What is ISO/IEC 27001?
ISO 27001 (also known as ISO/IEC 27001) is an internationally recognized standard published by the
International Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC).
It provides a set of best practices for establishing, implementing, maintaining, and continually improving
an organization's information security management system (ISMS). It is based on the Plan-Do-Check-Act
(PDCA) cycle and includes a set of controls covering various aspects of information security, including
confidentiality, integrity, and availability. Many organizations choose to adopt the ISO 27001 framework
in order to demonstrate their commitment to information security and to provide assurance to
customers, partners, and regulatory bodies that their controls are effective. The standard is applicable
to any organization, regardless of its size, type, or nature of business.
ISO 27001 is the only certified standard, not the ISO 27002.
How does ISO 27001 work?
By performing a risk assessment, you can determine what needs to happen to prevent such problems
(i.e., risk mitigation or risk treatment) and then treating them through the implementation of security
controls.
Why is ISO 27001 important?
The standard provides companies with the necessary information for protecting their most valuable
information. Individuals can get ISO 27001-certified by attending a course, passing the exam, and
proving their skills. ISO 27001 is easily recognized worldwide, increasing business opportunities for
organizations and professionals.
When should you use each standard?
ISO 27001 and ISO 27002 have different goals. If you’re starting with the standard or planning your ISMS
implementation framework, then ISO 27001 is ideal. You should then refer to ISO 27002 once you’ve
identified the controls, you’ll be implementing to learn more about how each one works.
Is ISO 27001 mandatory?
In most countries, the implementation of ISO 27001 is not mandatory, but some countries have
published regulations that require some industries to implement ISO 27001. To determine whether ISO
27001 is mandatory for your company, you should look for expert legal advice in your country of
operation.
Is ISO 27001 a legal requirement?
Public and private organizations can define compliance with ISO 27001 as a legal requirement in their
contracts and service agreements. Countries can determine laws or regulations of ISO 27001 as a legal
requirement to be fulfilled by the organizations operating in their territory.
How will the new ISO 27002:2022 affect ISO 27001?
The changes to the control set published in ISO 27002:2022 will be reflected in Annex A of ISO
27001:2022. Organizations implementing ISO 27001 or managing an existing ISMS must reflect the
changes to the control set in their management framework. You won’t need to make changes
immediately, as there will be a transition period.
Pro of the ISO 27001:
1. International recognition: The ISO 27001 framework is recognized and respected around the
world, which can be beneficial for organizations that operate globally or that want to attract
international customers and partners.
2. Comprehensive coverage: The ISO 27001 framework covers a wide range of controls related to
information security, including confidentiality, integrity, and availability. This can help
organizations identify and address potential vulnerabilities in their systems and processes.
3. Continuous improvement: The Plan-Do-Check-Act (PDCA) cycle at the heart of the ISO 27001
framework encourages organizations to regularly review and improve their controls, which can
help them stay ahead of emerging threats and maintain the effectiveness of their ISMS over
time.
4. Establishes a strong foundation for information security: The ISO 27001 framework provides a
comprehensive set of controls that cover all aspects of information security, from risk
assessment and management to access controls and incident response. This helps organizations
establish a strong foundation for their information security efforts.
5. Improves security posture: By implementing the controls in the ISO 27001 framework,
organizations can significantly improve their security posture and reduce the risk of data
breaches, cyber attacks, and other security incidents.
6. Demonstrates commitment to information security: Adopting the ISO 27001 framework
demonstrates to customers, partners, and regulatory bodies that an organization is committed
to information security and has taken the necessary steps to protect sensitive information.
7. Improves efficiency: Implementing the controls in the ISO 27001 framework can help
organizations streamline their security processes and improve efficiency by eliminating
duplication and inefficiencies.
Cons of the ISO 27001:
1. Cost: Adopting the ISO 27001 framework can be a time- and resource-intensive process,
especially for organizations that are starting from scratch. This can include the cost of training
personnel, conducting assessments, and implementing new controls.
2. Complexity: The ISO 27001 framework is comprehensive, which can make it complex to
understand and implement. This can be especially challenging for smaller organizations that
may have limited resources and expertise in information security.
3. Inflexibility: The ISO 27001 framework is a prescriptive standard, which means that it specifies
specific controls that organizations must implement. This can be inflexible for organizations that
have unique security requirements or that want to tailor their controls to their specific business
needs.
4. Can be time-consuming and resource-intensive: Adopting the ISO 27001 framework can be a
complex and time-consuming process, requiring the allocation of significant resources to
implement and maintain the necessary controls.
5. Requires ongoing maintenance: The ISO 27001 framework is based on the PDCA cycle, which
means that organizations must continually review and update their controls to ensure that they
are effective and aligned with the latest best practices. This requires ongoing maintenance and
resources.
Context of the organization – One prerequisite of implementing an Information Security Management
System successfully is understanding the context of the organization. External and internal issues, as
well as interested parties, need to be identified and considered. Requirements may include regulatory
issues, but they may also go far beyond. With this in mind, the organization needs to define the ISMS
scope.
Leadership – The requirements of ISO 27001 for adequate leadership are manifold. The commitment of
the top management is mandatory for a management system. Objectives need to be established
according to the strategic direction and objectives of the organization. Providing resources needed for
the ISMS, as well as supporting persons in their contribution to the ISMS, are other examples of the
obligations to meet. Furthermore, the top management needs to establish a top-level policy for
information security. The company’s ISO 27001 Information Security Policy should be documented, as
well as communicated within the organization and to interested parties. Roles and responsibilities need
to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the
performance of the ISMS.
Planning – Planning in an ISMS environment should always take into account risks and opportunities. An
information security risk assessment provides a key foundation to rely on. Accordingly, information
security objectives should be based on the risk assessment. These objectives need to be aligned with the
company`s overall objectives, and they need to be promoted within the company because they provide
the security goals to work toward for everyone within and aligned with the company. From the risk
assessment and the security objectives, a risk treatment plan is derived, based on controls as listed in
Annex A.
Support – Resources, competence of employees, awareness, and communication are key for supporting
the ISMS. Another requirement is documenting information according to ISO 27001. Information needs
to be documented, created, and updated, as well as being controlled. A suitable set of documentation,
including a communications plan, needs to be maintained in order to support the success of the ISMS.
Operation – Processes are mandatory to implement information security. These processes need to be
planned, implemented, and controlled. Risk assessment and treatment – which need to be on top
management`s minds, as we learned earlier – have to be put into action.
Performance evaluation – The requirements of the ISO 27001 standard expect monitoring,
measurement, analysis, and evaluation of the Information Security Management System. In addition to
checking key performance indicators of its work, the company needs to conduct internal audits. Finally,
at defined intervals, the top management needs to review the organization`s ISMS and ISO 27001 KPIs.
Improvement – Improvement follows the evaluation. Nonconformities need to be addressed by taking
action and eliminating their causes. Moreover, a continual improvement process should be
implemented. Even though the PDCA (Plan-Do-Check-Act) cycle is no longer explicitly mentioned in ISO
27001, it is still recommended, as it offers a solid structure and fulfills the requirements of ISO 27001.
Annex A (normative) Information security controls reference – This Annex provides a list of 93
safeguards (controls) that can be implemented to decrease risks and comply with security requirements
from interested parties. The controls that are to be implemented must be marked as applicable in the
Statement of Applicability.
What is ISO 27002?
ISO 27002 is a supplementary standard focusing on information security controls. It is intended to be
used in conjunction with ISO 27001 which specifies the requirements for a protected ISMS. The standard
explains how each control works, its objective, and how you can implement it.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the standard for international information security management, and ISO 27002 is a
supporting standard that guides how the information security controls can be implemented. Whereas
ISO 27001 only provides a brief description of each control in one or two sentences, ISO 27002 gives
more detailed guidance, dedicating an average of one page per control.
ISO 27002:2013
In the 2013 release, there were are 114 ISO 27001 Annex A controls divided into 14 categories:
1. Information Security Policies (2 controls) – It aims to provide direction and support to the
management to implement information security. It helps organizations to formulate their
information security policy based on the needs and requirements of the organization.
2. Organization of Information Security (7 Controls) – This annex has seven controls divided into two
sections which are Internal Organization and Mobile Device and Teleworking.
2.1. Internal organization: It assigns roles and responsibilities to initiate and control the
implementation of the Security management system. It aims to establish an efficient
management framework to implement and maintain Information security practices.
2.2. Mobile Device and Teleworking: It addresses the issues associated with remote working and the
risk related to the use of mobile devices. It provides training and complies with regulations to
access, process and store information remotely.
3. Human Resources Security (6 controls) – These controls are divided into three sections. These are:
3.1. Pre-employment requirements– A contractor needs to do appropriate background verification
and state responsibilities in the employment contract to ensure information safety.
3.2. Responsibilities during employment– It requires an organization to provide training to
implement a disciplinary process to protect information security. Candidates need to be aware
of their job responsibilities and update themselves.
3.3. Termination and change of employment– It ensures to protect organization’s interest when
candidates change or leave the organization.
4. Asset Management (10 Controls) – These ten controls are grouped into three domains.
4.1. Identification of Information Assets– It requires implementing an asset inventory, including its
designated asset owners. The organization must implement and document controls associated
with acceptable use.
4.2. Information Classification– An organization must classify its information and assets accordingly
and ensure adequate security measures.
4.3. Media Handling– It prevents the unauthorized access, disclosure or destruction of information.
5. Access Control (14 controls) – Access control is divided into four sections.
5.1. Requirements of access control– It requires limiting access to information and information
processing by implementing an access control policy.
6.
7.
8.
9.
10.
11.
12.
13.
5.2. User access management– It aims to provide physical and virtual authorization to access the
system and prevent unauthorized access to the employees.
5.3. System and application access control– It prevents unauthorized access to the system and
application.
5.4. User Responsibility– It makes users responsible for safeguarding their information, such as PINs,
passwords and other confidential information.
Cryptography (2 controls) – It enables an organization to use cryptographic controls for proper data
encryption to protect the confidentiality, authenticity and integrity of data.
Physical and Environmental Security (15 controls) – The 15 controls under this control are divided
into two domains.
7.1. Prevents unauthorized access- It aims to protect against any disruption and interference that
might occur to physical facilities. It protects against unauthorized access to an organization’s
information and facilities.
7.2. Prevent loss- It prevents loss, damage and theft of information and asset.
Operational Security (14 controls) – Operational security control is divided into seven sections. It
aims to establish adequate information processing facilities to ensure correct business operations. It
monitors requirements for data backup and integrity of operational software and protects from
malware and vulnerabilities to address them accordingly.
Communications Security (7 controls) – It is divided into two sections.
9.1. Network security management– It protects the three main principles of Information Security
Management, such as Confidentiality, Availability and Integrity.
9.2. Information transfer– It requires an organization to adopt transfer policy, procedures and
controls while transferring data to third-party, organizations and customers.
System Acquisitions, Development and Maintenance (13 controls) – It ensures that security
remains an integral part of the information system and requires updating the existing information
system to improve business operations.
Supplier Relationships (5 controls) – It contains five controls divided into two groups and aims to
improve the interaction between an organization and a third party.
11.1.
Information security in supplier relationships– It aims to protect the valuable assets and
information that can be accessed by suppliers to mitigate risks.
11.2.
Supplier service development management– It requires maintaining the level of
information security and service delivery mentioned in the agreement.
Information Security Incident Management (7 controls) – It ensures information security events
and weaknesses related to information security are communicated in a way that renders time to
take corrective actions.
Information Security Aspects of Business Continuity Management (4 controls) – Business
continuity Management is divided into two groups.
13.1.
Information security continuity– It embeds information security continuity in the
organization’s continuity management systems. It avoids cyber-attacks and data breaches.
13.2.
Redundancies– It ensures availability of information processing facilities and information
security business processes without disruptions even during incidents and crisis.
14. Compliance (8 controls) – It provides a holistic approach to the organization and avoids noncompliance with laws, regulations, statute and any other security requirements.
What is ISO 27002:2022?
Is the newly-revised international standard providing guidance on the selection and implementation of
security controls. The revision of this standard brings a modern approach to managing security controls
with attributes. It includes the introduction of themes and attributes, as well as updating the candidate
controls to reflect current information security concerns and practices.
The security controls have been categorized into four key areas, making it easier for businesses to
adopt: Organizational, People, Physical, Technological.




Organizational (37 controls): This includes policies, management, inventory, classification,
labeling, authentication, etc.
People (8 controls): This includes screening, education, training, disciplinary processes,
responsibility, confidentiality, etc.
Physical (14 controls): This includes security perimeters, offices, rooms, facilities, equipment,
storage, cabling, monitoring, protection against environmental threats, and more.
Technological (34 controls): This includes information access, secure authentication, malware
protection, data masking, network security, etc.
The last major change is the introduction of five attributes along with their respective values.





Control types: #Preventive, #Detective and #Corrective
Information Security Properties: #Confidentiality, #Integrity and #Availability
Cybersecurity concepts: #Identify, #Protect, #Detect, etc.
Operational capabilities: #Governance, #Asset_management, #Information_protection, etc.
Security domains: #Governance_and_Ecosystem, #Protection, #Defense, etc.
5 Organizational controls (37)
Policies for information security (5.1)
A document needs to be created, containing how the organization manages information security
objectives. This document needs to be approved by management, and needs to contain both highand low-level policies. Once the policies are in place, they need to be reviewed regularly. The best
approach to this is to set a regular meeting and plan an extra meeting in between should the
situation require it. If any changes are made, management needs to give their approval. The
policies should be shared with internal and external stakeholders.
Information security roles and responsibilities (5.2)
The policy needs to define who is responsible for what asset, process, or information security risk
activity. It is important that the assignment is done clearly and for all assignments. Make sure that
the roles and responsibilities suit your organization; a small team of five probably does not need a
full time security officer.
Segregation of duties (5.3)
To prevent any misuse of company assets, the “power” to fully control a sensitive activity should
not lie with the same person. The best way to implement this is to log all activities and split
important tasks in doing and checking or approving and initiating. This prevents fraud and error,
e.g. in the case of having one person create and sign all company cheques.
Management responsibilities (5.4)
Management needs to make sure all employees and contractors are aware of and follow the
organization’s information security policy. They should lead by being an example and show that
Information Security is both useful and necessary.
Contact with authorities (5.5)
It should be clear who is responsible for contacting authorities (e.g. law enforcement, regulatory
bodies, supervisory authorities), which authorities should be contacted (e.g. which region/country),
and in what cases this needs to happen. A quick and adequate response to incidents can greatly
decrease the impact, and may even be mandatory by law.
Contact with special interest groups (5.6)
To make sure that the latest information security trends and best practices are kept up with, good
contact with special interest groups should be maintained by personnel with ISMS tasks. Such
groups can be asked for expert advice in certain cases, and be a great source for improving one’s
own knowledge. Examples of such groups are the PVIB, NGFG, IAPP, and our own LinkedIn
group Information Security NL.
Threat intelligence (5.7)
Reacting to threats does little to prevent their first materialized occurrence. By collecting and
analyzing information about threats to your organization, you have a better idea of which
protection mechanisms need to be put in place to protect against the threats that are relevant
to your organization. Computer chip manufacturers need to prepare for targeted IP-theft attacks by
state actors, but for a small SaaS-provider, automated phishing mails are a greater threat.
Information security in project management (5.8)
To assure a successful organization wide ISMS implementation, information security should be
considered and documented in all projects in the form of requirements. These requirements can
stem from business, legal, and compliance with other standards or regulations. If you have project
management handbooks or templates, an information security chapter should be included.
Inventory of information and other associated assets (5.9)
The organization should have identified of all information- and information processing assets. All
the assets must be drawn up in an inventory, which should be properly maintained. Knowing what
assets there are, their importance, where they are, and how they are handled is essential in
identifying and predicting risks. It might even be mandatory for legal obligations or insurance
purposes.
All assets in the inventory, so of the whole company if the inventory is complete, must have an
owner. Thanks to asset ownership, assets are watched and taken care of through their whole
lifecycle. Similar assets may be grouped and the day to day supervision of an asset may be left to a
so-called custodian, but the owner remains responsible. Asset ownership must be approved by
management.
Acceptable use of information and other associated assets (5.10)
There should be well-document rules for accessing information assets. Users of the asset should be
aware of the information security requirements regarding asset use, and follow them.
For the handling of assets, procedures should be in place as well. Personnel need to understand the
labeling of assets, and know how to handle different levels of classifications. Since there is no
universal standard for classification, it is also important to have knowledge of classification levels of
other parties, since they will most likely differ from yours.
Return of assets (5.11)
When an employee or external party may no longer access an asset due to, for example, the end of
employment of agreement, they must return the asset to the organization. There should be a clear
policy for this, which has to be known by all involved. Non-tangible assets important to current
operations such as specific knowledge that is not yet documented should be documented and
returned as such.
Classification of information (5.12)
Certain information is considered to be sensitive due to e.g. monetary or legal value, and has to
remain confidential while other information is less crucial. The organization should have a policy in
place on how to handle classified information. The accountability to classify information assets lies
with its owner. To distinguish between the importance of different classified assets, it can be useful
to implement several levels of confidentiality from non-existent to severely impacting the
organization’s survivability.
Labelling of information (5.13)
Not all information falls in the same category, as discussed in 5.12 above. It is, therefore, important
to label all information in accordance to their classification. When information is handled, stored, or
exchanged it may be vital to know the classification of the object. Sadly, this can be useful to illintentioned individuals as well as a direction to interesting items. It is important to be aware of this
risk.
Information transfer (5.14)
Information is shared inside and outside the organization. There should be a protocol for all types
of information sharing, including digital documents, physical documents, video, but also by word of
mouth. Clear rules on how information can be safely shared helps lower the risk of information
contamination and leaks.
Information that is shared between the organization and external parties needs to be preceded by
an information transfer agreement. This way, the source, content, confidentiality, transfer medium,
and destination of the information transfer is known by and agreed upon by both parties.
Business communication often happens by means of electronic messaging. Organizations are
advised to have an overview of approved types of electronic messaging and should document how
these are protected and may be used.
Access control (5.15)
An access control policy should be in place to define how access is managed, and who is allowed to
access what. The rules per asset lie with the asset owners, who set up requirements, restrictions,
and rights for the access to “their” asset. Frequently used terms in an access control policy are
need-to-know and need-to-use, where the former restricts the access rights only to information an
employee needs to perform their task and the latter restricts the access rights only to information
processing facilities needed to perform the task. If you are new to access control, take a look at
our Introduction to Information Access.
Identity management (5.16)
To assign access rights to assets and networks and keep track of who actually does the accessing,
users need to be registered under an ID. When an employee leaves an organization, the ID and
access to it should be removed. When an employee only needs to be denied access, the access of
the ID can be limited. Even though using another employee’s ID might be quicker and easier to
access something, this should not be allowed by management in most cases. Sharing ID’s removes
the link between an access limitation and an employee, and makes it nearly impossible to keep the
right person responsible for their actions. Assigning, altering, and ultimately deleting an identity is
often called the identity lifecycle.
Authentication information (5.17)
Secret authentication, such as passwords and access cards, must be managed in a formal process.
Other important activities that should be stated in the policy are, for example, forbidding users to
share secret authentication information, giving new users a password that has to be changed on
first use, and having all systems authenticate a user by requiring a user’s secret authentication
information (password on PC, swiping access card for doors).
If password management systems are used, they need to provide good passwords and strictly
follow the organizations secret authentication information policy. The passwords themselves
should be stored and transmitted securely by the password management system.
Access rights (5.18)
Management should have a system in place for the provisioning and revoking of access rights. It is
advised to create certain roles based on activities certain types of employees perform, and give the
same basic access rights to them. Part of having a system in place is having repercussions for
attempted unauthorized access. Employees have no need to try to access places they should not,
since access rights can easily be requested from the asset owner and/or management.
Organisations and their employees are not static. Roles change or employees leave the company,
constantly changing access needs. Asset owners should regularly review who may access their
asset, while role changing or leaving should trigger an access rights review by management. Since
privileged access rights are more sensitive, they should be reviewed more often. Once a contract or
agreement has been terminated, the access rights of the receiving party should be removed.
Information security in supplier relationships (5.19)
Since suppliers have access to certain assets, organizations need to establish a policy stating
requirements for risk mitigation. This policy needs to be communicated to suppliers and agreed
upon. Examples of such requirements are pre-determined logistic processes, an incident process
obligations for both sides, NDA’s, and documentation of the supplying process.
Addressing information security within supplier agreements (5.20)
Every supplier that in any way, directly or indirectly, comes into contact with the organization’s
information must follow the set information security requirements and agree to them. Examples
are requirements on information classification, acceptable use, and rights to audit. An easily
forgotten aspect of an agreement is what to do when the supplier cannot or will not supply
anymore. It is important to implement a clause for that.
Managing information security in the ICT supply chain (5.21)
Agreements with suppliers should also state the information security requirements and agreements
on ICT services and supply chain. Examples of included requirements are the need to be able to
follow items through the supply chain, and that a certain minimal level of security is maintained at
every level of the “chain”.
Monitoring, review and change management of supplier services (5.22)
Everyone makes mistakes, and so do suppliers. Whether the mistake happened by accident or
deliberately , the result is the same: the organization does not receive exactly what has been
agreed upon and trust may decrease. For this reason, organizations should keep an eye on
suppliers, and audit them where felt necessary. This way, an organization is aware when a supplier
does something out of the ordinary.
Just like with system changes, management needs to control any changes in supplier services. They
need to make sure that information security policies are up to date and any changes in the
provision of the service itself is managed. A small change in the provided service combined with an
outdated information security policy might result in a large new risk. Supplier-side changes can
easily occur, for example when the service is enhanced, a new app or system is supplied, or the
supplier’s policies and procedures change.
Information security for use of cloud services (5.23)
Cloud suppliers offer a service that, when in use, is more often than not a vital part of an
organisation’s infrastructure. Office documents are stored in the cloud, but many SaaS-providers
offer their product to their customers via a cloud provider such as Amazon AWS, Microsoft Azure,
or Google Cloud.
The risks surrounding this critical part of the organisation should be appropriately mitigated.
Organizations should have processes for using, managing, and leaving (exit strategy) a used cloud.
Severing ties with a cloud provider often means a new cloud provider is on the horizon, so
controlling the purchasing and onboarding onto a new cloud should not be forgotten either. Just
like any other third party software, a new cloud environment should allow you to keep your desired
level of information security, not compromise it.
Information security incident management planning and preparation (5.24)
Organizations need to create and document procedures for information security incidents, and who
is responsible for what. This way, should an information security incident occur, it can be handled
effectively and quickly. Security incident happen unexpected and can cause quite some chaos,
which can be mitigated by having a protocol that is followed by knowledgeable and trained staff.
Assessment and decision on information security events (5.25)
Organizations should have a well document assessment method for security incidents. When a
suspicious event occurs, the responsible person is to test the event against the requirements and
determine whether there was an actual information security incident. The results of this
assessment should be documented, so that they can be used for future reference.
Response to information security incidents (5.26)
This point seems straight forward, but is still important to mention and sometimes hard to do in
practice. Once an information security incident occurs, it needs to be responded to following the
set-up procedures by the appointed staff. The pre-determined actions should be taken, and the
whole process accurately documented. This helps prevent future occurrences and weed out related
security vulnerabilities.
Learning from information security incidents (5.27)
Even though incidents are unwanted, they still possess great value. The knowledge gained from
solving an incident should be used to prevent similar incidents in the future, and can help identify a
possible systematic problem. With additional controls, it is important to keep an eye on the costs; a
new control should not cost the organisation more on an annual basis than the incidents it
mitigates.
Collection of evidence (5.28)
Once an accident occurs, the cause is usually not immediately clear. When the cause is an individual
or organization, they should be disciplined based on the intention and effect. To link an incident to
a cause, evidence needs to be collected. In case of a malicious action, this evidence and the way it
was obtained might be used in legal proceedings. To prevent accidental or deliberate destruction of
evidence, there should be a clear and safe evidence identification procedure.
Information security during disruption (5.29)
Organizations should determine their requirements for information security continuity in case of a
crisis. The easiest choice is to resume standard information security activities as best as possible in
an adverse situation. Once the requirements have been determined and agreed upon in
management, procedure, plans, and controls should be put in place to resume with an acceptable
level of information security in case of a crisis.
As organizations change, the best way to respond to a crisis changes as well. An organization that,
for example, doubled in size within a years’ time will most likely benefit from a different response
than a year ago. For this reason, the information security continuity controls on a regular basis.
ICT readiness for business continuity (5.30)
During Business Continuity planning, special attention should be placed on scenarios where IT
systems fail. There should be a clear strategy how systems will be restored, who will do this, and
how long this may and will take. It should also be clear what “restoring” means in a specific
scenario, since having only the core systems running is likely enough for the first week after a
complete meltdown.
Identification of legal, statutory, regulatory and contractual requirements (5.31)
Requirements come from all places, and are there to be met. Organizations should therefore have
an overview of all information security related requirements they need to comply to, and how this
is done. Since requirements can change or get added, the requirement compliance overview needs
to be kept up to date. An example of changing requirements is when your organization expands to
a new country on a different continent. This country is likely to have different laws on privacy,
information storage, and cryptography.
Intellectual property rights (5.32)
Intellectual property (IP) rights, also a part of legal compliance, is an area that deserves special
attention. IP can be of great value, so it is important to document one’s own intellectual property
and the use of other’s intellectual property well. (Accidental) wrong use of other’s IP may result in
large lawsuits, and should be prevented at all costs.
Protection of records (5.33)
Any records, be it accounting records or audit logs, should be protected. Records are at the risk of
being lost, compromised, or accessed unauthorized. The requirements for the protection of record
might come from the organization itself or from other sources such as legislation or insurance
companies. For this, strict guidelines should be created and followed.
Privacy and protection of Personal Identifiable Information (PII) (5.34)
Depending on the country or economic space an organization is located in, different legislation on
the protection of personal data might apply. To organizations situated in the EU and/or processing
personal data of EU citizens, the General Data Protection Regulation (GDPR) applies. Organizations
need to make sure they are aware of the requirements set by such legislation, and follow it
religiously. The GDPR, for example, mandates conducting data processing agreements, keeping a
register of processing activity, and data processing transparency.
Independent review of information security (5.35)
It is impossible for organizations to objectively review their own information security system. For
this reason, organizations should have their information security audited by an independent party
on a regular basis, or when large changes occur. This keeps an organization’s view of their
information security correct and transparent. An independent party can also be a full-time internal
auditor, who has the sole task of performing the internal audits and does not have other conflicting
tasks and responsibilities.
Compliance with policies and standards for information security (5.36)
With all these security policies, standards and procedures, it is important for managers to regularly
review whether the activities and/or processes they are responsible for are fully compliant. For this
to be done correctly, they should be aware of exactly which rules and requirement they need to
comply with and check this manually or with an automatic reporting tool.
Information systems need to be regularly reviewed for compliance as well. The easiest and usually
most cost-effective way to do this is by means of automated tooling. This tooling can quickly check
all the nooks and crannies of a system and report exactly what went/could go wrong. Vulnerability
tests such as penetration tests can effectively show any weaknesses, but might actually harm the
system when done without caution.
Documented operating procedures (5.37)
Procedures for the operating of equipment should be documented and made available to those
using the equipment. From the simple procedure of computer use (from start to shut-down) to the
use of more complicated equipment there should be a guide on how to safely and correctly operate
it. Due to their importance, the procedures should be treated as formal documents, meaning that
any changes should be approved by management.
6 People controls (8)
Screening (6.1)
An information security management system needs a policy for screening all new or promoted
employees, including consultants and temporary staff. This is to ensure that employees are
competent and trustworthy. The policy needs to take into account both local legislation and
regulations and the role of the new employee to insure that screening is sufficient but not
disproportionate. Some roles within an organisation may require a higher level of screening, for
example if employees will be handling confidential information. For information security roles in
particular, screening should also include necessary competences and trustworthiness, and this
should be documented accordingly.
Terms and conditions of employment (6.2)
Before beginning work, the employee needs to be aware of the organisation’s information security
policy, including information security roles and responsibilities. This could be communicated via a
signed code of conduct or similar method. The employees’ contracts should also include the
organisation’s relevant information security policy, including a confidentiality agreement if the
employee will be have access to confidential information.
Information security awareness, education and training (6.3)
Employees need information security training when they join the organisation of change roles.
Longer serving personnel also need to have their awareness maintained with regular training and
communication. The training needs to be relevant to the role. For many staff, this will include basics
such as reminders about password security and social-engineering attacks. For technical staff or
those handling confidential material more in-depth education will be required for their specific role.
Disciplinary process (6.4)
A policy for the disciplinary process following a confirmed information security policy violation
should be in place. The disciplinary procedure should be proportionate and graduated, with actions
that depend on the severity of the incident, the intention, whether it was a repeat offence and
importantly whether the employee was adequately trained. Many recorded security incidents will
be the result of a policy violation and should to lead to disciplinary action. This is important to
remember because staff should avoid reporting security incidents through fear of disciplinary
action.
Responsibilities after termination or change of employment (6.5)
Information security responsibilities do not end when employment is changed or terminated. The
employee’s terms and conditions of employment should contain confidentiality agreements, which
require the employee to respect the confidentiality of information after they have left the
organisation. When an employee leaves, they may also leave information security roles vacant. To
maintain continuity of security, management must identify these roles so that they can be
transferred.
Confidentiality or non-disclosure agreements (6.6)
If the confidentiality of information is sufficiently high, it may need to be protected by legally
enforceable terms. In this case, confidentiality agreements can be used, setting out the information
covered, the responsibilities of all parties, the duration of the agreement and the penalties should
the agreement be broken. These protect the information from disclosure after the employee has
left the organisation for a given time period.
Remote working (6.7)
Remote working has become standard at many organisations, giving both organisations and
employees more flexibility. There are however information security implications for remote
working, which should be considered and documented. The remote working policy should outline
where and when remote working in permitted, device and equipment provision, authorised access
and what information may be accessed remotely. Of particular importance are policies governing
the use of strange networks and the risk that friends, family or strangers may overhear or see
confidential information.
Information security event reporting (6.8)
Employees sometimes encounter information security incidents during their daily work. Incidents
can instances such as include human errors, confidentiality breaches, malfunctions, suspected
malware infections and non-compliance with the IS policy or the law. The first step in identifying,
fixing and preventing incident reoccurrence is reporting. Employees therefore need a reporting
channel and to be aware of its existence.
7 Physical controls (14)
Physical security perimeter (7.1)
The first step when protecting a physical space is to define its perimeter. Sensitive or critical areas
within the perimeter can then be identified. The perimeter must be sufficiently physically secure to
protect the contents, with alarms and intruder detection systems. If necessary a monitored
reception can control access. The image at the top of this article is an example of a zone plan
showing perimeter and secure areas.
Physical entry controls (7.2)
Only authorized persons should be able to gain entry to assets and information. The level of
restrictions depends on the organizational requirements. Things to consider include personal
identification and logging who accesses the premises. A procedure should be in place for receiving
visitors to establish their identity, where they are can go and if they must be accompanied.
Deliveries also present a risk, both because delivery areas need to be secured and to prevent
delivery personnel entering restricted areas.
Securing offices, rooms and facilities (7.3)
Offices need to be secured with digital or physical keys. In general, detailed directories and maps
should not be openly accessible as these can highlight the location of sensitive assets.
Physical security monitoring (7.4)
Monitoring can deter intruders and detect intrusion. Guards, cameras and alarms all monitor
against unauthorized access. The design of any monitoring system should be considered
confidential. Regular testing is required to ensure that the system works. Camera surveillance
systems and other monitoring systems that collect personal information or may be used to track
individual may require special consideration under data protection laws. For example, camera
surveillance may require a data protection impact assessment under GDPR legislation.
Protecting against physical and environmental threats (7.5)
Natural or manmade disasters and physical attacks threaten information security and business
continuity. The level of these risks is highly dependent on location. Floods, fires and large storms
are the most likely risks, but the risk from earthquakes, civil unrest and terrorist attacks can also be
considered in risk assessments.
Working in secure areas (7.6)
The existence and purpose of secure environments should only be shared on a need-to-know basis.
They should be kept locked, with access limited to authorised persons. Generally, lone-working
should be discouraged, for both safety and for security purposes.
Clear desk and clear screen (7.7)
Sensitive information left on desks, screens, printers and whiteboards can be accessed by anyone. a
clear desk and screen policy defines how and where information can be accessed. A basic policy
includes no printed documents left unattended, either at workspaces or printers (clear desk) and
locked device screens (clear screen). More detailed policies may be required for sensitive
information, for example that information cannot be viewed on a screen in an open environment.
Equipment siting and protection (7.8)
Careful citing of equipment can minimize a host of risks: not just unauthorized access but also the
risks due to environmental factors, spilled food and drink, vandalism, and degradation due to light
or humidity. The protection required will depend on the sensitivity of the equipment.
Security of assets off-premises (7.9)
Devices, including private devices (bring-your-own-devices), still need protection when they leave
the premises. Basics include appropriate physical protection such as covers and theft prevention by
not leaving devices unattended. The organization should be aware of what devices are used off
premises, by whom, and what information is being accessed or used when off-site.
Storage media (7.10)
Information stored in any media format brings the risk of unauthorized access, and loss of
information integrity through modification or degradation, loss, destruction or removal. Media
should therefore be safely stored and eventually securely destroyed. Policies governing the
management of removable media should cover what information can be stored on removable
media, the registration and tracking of such media, how it should be safely stored to prevent
unauthorised access or degradation, and how it should be transported. When storage is no longer
required, secure destruction is necessary. This may be performed by an external party.
Supporting utilities (7.11)
Power failures can immediately compromise a business’s activities. Less obviously,
telecommunications and air conditioning will all interrupt digital activities, and failures of gas,
sewage or water supplies will prevent employees from working on-site. Inspection and alarms
systems can identify actual or potential failures. Continuity plans should identify back-up options
and emergency contact details for service providers.
Cabling security (7.12)
Information and data are transferred via cables, while computers, security systems and
environmental controls all require power, supplied by cabling. The former can be intercepted and
outages of either can compromise information security and business continuity. The degree of
security required depends on the organization, and in many cases will be managed by building
facilities providers or telecoms and utilities companies. Basic protections include using cabling
conduits or cable floor covers to prevent damage, and locked access to utility access and entry
points.
Equipment maintenance (7.13)
Equipment maintenance introduces two information security considerations: poorly maintained
equipment risks the loss of information; while equipment servicing or maintenance can expose
information to external or unauthorized parties. Regularly serviced and updated equipment is less
likely to require riskier repairs or to lead to outages. When repairs are required, care should be
taken in choosing service providers and checking their work.
Secure disposal or re-use of equipment (7.14)
Equipment that is no longer in use may still have licensed software installed or stored sensitive
data. This also applies to equipment that requires repair, and should be a consideration when
deciding whether to use external repair services. Standard delete functions may not be adequate to
remove sensitive information. Instead, specialist destruction, deletion or overwriting methods
reduce the risk of residual information remaining on the storage media. Remember to remove
physical labels or markings too!
8 Technological controls (34)
User endpoint devices (8.1)
User endpoint devices are any devices from which information can be accessed, processed or
where information can be saved. They include laptops, smartphones and PCs. A policy for user
endpoint devices should include registration, physical, password and cryptographic protection, and
responsible use. Responsible use includes controlling who has access to the device, installation of
software, regularly updating the operating system and backing device up. An organisation may
require a specific policy for bring-your-own-device to prevent disputes and the information security
risks associated.
Privileged access rights (8.2)
The allocation of privileged or admin access rights to users, software components and systems
should be done on a case-by-case basis and only as needed. This means that there needs to be a
policy in place determining when access rights can be granted and when they should expire or be
revoked. when privileged access rights are granted, the user should understand what they are for
and when they should be used. The first step is that privileged users should always be aware that
they have admin access rights. These rights should not be used for day-to-day tasks, which should
always be done with standard access accounts. Privileged access should only be used when
administrator tasks are being conducted.
Information access restriction (8.3)
Access to information and other assets should be based on business need, with access restricted to
particular users. Information should not be accessible to anonymous users to prevent untraceable
and unauthorised access. This is important to preserve the confidentiality of information, to
monitor its use, and to prevent modification and distribution.
Access to source code (8.4)
Source code needs to be kept secure to prevent unwanted changes and to keep the code
confidential. The employees role and business need determines if they have read and write access.
Limiting access to read-only for the majority of staff helps to protect the integrity of the code. For
the same reason, developers should use development tools that control activities, rather than
having direct access to the source code repository.
Secure authentication (8.5)
Secure authentication helps to guarantee that a user is who they say they are. The required
strength of authentication is dependent on the classification of the information. Usernames and
passwords provide a basic level of authentication, which can be strengthened using cryptographic
or biometric controls, smart cards or tokens, or other multifactor authentication. Login screens
should show the minimum amount of information possible to avoid providing help to unauthorised
persons. All login attempts should be logged, successful or not, so that attacks or unauthorised
usage can be identified.
Capacity management (8.6)
Capacity management covers all of human resources, office space and other facilities, not just
information processing and storage. Future requirements should be taken into account in business
and security planning, particularly if asset acquisition has a long lead time. Cloud computing often
allows flexible capacity management. In contrast, physical facilities and personnel may require
more strategic planning. Optimisation of physical and digital information storage, deletion of old
data, and optimised batch processing and applications will mean that existing capacity is more
efficiently used.
Protection against malware (8.7)
Malware detection software (e.g. virus scanners) provides some protection, but it is not the only
was to protect against malware. Protection also includes information security awareness, access
controls and change management controls to prevent malware being installed or causing problems.
As a first line of defence, malware detection software needs to be installed and updated regularly.
However, a policy to prevent unauthorised software installation, the use of suspicious websites, the
download of files from remote sources and vulnerability detection are equally as important. Finally,
the security risks can be reduced by actively planning for a malware attack. Keeping abreast of new
malware, isolating critical environments, and making business continuity plans should an attack
occur will all help maintain business continuity in the event of an attack.
Management of technical vulnerabilities (8.8)
The management of technical vulnerabilities can be divided into three categories: identification,
evaluation and action. In order to identify vulnerabilities, assets must be inventoried with details of
the supplier, version, deployment state and responsible owner. The vendor may provide
information on vulnerabilities, but the owner should identify additional resources that monitor and
release information about vulnerabilities and methods to identify vulnerabilities, such as pentesting. When a vulnerability has been identified, the risk and urgency need to be assessed, as well
as the potential risks of applying an update or patch. Updates can often be used to take action
against vulnerabilities, but may not always adequately fix the problem and can introduce new
issues. If no update is available or the update is considered inadequate, measures such as work
arounds, isolation from the network and increased monitoring may be sufficient to mitigate the
risk.
Configuration management (8.9)
Software, hardware, service and networks need to be configured to function correctly with the
security settings considered necessary to protect the organisation. The configuration should be
based on business need and known threats. As with all secure systems, privileged access should be
limited and unnecessary functions disabled. Configuration changes should follow the change
management procedure and be fully approved and documented.
Information deletion (8.10)
Information should not be kept for longer than necessary in order to reduce the information
security exposure risk, to optimise resource use and to comply with laws such as the GDPR.
Approved secure deletion software should be used to ensure permanent deletion and certified
disposal providers should be used for physical media. The deletion method used by cloud service
providers should be checked by the organisation to ensure it is adequate. Maintaining a record of
deletion is useful in the event of a data leak.
Data masking (8.11)
Only the minimum amount of data required for a task should be available in search results. In order
to achieve this, personal data should be masked (or anonymised or pseudononymised) to hide the
identity of the subjects. This may be required by laws such as the GPDR.
Data leakage prevention (8.12)
Monitoring and detecting unauthorised attempts to disclose or extract data are key to prevention.
When an attempt is detected, measures such as email quarantine or access blocks can be activated.
Other methods, such as policies and training about uploading, sharing or accessing data should be
used to address the risks of staff leaking data.
Information backup (8.13)
The organisation needs a specific policy on back-ups, which covers method, frequency and testing.
When developing the policy, the organisation should consider points such as ensuring the
completeness of back-ups and restores, the business needs of back-ups, where and how they are
stored, and how the back-up system is tested. The back-up system should be considered as part of
the business continuity plans and be adequate to meet the continuity requirements.
Redundancy of information processing facilities (8.14)
Any organisation needs a system architecture that is sufficient to satisfy the business availability
requirements. Redundancy ensures availability by having spare capacity in case of system failure,
and often requires duplicate systems such as power supplies. Adequate redundancy that can be
spun up when necessary forms an important part of business continuity planning and should be
tested regularly.
Logging (8.15)
Logging records events, generates evidence, ensures the integrity of log information, can help to
prevent against unauthorised access, identifies information security events and supports
investigations. A logging plan needs to identify what information should be logged (e.g. user ID) and
can cover events such as system access attempts, changes, transactions, or file access, amongst
other things. The logs must be protected even from privileged users so that they cannot be deleted
or changed. The logs need to be monitored and analysed to detect patterns or incidents that may
be information security incidents.
Monitoring activities (8.16)
The aim of monitoring is to detect anomalous behaviour and to identify potential information
security incidents. The monitoring system could cover network traffic, system access, logs and use
of resources. Monitoring can help to identify system failures or bottlenecks, activity associated with
malware, unauthorised access, unusual behaviour, and attacks such as denial of service attacks.
Clock synchronisation (8.17)
Clock synchronisation is important to ensure that the timing of an information security incident is
reliably recorded. On-premises systems should use a network time protocol (NTP) to ensure
synchronisation. Cloud service providers generally handle timing for logging. However, on-premises
clocks may not be perfectly synchronised with the Cloud provider’s clock. In this case, the
difference should be recorded and monitored.
Use of privileged utility programs (8.18)
A utility program may be capable of overriding system and application controls. The usage of and
access to utility programs should therefore be tightly restricted, with unique user identification and
logging of usage.
Installation of software on operational systems (8.19)
Software installation can introduce vulnerabilities in operating systems. To minimise this risk,
software should only be installed by authorised persons. The software should be from trusted and
well maintained sources or fully tested if developed internally. Previous versions should be kept
and all changes logged so that roll-back is possible if required.
Network controls (8.20)
Networks must be secure enough to protect the information passing over them. To keep them
secure, they need to be kept up to date and monitored, with the option to limit both connections
to authenticated devices and what traffic can pass over the network. A method to isolate the
network may be useful should the network come under attack.
Security of network services (8.21)
Network security services cover everything from the provision of a simple connection and
bandwidth, to complex services such as firewalls and intrusion detection systems. The level of
security required will depend on business need. When the required security is identified it needs to
be implemented and monitored. This is often done by third party network service providers. Access
authorisation procedures and access means such as VPNs should be considered when setting up
network security services.
Web filtering (8.22)
Not every website on the internet is innocent. Some contain illegal information and others
distribute malware. Blocking the IP addresses of suspicious websites can reduce the risks. However,
not every malicious website can be blocked, so filtering must be accompanied by rules and
awareness training on appropriate and responsible internet use.
Segregation in networks (8.23)
Large networks can be split into several domains. This means that different security levels can be
applied to each domain, with limited access to different parts of the business network. The
networks can be fully physically separated or digitally separated using logic networks. Wireless
networks do not have physical boundaries and should therefore be considered as external
connections until a gateway such as a VPN has been passed when sensitive data is being accessed.
Use of cryptography (8.24)
The use of cryptography needs to carefully managed, with consideration of the required level of
protection, key management, encryption of endpoint devices and how cryptography might impact
content inspection (e.g.malware scanning). Key management requires a process generating,
storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.
Secure development lifecycle (8.25)
Secure development covers the construction of services, architecture, software and systems. A key
aspect is the separation of development, test (approval) and production environments with secure
repositories for source code. Security should be a consideration right from the specification and
design phase, with checkpoints built into the project plan and planned testing. The developers must
also be aware of secure coding guidelines and be able to prevent, find and fix vulnerabilities.
Application security requirements (8.26)
Organisations need to identify and specify the security requirements for applications, then
determine them using a risk assessment. The requirements are determined by the security
classification level of the information passing through the application. Requirements can include
access controls, protection level, encryption, input and output controls, logging, error message
handling, resilience against attack and legal requirements. Security requires particular
consideration if the application performs transactions of information or orders and payments.
Secure system architecture and engineering principles (8.27)
Architectural and engineering principles ensure that systems are designed, implemented and
operated securely throughout their development lifecycle. Secure system principles analyse what
security controls are needed and how they should be applied. Good practice, practical
considerations about the cost and complexity and how new features can be integrated into existing
systems should also be taken into account.
Secure coding (8.28)
Practising secure coding helps to ensure that code is written to minimise vulnerabilities. Secure
coding principles can be used to promote best practice and set minimum standards in the
organisation. These should take into account current real-world threats, the use of controlled
environments for development and ensuring the competence of developers. Secure coding should
also include management of updates and maintenance, particularly checking who is responsible for
maintaining codes from external sources.
Security testing in development and acceptance (8.29)
Security testing should be an integral part of development testing. This includes testing of secure
configuration of operating systems (e.g. firewalls), secure coding and security functions (such as
access). The tests need to be scheduled, documented and have criteria to determine acceptable
results.
Outsourced development (8.30)
When development is outsourced, information security requirements need to be communicated to
and agreed by the outsourced developer and monitored by the outsourcing organisation. Licensing
and intellectual property ownership, testing and evidence of testing, and contractual rights to audit
the development process are examples of security considerations that should be agreed between
the parties.
Separation of development, test and production environments (8.31)
Testing and development activities can cause unwanted changes or system failure, which could
compromise the production environment if it is not adequately protected. The degree of separation
between testing and production will depend on the organisation, but environments need to be
separated and clearly labelled, so that testing or actions such as compiling cannot take place in the
production environment. Changes should be monitored, with careful control over who has access
to each environment. No one should have the ability to make changes to both the testing and
production environment without prior review and approval.
Change management (8.32)
The confidentiality, availability and integrity of information can all be compromised when
introducing infrastructure or software or making major changes to an existing one. A formal
process of documentation, testing, quality control and implementation can reduce the risks.
Documentation of testing and contingency planning are important in the run-up to implementation,
particularly to ensure that new software does not negatively impact the production environment.
Operating guides and procedures may need to be altered after the changes have been made.
Test information (8.33)
There are two key considerations for test information: it should be close enough to operational
information to ensure the test results are reliable, but it should not contain any confidential
operational information. If sensitive information must be used for testing, it should be protected,
modified or anonymised before being used, and should be deleted immediately after testing.
Protection of information systems during audit and testing (8.34)
The operational systems should not be unduly affected by audits or technical reviews. To prevent
excessive disturbance, the audits should be planned with agreed timing and scope. Read-only
access will prevent accidental changes to systems during an audit, and all access should be
monitored.
What is NIST 800-53
NIST 800-53 is a publication of the National Institute of Standards and Technology (NIST) in the United
States. It is a catalog of security and privacy controls that provides guidance for federal agencies and
organizations that handle sensitive information.
What is the difference between iso 27002 and NIST 800-53?
While both standards provide guidance on information security and privacy controls, ISO 27002 is more
high-level and flexible, while NIST 800-53 is more prescriptive and specific to the US federal
government.




Scope: ISO 27002 is a global standard that provides general guidance and best practices for
information security management, while NIST 800-53 is a US federal government standard that
provides specific guidance and controls for federal agencies and organizations that handle
sensitive information.
Approach: ISO 27002 is a more high-level standard that focuses on the development and
implementation of an effective ISMS, while NIST 800-53 is a more detailed standard that
provides specific controls and guidelines for protecting information and information systems.
Structure: ISO 27002:2013 is organized into 14 categories of controls, while NIST 800-53 is
organized into 18 control families. Additionally, the controls in NIST 800-53 are more
prescriptive and include specific requirements for implementation, while the controls in ISO
27002 are more general and leave more flexibility for organizations to determine how to
implement them.
Applicability: While both standards are widely used and recognized, NIST 800-53 is primarily
used by US federal agencies and organizations that work with the federal government, while ISO
27002 is used by a more global audience.
What is Cyber Essentials?
Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect
themselves against common cyber threats. Cyber Essentials certification covers a basic level of IT
security, which is estimated to reduce the risk of most cyber attacks by 80%. The scheme was
introduced by The National Cyber Security Centre in 2014.
The Cyber Essentials scheme is mandatory for businesses and suppliers looking to bid for certain
government contracts and all Ministry of Defence contracts. It’s also increasingly becoming expected
when becoming involved with other supply chains and organisations.
The scheme is set around 5 technical controls which need to meet a certain standard to pass. These
include: Malware Protection, Boundary Firewalls and Internet Gateways, Patch Management, and
Access Control.
There are two levels of certification - Cyber Essentials Basic is based on a self assessment questionnaire,
which is then reviewed by IASME (The Information Assurance for Small and Medium Enterprises
Consortium). On the other hand, with Cyber Essentials Plus, your systems are scanned and audited by a
third party to assess whether they comply with the standards.
Businesses should renew their Cyber Essentials certification every year to ensure they still meet the
standard.
What’s the difference?
While Cyber Essentials is a UK Government program, ISO 27001 is an international standard. There are
British industries and organisations, particularly related to the government, which require the partners
and agents they work with to be CE compliant. Internationally, some countries have chosen to make ISO
27001 a legal necessity in some industries.
ISO 27001 is more comprehensive, covering more areas of a business which may leave companies
vulnerable. It covers all information security and accessibility, instead of specifically having an IT focus.
This means it takes significantly more time to build towards than Cyber Essentials.
Even when no changes are requested by the auditor, it takes an average of a year for most companies
to gain ISO compliance. However, the scheme also comes with some flexibility as it doesn’t have specific
control requirements for compliance.
Cyber Essentials certification is comparably much quicker to achieve and laser focused on cyber security
specifically. Most businesses can receive their certificate within a month of starting pre-work for
compliance. There’s also a fast track option which can help things to move even more quickly. Within
the UK, some industries prefer it over ISO 27001 and customers choosing where to take their business
may be more familiar with it.
The certification process is also different. You can qualify for basic Cyber Essentials compliance through
a self-assessment. For the advanced version, your systems will also be scanned and assessed by a secure
third party.
In contrast, to qualify for an ISO 27001 certificate, your company will need to undergo an in-depth audit
of your documents and procedures. This can cost upwards of thousands of euros, depending on your
business size.
There is a perception that Cyber Essentials is more directed at small and medium businesses. You can
gain certification for as little as £300 per year (depending on the size of your company) and the
standards are achievable for businesses of this size while also giving them significant protection from
cyber attacks.
In short, Cyber Essentials covers what you need to create a solid foundation of cyber security practices
in UK businesses. ISO 27001 is bigger in scale and scope, but also in price and the amount of time
investment needed.