ISO 27001: A Beginner’s Guide

Starting your journey to ISO 27001 compliance? Here's an easy-to-follow guide to get you on the right track.
by Troy Fine

June 24, 2022

About 44,000 organizations are ISO 27001 certified and that number continues to grow each year. It’s clear that organizations are coming to understand its importance in the current business environment, but it can be difficult to make sense of if you aren’t familiar with this concept. In this post, we’ll provide an overview of what ISO 27001 is, why it’s important, best practices to help you achieve certification, and more. 

What is ISO 27001?

ISO 27001 is the international standard that describes best practices for an Information Security Management System (ISMS). It is based on a set of ISO 27001 controls and measures that organizations can use to achieve information security.

The ISO 27001 standard requires that you have procedures in place to cover aspects of the ISMS, including:

  • Information security risk management (What are the risks you face and how do you treat those risks?)

  • Monitoring, measurement, analysis, and evaluation (How is the effectiveness of the information security management system evaluated?)

  • Improvement (How are nonconformities evaluated and corrected?)

Who Needs ISO 27001?

Any business experiencing growth in international markets that wants to demonstrate to customers that it is preserving the confidentiality, integrity, and availability of information by applying a risk management process can benefit from ISO 27001. The primary focus is empowering organizations to establish, implement, maintain, and continually improve their ISMS. Curious about how ISO 27001 compares to SOC 2? Learn more in this article on our blog.

Why is ISO 27001 Important?

The ISO 27001 standard is an effective way to keep your company’s information secure when you take the right steps to implement it. It provides a structured approach to implementing, integrating, and continuously improving your ISMS. 

This helps protect assets from both internal and external threats by making sure you:

  • Understand the organization’s needs, requirements, and risk appetite.

  • Apply policies, procedures, and controls to manage these risks within the defined parameters of the organization’s tolerance levels.

  • Monitor performance against these standards on an ongoing basis.

What are the ISO 27001 Requirements?

Once you begin digging into the world of ISO 27001, it can become overwhelming, but it doesn’t have to be that way. Looking at the standard by each clause makes it much more manageable for organizations. Clauses 0 to 3 are:

  • Introduction

  • Scope

  • Normative references

  • Terms and definitions

These clauses cover the basics of ISO 27001 and provide the context you need to begin to understand the core concepts. Clauses 4 to 10 provide ISO 27001 requirements organizations need to meet to conform with the standard.

A Closer Look at Clauses 4 to 10

Understanding each of these clauses is critical to success with ISO 27001. Here’s a brief summary of what you need to know about each one.

Clause 4: Context of the Organization

It’s important to understand the organization’s context—its environment and its relationships. This includes understanding the needs of both internal and external interested parties relevant to the ISMS and determining the boundaries and applicability of the ISMS in order to establish its scope.

Clause 5: Leadership

You’ll need solid leadership to succeed. Leadership is required to establish the information security policy and information security objectives, decide on strategic objectives, and ensure that the resources needed for the ISMS are available. They also need to assign responsibilities and promote continual improvement.

Clause 6: Planning 

You must factor in all risks and opportunities before taking further steps. Do a risk assessment: assess the realistic likelihood of occurrence of each risk identified and determine its level of risk. Based on the risk assessment results, select appropriate risk treatment options and determine all controls necessary to implement the risk treatment options selected.

You must create a Statement of Applicability (SoA) that lists the necessary controls with justification for their inclusion, states whether each is implemented, and gives justification for any Annex A controls that were excluded.

Clause 7: Support 

For your team to conform to the ISO 27001 standard, they need information to support their actions. This means establishing resources, training, and communication policies that keep everyone in the loop, as well as documenting key details.

Clause 8: Operation

Processes are what keep everyone on the same page with effective information security risk management. Design processes that promote a security-first mindset and be sure to take control of the implementation of these processes. Unintended changes will need to be evaluated to mitigate adverse effects, as necessary.

Clause 9: Performance Evaluation

You must evaluate the information security performance and effectiveness of the ISMS and determine the procedures for monitoring the ISMS. If your organization is pursuing or maintaining ISO 27001 certification, you’ll also need to perform internal audits at planned intervals, and top management will also need to review your ISMS at planned intervals to ensure its continuing effectiveness.

Clause 10: Improvement

There’s almost always room for improvement. After your evaluation, follow up by taking action and addressing any issues you uncover. Additionally, you can continue to look for opportunities to improve as your organization evolves.

Considering Annex A: Reference Control Objectives and Controls

Annex A provides organizations with a list of controls that need to be evaluated to determine if they are necessary for mitigating risk. They aren’t mandatory. However, you are required to determine if all necessary Annex A controls have been considered and necessary ones haven’t been omitted.

Getting Started

If you’re not sure where to start for ISO 27001 certification, here’s a basic outline to help guide you through. 

Define Your ISMS Scope 

One of the most important steps in becoming ISO 27001 certified is defining the scope of your ISMS. Your scope should cover the systems, processes, locations, services, applications, departments, people, data, and other elements that make up the components of your ISMS.

Perform a Risk Assessment

To ensure your ISMS addresses threats appropriately and conforms with ISO 27001, you’ll need to perform a risk assessment. A risk assessment will help you identify the necessary controls to mitigate applicable risk. For risks that require mitigation strategies, you will need to create risk treatment plans.

Complete Your Statement of Applicability

As mentioned above, your SoA should state which Annex A controls were determined to be necessary to treat the risks outlined in your risk assessment, and give justification for any Annex A controls that were excluded.

Document Your Information Security Policies

The policies you implement will become the foundation of your information security strategy and should be defined, approved, published, and communicated with the broader organization. Your policy should be relevant to your organization, clarify your information security objectives, show a commitment to satisfy ISO 27001 requirements and the included Annex A controls, and ensure continuous improvement of the ISMS.

Operationalize Your ISMS 

Operationalize your ISMS by implementing processes to meet Clauses 6, 7, 8, 9 and 10. These clauses cover planning, risk assessment, document control, procedure implementation, monitoring, and how your strategy and policies will remain current with updates and improvements. 

Ensure your strategy and policies are synced with tactical activities that prove your ISMS is operational and repeatable—meaning you’re able to assess risks, execute control processes, track metrics, and identify and implement corrective actions. 

Perform an Internal Audit

An internal audit is required to be completed as a means of independently monitoring your ISMS. The internal audit will help you find any nonconformities, determine the effectiveness of your ISMS, and discover any potential opportunities for improvement.

Implement Corrective Actions From Internal Audit

From the findings in your internal audit, implement corrective actions for any nonconformities. Your plan should include: 

  • The nonconformity identified. 

  • How you intend to correct, control, and deal with the consequences of the nonconformity.

  • The root cause of the nonconformity.

  • The effectiveness of your correction. 

Review Your ISMS

It’s required for senior-level management to continuously review the ISMS to ensure its effectiveness and that it meets your organization’s objectives. 

Schedule recurring review meetings that go over: 

  • Internal or external changes that impact the ISMS. 

  • Status updates on past ISMS reviews.

  • Feedback from internal audits, risk assessments, and interested parties.

  • Any updates or improvements. 

Be sure to document the results and actions from your reviews.  

Engage an Accredited Certification Body

Once you’re ready to go for ISO 27001 certification, you’ll need to choose an accredited certification body to perform the audit—Stage 1 and Stage 2 audits. A Stage 1 audit primarily reviews your documentation and determines your readiness for Stage 2. Stage 2 is a full review of your ISMS to ensure conformance with the requirements, that applicable controls are implemented and effective, and that you meet your internal policies and procedures. 

Implement Corrective Actions From Identified Nonconformities

Findings in your audit may create an opportunity to improve your information security strategy. If your auditor identified any nonconformities, be sure to implement corrective actions and track their effectiveness.  

Ready to put ISO 27001 on autopilot? Build trust faster while eliminating the hundreds of hours of manual work that would typically go into ISO 27001 certification—book a demo today.


Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
