Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

How Does ISO27001 Benefit your Cyber Security Strategy?

October is Cyber Security Awareness Month across the globe, so we’ll be publishing a series of blogs to help organizations improve their cyber security strategy and increase awareness of common cyber security issues.

Based on recent events, the cyber-world is not getting any safer, and an organization operating online today faces threats from a wide variety of sources, with new ones joining the fray on a regular basis. So if you have a role such as Chief Information Security Officer (CISO) then you have what we can comfortably call a challenge.

There are many different ways in which information security can be approached, and much of the battle can be to get senior management to really understand the high-level direction that your company is taking. In order to make it easier to grasp, most organizations define what they term their “cyber security strategy” and brief the board on what this means.

ISO27001 Cyber Security padlock image

What are the choices for a strategy?

If you’ve reached the point where everyone is agreed that a strategy is needed, but no one really knows what it should be, then it can often help to base it around one of a number of frameworks that exist within the industry at the moment, rather than making it up yourself.

Based partly on which country you are based in and the industry you operate within, the choices are fairly wide, but it’s certainly not an endless list. The main suspects are usually:

  • The ISO/IEC 27001 international standard for information security
  • Cyber Essentials (a UK government-backed scheme)
  • NIST Special Publication 800-53 (a framework of controls published by the US National Institute of Standards and Technology – NIST)
  • NIST Cyber Security Framework (US only)
  • SOC2 – an audit standard often used for data centres
  • CIS Controls framework – a set of safeguards, now at V8
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • COBIT – a well-known framework from ISACA
  • National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) (UK only)
  • PCI DSS – required if credit card information is processed

This can be a difficult choice. Let’s explore why the first on the list, the ISO/IEC 27001 standard, is a good option to go for.

What is ISO27001?

ISO27001 is a standard published by the ISO (International Organization for Standardisation). The current version was published in October 2022, runs to nineteen pages and comes in basically two parts:

  1. The management system
  2. The Annex A controls

The management system consists of a set of requirements grouped into seven main clauses, 4 to 10 (0 to 3 are basically intro):

  1. Context of the organization
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance evaluation
  7. Improvement

If you do everything it says, then you will be creating an information security management system (ISMS) which sets clear objectives, assesses risk, has defined roles and responsibilities, documents things well and measures its own success, to name but a few aspects. This means you start to treat information security as an ongoing process, rather than a one-off exercise.

The Annex A controls are a set of 93 good ideas to secure your organization, not just from a technical viewpoint, but also from a physical, organizational and people viewpoint too.

So let’s talk about why ISO27001 is a sensible choice to base your strategy around.

Why choose ISO27001?

It’s international

Some of the alternatives on the previous list are UK or US-only, and each country will have its own equivalents. The advantage of ISO27001 is that it is internationally recognised around the world so it has credibility not just in your home country, but in those of your international customers also.

It provides a great framework for improvement

You’ll never get your cyber security completely right first time, and the threats change rapidly anyway, so you need to be continually reviewing and improving your defences or they will soon be out of date. ISO27001 has what is basically an improvement engine that makes you strive to be better week in, week out.

There’s a useful list of controls to choose from

Annex A of the ISO27001 standard is a goldmine of best practice ideas to improve your information security. If you combine it with the more detailed guidance in ISO27002 then you have a well-rounded approach to building your defences. And the risk-based aspect of ISO27001 means that you only implement the controls that make sense for your organization.

Certification keeps the focus up

You can become externally certified to ISO27001 which means that a third party validates that you have implemented your ISMS properly, and other people can trust that this is the case. Annual audits are a strong incentive to keep the focus on your management system and your controls so that you never let your guard down.

It gives you credibility

The ISO27001 standard has a good reputation internationally and is generally accepted as an indication that your organization takes information security seriously and has a strong approach in place. This can save a lot of time when answering questions for tenders, as certification many boxes automatically.

It emphasises a risk-based approach

Many of the alternative frameworks are simply a set of controls that can be implemented; ISO27001 emphasises the need to assess your organization’s risk and only put in place those controls that make sense for your organization, so saving time and money and maximising benefit.

In summary

These are just some of the reasons why basing your cyber security strategy around ISO27001 is a great idea. Of course, the other frameworks can add significant value too and it’s not uncommon for an organization to use two or more to guide them, for example ISO27001 and PCI DSS. The key thing is to establish a structure for your strategy; one which meets your compliance goals, but also helps your senior management team understand what’s going on.

 

Note, this blog has been updated in November 22 to reflect the new 2022 standard. 


More ISO27001 resources

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

I really love the introductions and guidance in each document. This makes it so easy to use for my team and the uninitiated to quality management.

Chauncery Ventures
UK

View all Testimonials