Standard guide

ISO 27001: the information security standard

ISO 27001 is the international standard for an information security management system (ISMS). This guide covers the ISO 27000 family, what ISO 27001 certification involves, and how to approach ISO 27001 implementation.

The basics

What is ISO 27001?

ISO 27001 implementation, step by step

ISO 27001 implementation means defining scope, running a risk assessment, selecting Annex A controls and producing a Statement of Applicability — the evidence base an auditor reviews for certification.

A management system

ISO 27001 defines the requirements for an ISMS — a risk-based system for managing information security across people, process and technology.

The ISO 27000 family

ISO 27001 sits within the wider ISO 27000 family, with ISO 27002 providing control guidance and ISO 27701 extending the ISMS to privacy.

Certification

ISO 27001 certification is awarded by an accredited body after an audit, and is increasingly demanded by customers and regulators alike.

The road to ISO 27001 certification

Scope and context

Define ISMS boundaries and interested parties.

Risk assessment

Identify, analyse and treat information security risk.

Statement of Applicability

Justify which Annex A controls apply.

Audit

Stage 1 and Stage 2 audits lead to ISO 27001 certification.

Where to next

Tool and train

Compare open-source GRC tooling, and read the GDPR and NIS2 guides.

GRC tooling

Keep your SoA and control evidence audit-ready.

Privacy

ISO 27701 and GDPR extend the ISMS to personal data.

NIS2

An ISO 27001 ISMS is a strong basis for NIS2 measures.

ISO 27001 FAQs

What is ISO 27001?

The international standard specifying the requirements for an information security management system (ISMS).

What is ISO 27001 certification?

Independent confirmation by an accredited certification body that your ISMS meets the ISO 27001 requirements.

How does ISO 27701 relate?

ISO 27701 extends an ISO 27001 ISMS with privacy information management, aligning it with obligations like GDPR.

Move toward ISO 27001 certification.

Build the ISMS in a hands-on workshop and tool it with open-source GRC.