ISO 27001, the international standard for information security, is not like any others; but in many ways, it is the same.
With technology permeating every part of our lives, organisations from all industries are looking to manage their information security risks and demonstrate compliance to a recognised standard.
Does ISO 27001 Certification mean our Products/Services are secure?
ISO 27001 is a management system standard, not a product standard. This means it provides a framework for you to manage risks, incidents and other governance issues, but it does not guarantee security.
What is Annex A of ISO 27001?
Unlike other standards, ISO 27001 has an additional Annex A which forms part of the management system, not just for guidance. It provides 114 controls and control objectives you can apply.
Do I need to apply every control in Annex A?
No, you’ll need go through each control and justify its inclusion or exclusion in a document called the Statement of Applicability (SoA). You’ll need to include all relevant controls to meeting your intended outcome.
Do I need to include all areas of my organisation?
No, but many people find excluding parts of their organisation is actually more complicated, as it creates third-party areas of the system which would need controlling.
One common exclusion is satellite sales offices, where staff can be considered mobile workers and therefore still covered by the ISO 27001 system.
I already have Cyber Essentials, are we nearly ISO 27001 Compliant?
Cyber essentials are a good start with IT security, however, it does not address the management framework required to manage risks and achieve continual improvement.
Can we use any of our other ISOs to help the ISO 27001 Journey?
ISO 27001 follows the same high-level structure as most other modern management system standards, so there are several common areas that can be integrated.
Will I need to invest in lots of security technology?
No, ISO 27001 was one of the first to take a risk-based approach, and therefore your investment can be focused on areas of high risk and generating the best improvements for the organisation.
Do I need to Pen Test my network to be compliant?
Surprising No, pen tests are not a mandatory part of the standard but they do help you to address several of the controls, so you should consider one; especially if you develop or operate a public facing web application.
We don’t handle personal information, is ISO 27001 still for me?
Yes! ISO 27001 addresses all the information in your business in all forms.