What is ISO 27001:2013? Understand the Information Security Standard

Published on: May 24, 2022

Get your questions about ISO 27001:2013 answered as you learn about the benefits and main clauses of this ISO Management System Standard, which is so important in our modern world

On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. Learn more about the standard update in this blog article.

In a hyper-connected digital world, the threat of data breaches and cyber attacks has become incontestable. According to the Australian Cyber Security Centre’s latest report, one cybercrime is reported in Australia every eight minutes, a 13% increase from the previous year. Self-reported losses total more than $33 billion, but the actual figure is likely higher due to under-reporting.

Consumers are increasingly concerned with how companies use and store their data. At the same time, businesses struggle to find effective ways to protect private information and sensitive data, an even more significant concern now that more people are working remotely and putting information security best practices under strain. As cybercriminals become more sophisticated, many specialists say that it’s not a case of if but when a cyber attack or a data breach will occur. How, then, can a business protect its data?

The easy answer seems to be to invest in good anti-virus software or some other type of privacy protection tool. However, software may not be enough without promoting a culture of information security within the organisation, and that’s why the Information Security Management System (ISMS) Standard, ISO 27001:2013, has become such a popular framework in the past few years.

An ISMS – or Information Security Management System – is a framework of processes, technology, and people that employ technical, administrative, managerial, and legal controls for effective risk management. In other words, it’s a systematic approach to protecting information assets through effective risk management.

Whether a company offers technology-based solutions to clients, or its products and services involve little or no technology at all, it is likely to deal with personal information from consumers and other stakeholders, as well as commercially sensitive information. Hence, implementing a Management System for Information Security will benefit organisations in any industry.

Continue reading to learn more about ISO 27001:2013 and have the most common questions about this standard answered.

What is ISO 27001:2013?

By definition, the ISO 27001:2013 Standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the organisation’s context. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the business.

Similar to other ISO Management System Standards, the requirements outlined in the document are generic and applicable to organisations of all types, sizes and industries.

The core aspects of ISO 27001:2013 are:

  • Confidentiality, ensuring information is only accessible to authorised individuals (employees’ data must only be accessible to authorised Human Resources personnel, for example).
  • Integrity, guaranteeing data is intact and complete, preventing unauthorised changes, whether malicious (by a disgruntled employee) or accidental (by an inexperienced employee).
  • Availability, ensuring information is available to the people who need it, when they need it. This means your systems must be reliable and always accessible to authorised people when required.

These aspects must be maintained by applying a risk management process, giving confidence to interested parties that risks are adequately managed.

Note

You may also find the 27000 family of standards named with the prefix ISO/IEC. The IEC added to the name is a reference to the International Electrotechnical Commission, the technical body responsible for creating standards in the field of electrical and electronic technologies, in cooperation with the International Organisation for Standardisation (ISO).

If you’re new to ISO Management Systems, you may expect the standard to provide strictly technical guidelines for the Information Security Management System. However, rather than specifying software requirements, ISO 27001:2013 is a framework for a strategic approach to Information Security. This will become more evident as we go through the standard’s benefits and overarching clauses below.

What are the benefits of ISO 27001:2013?

Information Security is an essential component of the successful operation of any business in an increasingly connected world. By ensuring data and confidential information are protected, implementing and achieving certification to ISO 27001:2013 will help businesses:

  • Build stakeholder trust: the certification gives your customers and stakeholders confidence that the established ISMS will protect and preserve their data, enhancing business reputation.
  • Reduce costs: by developing a business-wide framework that enables a proactive and fast response to new and emerging threats, eliminating information security incidents and reducing the time and costs related to correcting breaches.
  • Widen market potential: by meeting large contract and tender pre-qualification requirements and gaining an important competitive advantage.
  • Improve business management: by planning, implementing, and controlling the processes needed to meet information security requirements.
  • Attain legal compliance: by providing an effective framework for monitoring legal requirements and evaluating compliance.
  • Grow the business: by providing opportunities to improve and innovate the business with the knowledge that confidential information is protected.
  • Reduce risks: by conducting information security risk assessments at planned intervals and implementing risk treatment plans, the business will increase its resilience to cyber attacks and data breaches.
  • Enhance company culture: ensuring all employees take a risk-based approach to their work activities.

What are the ISO 27001:2013 Information Security Management System requirements?


The ISO 27001:2013 standard comprises 11 clauses (0 to 10), as detailed below:

  • Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) provide an introduction to the standard and its general terms.
  • Clauses 4 to 10 provide the mandatory requirements for conformance with ISO 27001:2013.

Clause 4: Context of the organisation – This requires an organisation to understand the needs and expectations of interested parties and determine the scope of the organisation’s Information Security Management System. It is crucial to clarify which areas of the business are covered by the ISMS. It also covers how the organisation implements, maintains and continually improves the Information Security Management System.

Clause 5: Leadership – Emphasises how top management should support and demonstrate commitment to the Information Security Management System, including establishing an Information Security Policy and ensuring roles, responsibilities, and authorities are clear within the information security context.

Clause 6: Planning – Requires an organisation to determine actions to address risks and opportunities so that the Information Security Management System can achieve goals such as preventing and reducing risks and promoting continual improvement. It also states that the organisation shall implement measurable and relevant ways to evaluate the effectiveness of these actions. The organisation must keep documentation about its information security objectives and determine what will be done, project timelines, roles and responsibilities, and how results will be evaluated.

Clause 7: Support – To support the establishment, implementation, maintenance and continual improvement of the Information Security Management System, the organisation must promote awareness through clear communication and provide employees with the necessary resources to create, update and control the ISMS.

Clause 8: Operation – To meet this requirement, the business must plan, implement and control information security processes. The organisation shall keep documented information to ensure that the processes have been carried out as planned. Performing an information security risk assessment and implementing risk treatment plans are also mandatory.

Clause 9: Performance evaluation – The organisation needs to assess its information security performance and effectiveness, determining what needs to be monitored and measured, when, which methods will be used, and who will perform the ISMS evaluation and analysis. Internal audits are also required by this clause, as is top management review of the Information Security Management System to ensure its continuing suitability, adequacy and effectiveness.

Clause 10: Improvement – Following up on the evaluation, the organisation shall continually improve the suitability, adequacy and effectiveness of the Information Security Management System by taking corrective action (and eliminating the causes) in case a nonconformity to the Standard or to business processes is identified.

Annex A is also an essential component of ISO 27001:2013. This second part of the Standard comprises a list of 114 controls, organised in 14 sections. These are used to support the implementation of ISO 27001:2013’s requirements as part of the risk management process. The controls to be implemented should be selected based on the risk treatment options chosen for the risks identified in the organisation’s Information Security Risk Assessment.

What is the ISO 27000 Family of Standards?

ISO 27001:2013 is part of a wider set of standards, the ISO 27000 series. Published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), the 27000 family comprises over a dozen Standards, as well as Guidelines, Specifications and Codes of Practice. Among them, there are six fundamental elements that will be a good starting point when implementing an Information Security Management System (ISMS):

ISO NUMBER            NAME
ISO/IEC 27001:2013    Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002:2013    Information technology – Security techniques – Code of practice for information security controls
                      (ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls was published in 2022, and is in the process of superseding ISO/IEC 27002:2013)
ISO/IEC 27005:2018    Information technology – Security techniques – Information security risk management
ISO/IEC 27017:2015    Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2019    Information technology – Security techniques – Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
ISO/IEC 27701:2019    Security techniques – Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management – Requirements & guidelines

Accredited Certification can be achieved to ISO 27001:2013.

A tender requirement or client contract may also determine that the organisation needs to implement one or more specific controls from codes of practice such as ISO 27017:2015 (which contains additional cloud-based risk controls) and ISO 27018:2019 (guidelines for the protection of personally identifiable information). In these cases, the business can also ask the certification body to assess its ISMS against those requirements and obtain a “verification of conformity” (in conjunction with its Accredited Certification to ISO 27001:2013).

ISO 27002:2013 is a guidance document that supports the implementation of the requirements of ISO 27001:2013 Information Security Management Systems. The new version of this standard was published just recently, in February 2022. You can find out more about what changed here.

Where to start with implementing the requirements of the ISO 27001:2013 Standard?


Interpreting the requirements and matching them with the business’ context and needs can be an overwhelming task. Engaging an ISO Management System Consultant can help, resulting in a more effectively implemented system that will work for the business, and lowering the risk of failing the Certification Audits. Regardless of whether an organisation implements the standard by itself or with the help of a professional consultant, the business must have a copy of the Standard document so the team can become familiar with the requirements.

Elements such as the size of the organisation, complexity of its operations, and systems that are currently in place will impact costs and timeframes when implementing the Business Management System. After successfully doing so, the business can go for the Certification Audits with an Accredited Conformity Assessment Body (click here to read more about the certification process).

From a strategic planning perspective, the business can benefit from qualifying the team who will be conducting internal audits of the Business Management System, as this will be a requirement to achieve and maintain certification to ISO 27001:2013.

Check out our practical Management System Internal Auditor Training as an option to train your team to conduct effective Internal Audits in accordance with the main ISO Management System Standards, including ISO 27001:2013.

Managing Director at ICExperts Academy and ISO Certification Experts

Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Australian Organisation for Quality and Brand Integrity Committee.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.