27001 is an IT standard, but technical management is only one piece of the pie. There are actually three aspects to information security:

[Figure: the three aspects of an ISMS]

Many would agree that the biggest risk in information security is the human being. You can have the best physical and technical security systems in the world, but if one member of staff goes home and releases confidential information about a client then, BOOM, you have an information security incident. Human behaviour, whether negligence through ignorance or deliberate disobedience, can lead to a breach, which is why the Standard places so much weight on awareness, training and clearly assigned responsibilities.

But of course, it is not all about human breaches of security. Retailer Lakeland were "subjected to a sophisticated cyber-attack using a very recently identified flaw in Java software used by the servers running the website, and indeed numerous websites around the world". Technical systems must withstand attacks from outside, and websites need robust security measures in place, including prompt patching of newly disclosed flaws like the one used against Lakeland, to prevent break-ins.

Data centres that offer cloud computing services are likely to have high fences, reinforced doors, motion sensors, tailgating controls such as "man-traps", rooms controlled by passcode access, and security guards. Many data centres hold certificates in ISO 9001 (quality), ISO 27001 (information security) and ISO 14001 (environmental management) or ISO 50001 (energy management) to manage their use of energy and minimise negative environmental impact.

Do you remember, years ago, being told to use a strong password and choosing something like Password with a capital P? Now, of course, we are forced to use passwords of a minimum length containing a mix of cases and character types, and current guidance (NIST SP 800-63B, for example) favours longer passphrases, screening against known-breached passwords and multi-factor authentication over complexity rules alone. Some devices use fingerprint or iris recognition. Things have moved on and will continue to do so. Organisations handling confidential or sensitive information need to keep an eye on the future and stay in touch with what their clients and other interested parties expect of them.

Like all ISO management system standards, ISO 27001 tells you what to do but not how to do it. If you want help in setting up an ISMS you can consult a subject matter expert, read a guidance standard such as ISO 27002 (which gives implementation guidance for the Annex A controls), or both.

Questions you are longing to ask, with one or two answers you may be surprised to hear!

No, ISO 27001 is not just an IT standard. Information technology is only a part of it; the Standard also covers physical security and HR security, so behaviour is a key element, which is why it has stringent requirements on staff training, for example.

The Standard talks about information security rather than IT security because information is bigger than IT: information is everywhere, not just in data processing or technical areas but in the conversations we have, the emails and texts we send and the quick notes we write.

If you want to implement an ISMS, you have three options: read, research and do it yourself; attend training courses; or hire a consultant. Or possibly a mix of the three!

Compared with ISO 9001, both Standards use the 10-clause Annex SL structure, but ISO 27001:2013 adds Annex A, which lists 114 controls, so this part of the Standard can look quite daunting when you first open it (the 2022 revision reorganises Annex A into 93 controls under four themes: organisational, people, physical and technological). Within the first 10 clauses there are also requirements that are not in ISO 9001, such as a formal, documented information security risk assessment and risk treatment, and a Statement of Applicability that maps to the controls in Annex A and records whether, and why, each control has been included or excluded.

At Batalas we have subject matter experts who are only too willing to help you, whether or not you invest in our training.

Want to know more about ISO 27001?

We offer both public and in-house courses for ISO 27001 Information Security Management Systems.