
ISO 27001: The facts

A global benchmark in effective data and information security.

Did you know? 98% say ISO 27001 improves security (ISO 27001 Global Report).

With increasing regulatory pressure to reduce data breach risks, stemming from new legislation such as the General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive), ISO 27001 can offer assurance and peace of mind that you are following international best practice for information security.

ISO/IEC 27001:2013 (ISO 27001) enables your business to thrive despite continued pressure from your clients, the board and stakeholders to reduce data breach risks.

ISO 27001 is the third fastest-growing management standard in the world, with certifications growing more than 450% in the past ten years.

Protect • Comply • Thrive


A brief introduction to ISO 27001
ISO 27001 is a global management system standard that provides the specification for establishing, implementing,
maintaining and continually improving an information security management system (ISMS). It enables you to protect
the confidentiality, integrity and availability of your information.

An ISMS is a systematic approach to managing data in a secure way and includes people, processes and
technology.

Organisations that adopt ISO 27001 can be certified by an independent audit body, thereby presenting evidence
to clients and stakeholders that they comply with international information security management best practice.

The key benefits of achieving ISO 27001 compliance


ISO/IEC 27001 provides a robust approach to help you manage information security and reduce your risk of a data
breach.

Through its comprehensive approach to information security, ISO 27001 presents a practical and effective method
of supporting demonstrable compliance with a range of data protection and cyber security laws and regulations,
including the GDPR, the NYDFS Cybersecurity Requirements for Financial Services Companies and the NIS Directive.
Note that certification evidences a managed security programme; it does not by itself constitute compliance with
any of these laws.

Other benefits

• Adopt international best practice in information security management.

• Avoid penalties and losses due to data breaches.

• Access new business opportunities and qualify for tenders where certification is a prerequisite.

• Improve your corporate reputation.

• Build staff awareness of information security.

• Get a competitive advantage.

• Safeguard your valuable data and intellectual property.

• Retain your existing customer base.

• Satisfy stakeholder, shareholder and audit requirements.
How does an ISO 27001-conformant ISMS work?
Not just electronic data

An ISMS helps to protect an organisation's information in all its various forms, including:

• Data held in mobile devices, computers and other electronic systems;

• Hard copies of information (e.g. printed supplier contracts, employee information stored in cabinets
or organisational strategies); and

• Intellectual property, company secrets and customer contact details.

ISO 27001 helps you identify and manage risks


The risk assessment forms the basis of a robust ISMS and is conducted across the whole scope of the ISMS. It
identifies the risks to which information is exposed and rates each one by the likelihood of it materialising and
the impact it would have if it did, so that risks can be prioritised against each other.

Once the risk assessment has been conducted, the organisation decides how each risk will be treated, measured
against its risk acceptance criteria and within the resources and budget allocated to the ISMS.

Four ways to treat risks

1. Avoid the risk by eliminating it entirely; e.g. getting rid of outdated software or hardware and replacing it
with newer technologies.

2. Modify the risk by applying security controls – e.g. those listed in Annex A of ISO 27001 – to reduce the
likelihood of the risk occurring, or its impact if it does.

3. Share the risk with a third party, e.g. an insurance company via an insurance policy.

4. Retain the risk. This decision can be made if the risk assessment finds that the cost of reducing the risk in
other ways (including terminating it) would be greater than the damage the risk could inflict upon the business,
and the risk falls within the organisation's documented risk acceptance criteria.
Controls to mitigate risk
ISO 27001 provides a reference set of controls that are designed to mitigate information security risks; however, an
organisation can use other control sets too. In the 2013 edition referred to throughout this sheet there are 114
controls in Annex A, covering the breadth of information security management, grouped into 14 control sets. (The
2022 revision of the Standard restructured Annex A into 93 controls under four themes.) The 14 control sets are:

1. Information security policies.

2. Organisation of information security – includes controls for managing mobile devices and bring your own device
(BYOD).

3. Human resources security – controls related to the employment of staff.

4. Asset management.

5. Access control – controls such as user access management and user responsibilities.

6. Cryptography – includes encryption/key management.

7. Physical and environmental security – includes aspects related to clear desk and clear screen policies.

8. Operational security – includes controls for managing malware, the company's backup policy, logging, how to
monitor threats and vulnerabilities, etc.

9. Communications security – includes controls related to segregation of the network, telecommunications
security, etc.

10. System acquisition, development and maintenance.

11. Supplier relationships – controls that relate to supplier contract management and dealing with
supplier-related risks.

12. Information security incident management – controls related to monitoring and detecting security events and
the execution of proper responses to those events.

13. Information security aspects of business continuity management.

14. Compliance – controls related to achieving compliance with relevant legislation and regulatory requirements.
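The risk treatment choices above, and the requirement (noted later in this sheet under "Conduct an information security risk assessment") to compare the controls you select against Annex A, are easier to see on a concrete register. The following is an added example, not code from the data sheet or from IT Governance: it scores each risk as likelihood multiplied by impact on an assumed 5x5 scale, records one of the four treatments, flags retained risks above an assumed acceptance threshold, and cross-checks the selected controls against a small constructed subset of the Annex A list to draft a Statement of Applicability. The sample risks, the threshold and the custom control INS-1 are all constructed for illustration.

```python
"""Added example: a minimal ISO 27001-style risk register.

Scales, threshold, sample risks and the Annex A subset are constructed for
illustration; only six of the 114 Annex A control IDs are listed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"    # eliminate the source of the risk, e.g. retire the system
    MODIFY = "modify"  # apply controls to reduce likelihood and/or impact
    SHARE = "share"    # transfer part of the impact, e.g. insurance
    RETAIN = "retain"  # accept it within the risk acceptance criteria


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int                 # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                     # assumed scale: 1 (negligible) .. 5 (severe)
    treatment: Treatment
    controls: list[str] = field(default_factory=list)   # Annex A or custom control IDs

    def score(self) -> int:
        """Inherent risk score on the assumed 5x5 matrix (1..25)."""
        return self.likelihood * self.impact


# Constructed subset of the ISO/IEC 27001:2013 Annex A reference controls.
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.6.2.1": "Mobile device policy",
    "A.9.2.1": "User registration and de-registration",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
}

ACCEPTANCE_THRESHOLD = 6   # assumption: a score above this must not simply be retained


def validate_register(risks: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[str]:
    """Return the findings an internal audit would raise against the register."""
    findings: list[str] = []
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            findings.append(f"{r.risk_id}: likelihood/impact outside the 1-5 scale")
        if r.treatment is Treatment.RETAIN and r.score() > threshold:
            findings.append(f"{r.risk_id}: score {r.score()} exceeds acceptance threshold "
                            f"{threshold} but the risk is retained")
        if r.treatment is Treatment.MODIFY and not r.controls:
            findings.append(f"{r.risk_id}: treatment is 'modify' but no controls are selected")
        for c in r.controls:
            if c not in ANNEX_A:
                findings.append(f"{r.risk_id}: control {c} is not in Annex A; "
                                "record it as an additional control")
    return findings


def statement_of_applicability(risks: list[Risk]) -> dict[str, dict]:
    """Draft SoA: each Annex A control is applicable (traced to the risks it
    treats) or excluded, with a justification still to be confirmed by a human."""
    soa = {cid: {"name": name, "applicable": False, "risks": []} for cid, name in ANNEX_A.items()}
    for r in risks:
        for c in r.controls:
            if c in soa:
                soa[c]["applicable"] = True
                soa[c]["risks"].append(r.risk_id)
    for entry in soa.values():
        if entry["applicable"]:
            entry["justification"] = "selected to treat " + ", ".join(entry["risks"])
        else:
            entry["justification"] = "excluded: no register risk requires it (confirm and record why)"
    return soa


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Staff laptops", "Theft of an unencrypted device", 3, 4, Treatment.MODIFY,
         ["A.6.2.1", "A.10.1.1"]),
    Risk("R2", "File server", "Ransomware", 4, 5, Treatment.MODIFY, ["A.12.2.1", "A.12.3.1"]),
    Risk("R3", "Legacy HR application", "Exploitation of an unpatchable flaw", 4, 3, Treatment.AVOID),
    Risk("R4", "Customer database", "Breach notification and legal costs", 2, 5, Treatment.SHARE,
         ["INS-1"]),   # INS-1: constructed custom control (cyber insurance policy)
    Risk("R5", "Visitor sign-in book", "Casual reading by other visitors", 2, 1, Treatment.RETAIN),
    Risk("R6", "Shared admin account", "Untraceable privileged change", 3, 4, Treatment.RETAIN),
]


def main() -> None:
    for r in sorted(SAMPLE_REGISTER, key=Risk.score, reverse=True):
        print(f"{r.risk_id} score={r.score():2d} {r.treatment.value:7s} {r.asset}: {r.threat}")
    print("\nFindings:")
    for finding in validate_register(SAMPLE_REGISTER):
        print(" -", finding)
    print("\nStatement of Applicability (draft):")
    for cid, e in statement_of_applicability(SAMPLE_REGISTER).items():
        print(f" {cid:9s} {'Yes' if e['applicable'] else 'No':3s} {e['name']}: {e['justification']}")


if __name__ == "__main__":
    main()
```

Running the script lists the register ordered by score, raises two findings (R6 is retained although its score of 12 exceeds the assumed threshold, and R4 relies on a control that is not in Annex A and so must be recorded as an additional control), and drafts an SoA in which A.5.1.1 and A.9.2.1 are excluded until someone records a reason. The SoA justification placeholders are deliberately not auto-filled: the Standard requires the organisation, not a script, to justify each exclusion.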

Review, auditing and reporting


As a management standard, ISO 27001 requires an organisation to continually review the ISMS to make sure it is
functioning optimally, and that it adjusts to the constantly changing threat environment.

One aspect of reviewing and testing is an internal audit, which requires the ISMS manager to produce a set of
reports that provide evidence that risks are being adequately treated.

An even more effective way that an organisation can obtain the assurance that its risk treatment plan (RTP) is
working as intended is by obtaining accredited certification.

Getting certified to ISO 27001


Achieving accredited certification to ISO 27001 demonstrates that an organisation is following information security
best practice, and delivers an independent, expert assessment of whether data is protected according to the
specifications of the Standard.

Certification means that an independent auditor, appointed by an accredited certification body, will audit the ISMS
to establish whether there are any nonconformities that need to be addressed. The audit is normally conducted in
two stages: a Stage 1 review of the ISMS documentation and readiness, followed by a Stage 2 assessment of whether
the ISMS is implemented and operating as documented. The auditor will interview key staff members and review
documentation and records such as the Statement of Applicability (SoA), RTP, information security policy and
internal audit results. Based on the outcomes of the audit, the company will be able to obtain certification that is
valid for three years, subject to annual surveillance audits and a recertification audit at the end of the cycle.

Read more about the benefits of certification.


Getting started with your ISO 27001 project
The following are important considerations when tackling any ISO 27001 project.

Conduct a gap analysis

A gap analysis is an analysis of the gaps between an organisation's existing information security arrangements and
ISO 27001. It is a way of producing a business case for ISO 27001, and provides a timescale and an informed opinion
of the resources required to implement ISO 27001.

Obtain management support

A successful ISMS project depends on top management support and commitment. With top management support, the
project will get the financial and human resources it needs, and the ISMS will be aligned with the strategic goals of
the organisation.

Establish the context, scope and ISMS objectives

The scope of the ISMS may extend to the entire organisation, or only a specific department or geographical location.
When defining the scope, you will need to consider the organisational context as well as the needs and requirements
of interested parties (stakeholders, employees, government, regulators, etc.).

Develop or source the necessary expertise

You will either need to have the internal capacity to lead the project or appoint an external professional with
proven experience of implementing an ISMS who understands the requirements of ISO 27001 compliance.

Conduct an information security risk assessment and implement the necessary controls

Controls should be applied to manage or reduce the risks identified by the risk assessment. ISO 27001 requires you
to compare the controls you select against the reference list of controls in Annex A, to confirm that no necessary
control has been overlooked, and to record the result, with a justification for every inclusion and exclusion, in
the Statement of Applicability.

Improve staff awareness

Raise awareness about information security throughout the organisation. This ensures every employee knows how
they contribute to the organisation's security stance and therefore contributes to it effectively.

Review and update the required documentation

Some documentation is mandated by ISO 27001 (for example the ISMS scope, the information security policy, the risk
assessment and risk treatment process, the Statement of Applicability and the risk treatment plan); beyond that, the
organisation should document only what it needs to operate the ISMS. Getting the balance right is an essential part
of designing and implementing a sustainable ISMS.

Measure, monitor and review

ISO 27001 supports a process of continual improvement. This requires that the performance of the ISMS be
continually analysed and reviewed for effectiveness and compliance, in addition to identifying improvements to
existing processes and controls.

For more information, download our free green paper: Implementing an ISMS: The nine-step approach.
What does a typical ISMS implementation project cost?
Although costs vary from company to company based on the size and complexity of the organisation and the
preferred ISMS implementation approach, IT Governance’s annual global ISO 27001 survey reveals that
organisations spent between £5,000 and £20,000 on the total project, excluding certification fees.

What our clients say about the benefits of implementing ISO 27001
“It made sense to certify to ISO 27001 because the workload of regular audits would be greatly eased by having
evidence to show of internal standards compliance. Some of our major clients, including banks and other mortgage
lenders, would accept ISO 27001 certification without the need for detailed audits, knowing that the certification
body had done this.”
Nick Tinning, IT director, Aberdein Considine

“Having ISO 27001 certification is important to us for two reasons. First, it gives our customers and prospects
confidence that, when they entrust us with their information, we have been independently assessed to be able to
keep that information safe. Secondly, the ISMS is simply good practice for a business like ours; it provides an
effective framework for running an organisation well.”
Andrew Saunders, operations manager, VoiceVault

“As we’ve grown we’ve wanted to demonstrate that we deliver world-class security, and the best way to do that
was to ‘get the badge’ and let the world see we’ve got it. It’s something that allows us to toe the line in order to
compete.”
Steve Carroll, managing director, Healthcode

The importance of using accredited certification bodies


It is important to ensure that the certification body you use for the certification of any management system standard
(e.g. ISO/IEC 27001 or ISO/IEC 22301 for business continuity management) is accredited by an official national
accreditation body, and that the national accreditation body is a member of the International Accreditation Forum
(IAF), such as UKAS in the UK.

Read more about the importance of using accredited certification bodies to ensure that your certificate is valid and
authentic.

The average length of time for an ISO 27001 certification project is 6-12 months*

The time it takes to achieve ISO 27001 certification can vary depending on the size of the organisation, the scope
and complexity of the project and the availability of resources.

Small companies with a single office location and few staff may be able to achieve certification in less than three
months if they rely on external help.

*Global ISO 27001 Report

Secure your supply chain

The proliferation of cyber attacks and data breaches is driving a need for greater information security assurance
throughout the supply chain. By providing a globally accepted indication of your information security management,
ISO 27001 certification significantly reduces the need for repeated supplier audits, lessening the number of external
audit days, and presents significant savings in terms of preparatory work when entering into contracts.


Overcoming the initial barriers to ISO 27001 implementation
Despite the numerous benefits offered by ISO 27001, some companies struggle to fully adopt the Standard.

IT Governance’s annual ISO 27001 Global Report reveals some of the obstacles that information security teams face
when tackling the Standard for the first time.

• Executive teams often fail to grasp the extent of information security risks.

• The requirements of the Standard are not always easy to interpret.

• Sufficient resources and budget are not always allocated.

• It is not always clear how to effectively implement the required controls.

• The process of creating the required policies, procedures and documents can be time-consuming.

• Conducting the risk assessment can be a complex undertaking.

• Reporting and maintaining the ISMS requires knowledge and expertise.

• Scoping the project properly can be challenging for complex organisations.

Work with one of the most experienced ISO 27001 teams in the world
IT Governance is more than just a consultancy company.

We offer a complete set of ISO 27001 products and services in addition to a wide range of other IT GRC disciplines.

This means you can get whatever you need for your project in one place.

Our multi-sector and multi-standard knowledge and experience mean we can help you implement an ISMS quickly
and easily, no matter where your business is located.

Combined with our deep industry expertise and practical approach, we can provide advice, tools, DIY solutions, in-
depth training, easy access to online consultancy (billed by the hour) or full-service consultancy support to help you
tackle any obstacle during your ISO 27001 journey.
How IT Governance can help: cost-effective resources

ISO 27001 Gap Analysis
Secure the necessary project budget and support. Get an expert opinion on the resources, timescales and plans you
need to achieve ISO 27001 certification-readiness.

ISO 27001 Online FastTrack™ Consultancy
Get certification-ready in 3 months. Receive a 100% certification guarantee with our fixed-price consultancy service
for small businesses.

ISO 27001 Certified ISMS Lead Implementer
Develop the necessary internal expertise. This fully accredited, practitioner-led course equips you with the skills to
lead an ISO 27001 ISMS implementation project.

ISO 27001 ISMS Documentation Toolkit
Accelerate the documentation process. Customisable documentation templates help you implement the necessary
controls and save you weeks of work.

ISO 27001 ISMS Management Service
Eliminate ISMS management hassle. Get hands-on support from an ISO 27001 specialist.

ISO 27001 Get a Lot of Help Package
Implement an ISMS with expert support. Get expert support to tackle an ISMS implementation project without the
added consultancy expense. Our package includes tools, training and five days of online consultancy at key stages of
your project.

vsRisk™ Standalone - Basic
Fast, accurate and hassle-free risk assessments. vsRisk™ provides an easy solution for conducting risk assessments
against the requirements of ISO 27001.
About IT Governance
Practical solutions and advice. Broad management capabilities. Deep technical expertise.

IT Governance is a leading global provider of IT GRC solutions. We advise global businesses on their most critical
issues and present cost-saving and risk-reducing solutions based on international best practice and frameworks.

Consultancy
Our management team has led ISO 27001
implementations since the inception of the
Standard, when two of our directors led the world’s
first successful certification of an ISO 27001 ISMS.
To date, we have helped more than 600
organisations with their ISO 27001 implementation
and certification projects.

Our unique combination of technical expertise and a


solid track record in international management
system standards means we can deliver a complete
solution and manage the project from start to finish.

With more than 15 years’ practical experience


working on projects in a range of public- and
private-sector organisations across a variety of
market sectors, we can provide consultancy services
covering any framework or management standard
to any organisation, anywhere in the world.

Training
We are an acknowledged leader in ISO 27001,
information security, data protection and business
continuity management training, and offer industry-
leading, ISO 17024-certificated qualifications to
implement and audit an ISO 27001 ISMS.

Choose from the largest portfolio of ISO 27001


classroom-based and Live Online training courses
and qualifications available globally.

Our full range of products and services:

• Consultancy

• Training and qualifications

• Documentation toolkits

• Penetration testing

• Software

• Standards

• Staff awareness programmes

• Books and guides

“IT Governance gave us the confidence to accelerate the process of gaining certification which we achieved
thanks to their help in line with project timescales.”
Carl White, service manager, Lanware
Why IT Governance?
• IT Governance is considered the global authority on ISO 27001 implementation and our management team led
the world’s first successful certification to ISO 27001.

• Our implementation approach has been honed over 15+ years.

• We’ve helped more than 600 organisations implement and get certified to ISO 27001.

• A wide range of tools and solutions put you in the driver’s seat, often eliminating consultancy fees.

• Our consultancy projects provide a 100% guarantee of certification.

• You benefit from real-world practitioner expertise, not just academic knowledge.

• We can help small organisations achieve ISO 27001 certification in just three months.

• We are independent of vendors and certification bodies, and we encourage our clients to select the best-fit
supplier of independent certification services for their needs and objectives.

• Our pricing is clear and transparent.

Our credentials
IT Governance is widely recognised among certification bodies as a leading consultancy.

Some of our clients


Data Sheet ISO 27001 - v1

Speak to an expert


Please contact us for further information or to speak to an expert.

IT Governance Europe Ltd t: 00 800 48 484 484


Third Floor, The Boyne Tower, e: servicecentre@itgovernance.eu
Bull Ring, Lagavooren, w: www.itgovernance.eu
Drogheda, Co. Louth, A92 F682
