
Consultancy with broad horizons


ISO 27001 is one of a number of Management System Standards published by the International Organization for Standardization (ISO). It is published jointly with the International Electrotechnical Commission (IEC), which is why its full designation is ISO/IEC 27001.

Other well-known Management System Standards are ISO 9001 for Quality Management, ISO 14001 for Environmental Management and ISO/IEC 20000 for IT Service Management.

ISO owns these standards but does not itself certify organisations against them; compliance is assessed and certified by accredited certification bodies such as BSI (British Standards Institution) and LRQA (Lloyd's Register Quality Assurance). Following initial certification, regular CAVs (Continuing Assessment Visits, also called surveillance audits) are carried out to confirm ongoing compliance; these are typically undertaken annually, with a full recertification audit at the end of each three-year certificate cycle.

ISO 27001 is the standard for Information Security Management in a business or other organisation. The emphasis is on how Information Security is managed in the organisation: the standard itself does not specify where firewalls should be installed in the network or how they should be configured. Instead it requires that appropriate policies are in place to ensure IT systems are designed securely, that only authorised staff members make changes to those systems, that there is a defined process which is followed when making changes, and that there is evidence the process was actually followed.

Information Security applies to Information Assets in the broadest sense of the term, from technical assets such as servers, laptops and routers, through to soft assets including paper documents, staff, and brand identity. A Risk Assessment is undertaken to determine how badly the loss of Confidentiality, Integrity or Availability (CIA) of any Information Asset would impact the business, its employees, customers or suppliers, and how likely such a loss is. The information provided by the Risk Assessment defines what measures or controls need to be implemented in order to protect each of the assets and, consequently, the business. They could be technical controls, such as installing a standby generator, or policy-based controls, such as introducing a staff screening policy.

All the Policies and Processes that describe how Information Security is managed in the organisation along with Reports, Records, Forms and Logs, collectively form the Information Security Management System or ISMS.


Another expectation within the Management Standards is that the organisation will not stand still once it has achieved compliance but that there will be Continual Improvement. After all, what's the point in investing time, effort and money to achieve compliance and then not reaping the rewards and just letting it wither on the vine?

The Plan, Do, Check, Act (PDCA) model is often used when referring to Continual Improvement in Management Standards. For example, the Risk Assessment mentioned earlier is part of the Plan phase; Do is implementing the controls; internal audits and the CAV are all Checks, which in turn identify what corrective Actions need to be instigated.