Thursday 17 October 2019

ISO / IEC 27001 | Gaining Your Competitive Advantage

Written by Steve Giachardi

There are many benefits to your organisation aligning or certifying to business standards: documenting that you have strong governance in place, ensuring that you are adopting best practice, and demonstrating that you take security seriously, to name a few. In this article we will discuss the benefits of aligning and certifying to ISO/IEC 27001.

Deriving from the Greek word isos, meaning equal, ISO/IEC 27001 is now widely recognised as the de facto standard for information security. It is controlled by its governing body, the International Organisation for Standardisation.

There are 31,910 organisations globally that are ISO/IEC 27001 certified, with 2,444 in the UK and 9,111 in America alone. So, why are so many organisations choosing to certify to ISO/IEC 27001?

Good governance, best practice, strong controls, and maturing as an organisation are all important and admirable objectives, but perhaps the greatest benefit is in fact a commercial one. Information and cyber security are common boardroom topics that often filter down into what organisations demand from their suppliers. This is particularly true of, but not limited to, financial services, pharmaceuticals and any industry that is highly regulated or that has valuable assets to protect, such as customer data or intellectual property.

Demonstrating that you take information security seriously, as a potential new supplier, can ultimately mean the difference between winning or losing your next tender process.

ISO/IEC 27001 Overview

This article discusses ISO/IEC 27001, its purpose and its benefits, covering the specification and requirements of the standard, the specification and requirements of an ISMS (information security management system), and the issues that affect an ISMS over time.

ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for, and is recognised as the best-practice framework for, an ISMS. Organisations meeting the standard may gain an official certification, issued by an independent and accredited certification body on successful completion of a formal audit process. By aligning to ISO/IEC 27001, organisations meet recognised information security standards, making them more likely to win business, especially from enterprise organisations.

International information security standards

ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
  • A.5 - Information security policies
  • A.6 - How information security is organised
  • A.7 - Human resources security - controls that are applied before, during, or after employment
  • A.8 - Asset management
  • A.9 - Access controls and managing user access
  • A.10 - Cryptographic technology
  • A.11 - Physical security of the organisation's sites and equipment
  • A.12 - Operational security
  • A.13 - Secure communications and data transfer
  • A.14 - Secure acquisition, development, and support of information systems
  • A.15 - Security for suppliers and third parties
  • A.16 - Incident management
  • A.17 - Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18 - Compliance - with internal requirements, such as policies, and with external requirements, such as laws.

ISMS Requirements

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".

27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.

This structure mirrors that of other newer management standards such as ISO 22301 (business continuity management), which helps organisations that aim to comply with multiple standards to improve their IT from different perspectives.

Information Security Management System

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001:2013 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

ISO/IEC 27001:2013 is a risk-based information security standard, which means that organisations need to have a risk management process in place. The risk management process fits into the PDCA model given above.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The development of an ISMS framework based on ISO/IEC 27001:2013 entails the following six steps:
  1. Definition of security policy
  2. Definition of ISMS scope
  3. Risk assessment (as part of risk management)
  4. Risk management
  5. Selection of appropriate controls
  6. Statement of applicability

ISMS Requirements

To be effective, the ISMS must:
  • have the continuous, unshakeable and visible support and commitment of the organisation’s top management
  • be managed centrally, based on a common strategy and policy across the entire organisation
  • be an integral part of the overall management of the organisation related to and reflecting the organisation’s approach to risk management, the control objectives and controls and the degree of assurance required
  • have security objectives and activities based on business objectives and requirements and led by business management
  • undertake only necessary tasks, avoiding over-control and the waste of valuable resources
  • fully comply with the organisation's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in a controlled way and to demonstrate that they have fulfilled their accountabilities
  • be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices
  • be a never-ending process

Dynamic Issues In ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

  • Dynamically changing security requirements of an organisation
Rapid technological development raises new security concerns for organisations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organise and manage dynamically changing requirements and keep the system up to date.

  • Externalities caused by a security system
An externality is an economic concept: an effect borne by a party that is not directly involved in a transaction. Externalities can be positive or negative. The ISMS deployed in an organisation may also cause externalities for other systems it interacts with. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. Internalising the externalities caused by the ISMS benefits both the organisation and its interacting partners by protecting them from vulnerable ISMS behaviours.

  • Obsolete evaluation of security concerns
The evaluations of security concerns used in an ISMS become obsolete as technology progresses and new threats and vulnerabilities arise. Continuous security evaluation of organisational products, services, methods and technology is essential to maintaining an effective ISMS, so previously evaluated security concerns need to be re-evaluated. A continuous security evaluation mechanism within the organisation's ISMS is therefore critical to achieving information security objectives. The re-evaluation process is tied to the dynamic security requirement management process discussed above.


Is ISO/IEC 27001 certification for everyone? Perhaps not. But if your business is serious about reducing risk, and is looking for an effective way to assess the risks in your business (Plan), implement controls to manage that risk (Do), use these to benchmark ongoing performance (Check), and continuously review the ISMS as the business changes over time (Act)? Yes, absolutely.

An ISO journey may seem like a big undertaking but, for most, the benefits far outweigh the initial investment, and the journey to certification can be surprisingly short. Rarely is there a better opportunity to drive cultural change in a business, and one that leads to both a mature information security posture and your business's next big competitive advantage.