What is ISO 27001:2013? Understand the Information Security Standard

Published on: May 24, 2022

Get your questions about ISO 27001:2013 answered as you learn about the benefits and main clauses of this ISO Management System Standard, which is so important in our modern world

On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. Learn more about the standard update in this blog article.

In a hyper-connected digital world, the threat of data breaches and cyber attacks has become incontestable. According to the Australian Cyber Security Centre’s latest report, one cybercrime is reported in Australia every eight minutes, a 13% increase from the previous year. Self-reported losses total more than $33 billion, but the actual figure is likely higher due to under-reporting.

Consumers are increasingly concerned with how companies use and store their data. At the same time, businesses struggle to find effective ways to protect private information and sensitive data, an even more significant concern as more people are working remotely and challenging information security best practices. As cybercriminals become more sophisticated, many specialists say that it’s not a case of if but when a cyber attack or a data breach will occur. How, then, can a business protect its data?

The easy answer seems to be to invest in a good anti-virus software or some other type of privacy protection tool. However, software may not be enough without promoting a culture of information security within the organisation, and that’s why the Information Security Management System (ISMS) Standard, ISO 27001:2013, has become such a popular framework in the past few years.

An ISMS – or Information Security Management System – is a framework of processes, technology, and people that employ technical, administrative, managerial, and legal controls for effective risk management. In other words, it’s a systematic approach to protecting information assets through effective risk management.

Whether a company offers technology-based solutions to clients, or if the products and services are technology-light or non-existent, they are likely to deal with personal information from consumers and other stakeholders, as well as commercially sensitive information. Hence, implementing a Management System for Information Security will benefit organisations in any industry.

Continue reading to learn more about ISO 27001:2013 and have the most common questions about this standard answered.

What is ISO 27001:2013?

By definition, the ISO 27001:2013 Standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the organisation’s context. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the business.

Similar to other ISO Management System Standards, the requirements outlined in the document are generic and applicable to organisations of all types, sizes and industries.

The core aspects of ISO 27001:2013 are:

  • Confidentiality, ensuring information is only accessible to authorised individuals (employees’ data must only be accessible to authorised Human Resources personnel, for example).
  • Integrity, guaranteeing data is intact and complete, avoiding unauthorised changes from malicious (by a disgruntled employee) or accidental acts (by an inexperienced employee).
  • Availability, ensuring information is available to the people who need it, when they need it. This means your systems must be reliable and always accessible to authorised people when required.

These aspects must be maintained by applying a risk management process, giving confidence to interested parties that risks are adequately managed.


You may also find the 27000 family of standards named ISO/IEC . The IEC added to the name is to include a reference to the International Electrotechnical Commission, the technical body responsible for creating the standards in the field of electrical and electronics technologies, in cooperation with the International Organisation for Standardisation (ISO).

If you’re new to ISO Management Systems, you may expect the standard to provide strictly technical guidelines for the Information Security Management System. However, rather than specifying software requirements, ISO 27001:2013 is a framework for a strategic approach to Information Security. This will become more evident as we go through the standard’s benefits and overarching clauses below.

What are the benefits of ISO 27001:2013?

Information Security is an essential component to the successful operation of any business in an increasingly connected world. By ensuring data and confidential information is protected, implementing and achieving certification to ISO 27001:2013 will help businesses:

  • Build stakeholder trust: the certification gives your customers and stakeholders confidence that the established ISMS will protect and preserve their data, enhancing business reputation.
  • Reduce costs: by developing a business-wide framework that enables a proactive and fast response to new and emerging threats, eliminating information security incidents and reducing the time and costs related to correcting breaches.
  • Widen market potential: by meeting large contract and tender pre-qualification requirements and gaining an important competitive advantage.
  • Improve business management: by planning, implementing, and controlling the processes needed to meet information security requirements.
  • Attain legal compliance: by providing an effective framework for monitoring legal requirements and evaluating compliance.
  • Grow the business: by providing opportunities to improve and innovate the business with the knowledge that confidential information is protected.
  • Reduce risks: by conducting information security risk assessments at planned intervals and implementing risk treatment plans, the business will increase its resilience to cyber attacks and data breaches.
  • Enhance company culture: ensuring all employees take a risk-based approach to their work activities.

What are the ISO 27001:2013 Information Security Management System requirements?

SO 27001:2013 Information Security Management System requirements

The ISO 27001:2013 standard comprises 11 clauses (0 to 10), as detailed below:

  • Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) outline an introduction to the standard and its general terms.
  • Clauses 4 to 10 provide the mandatory requirements for conformance with ISO 27001:2013.

Clause 4: Context of the organisation – This requires an organisation to understand the needs and expectations of interested parties and determine the scope of the organisation’s Information Security Management System. It is crucial to clarify what areas of the business are covered by the ISMS. It also comprises how the organisation implements, maintains and continually improves the Information Security Management System.

Clause 5: Leadership – Emphasises how top management should support and demonstrate commitment to the Information Security Management System, including establishing an Information Security Policy and ensuring roles, responsibilities, and authorities are clear within the information security context.

Clause 6: Planning – Requires an organisation to determine actions to address risks and opportunities to ensure the Information Security Management System can achieve goals such as preventing and reducing risks and promoting continual improvement. It also states the organisation shall implement measurable and relevant ways to evaluate the effectiveness of these actions. The organisation must keep documentation about their information security objectives and determine what will be done, project timelines, roles and responsibilities and how they will evaluate results.

Clause 7: Support – To support the establishment, implementation, maintenance and continual improvement of the Information Security Management System, the organisation must promote awareness through clear communication and provide employees with the necessary resources to create, update and control the ISMS.

Clause 8: Operation – To meet this requirement, the business must plan, implement and control information security processes. The organisation shall keep documented information to ensure that the processes have been carried out as planned. Performing an information security risk assessment and treatment plans are also mandatory.

Clause 9: Performance evaluation – The organisation needs to assess its information security performance and effectiveness, determining what needs to be monitored and measured, when, which methods will be used, and who will perform the ISMS evaluation and analysis. Internal audits are also requested within this clause, as well as top management action to review the Information Security Management System and ensure its continuing suitability, adequacy and effectiveness.

Clause 10: Improvement – Following up on the evaluation, the organisation shall continually improve the suitability, adequacy and effectiveness of the Information Security Management System by taking corrective action (and eliminating the causes) in case a nonconformity to the Standard or to business processes is identified.

Annex A is also an essential component of ISO 27001:2013. This second part of the Standard comprises a list of 114 controls, organised in 14 sections. These are used to support the implementation of ISO 27001:2013’s requirements as part of the risk management process. The controls to be implemented should be selected based on the risk treatment options that are decided on for the organisation’s risks that are identified (as a result of the Information Security Risk Assessment).

What is the ISO 27000 Family of Standards?

ISO 27001:2013 is part of a wider set of standards, the ISO 27000 series. Published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), the 27000 family comprises over a dozen Standards, as well as Guidelines, Specifications and Codes of Practice. Among them, there are six fundamental elements that will be a good starting point when implementing an Information Security Management System (ISMS):

ISO/IEC 27001:2013Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002:2013Information technology – Security techniques – Code of practice for information security controls
(ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls was published in 2022, and is in the process of superseding ISO/IEC 27002:2013)
ISO/IEC 27005:2018Information technology – Security techniques – Information security risk management
ISO/IEC 27017:2015Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2019Information technology – Security techniques – Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
ISO/IEC 27701:2019Security techniques – Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management – Requirements & guidelines

Accredited Certification can be achieved to ISO 27001:2013.

A tender requirement or client contract may also determine that the organisation needs to implement one or more specific controls from codes of practices such as ISO 27017:2015 (contains additional cloud-based risk controls) and ISO 27018:2019 (guidelines to the protection of personally identifiable information). In these cases, the business can also ask the certification body to assess its ISMS against the requirements and get a “verification of conformity” (in conjunction with their Accredited Certification to ISO 27001:2013).

ISO 27002:2013 is a guidance document that supports the implementation of the requirements of ISO 27001:2013 Information Security Management Systems. The new version of this standard was published just recently, in February 2022. You can find out more about what changed here.

Where to start with implementing the requirements of the ISO 27001:2013 Standard?

Implementing the requirements of the ISO 27001:2013 Standard

Interpreting the requirements and matching them with the business’ context and needs can be an overwhelming task. Getting help from an ISO Management System Consultant can assist, resulting in a more effectively implemented system that will work for the business, and lower the risk of failing the Certification Audits. Regardless of whether an organisation will implement the standard by itself or with the help of a professional consultant, the business must have a copy of the Standard document so the team can get familiar with the requirements.

Elements such as the size of the organisation, complexity of its operations, and systems that are currently in place will impact costs and timeframes when implementing the Business Management System. After successfully doing so, the business can go for the Certification Audits with an Accredited Conformity Assessment Body (click here to read more about the certification process).

From a strategic planning perspective, the business can benefit from qualifying the team who will be conducting internal audits of the Business Management System, as this will be a requirement to achieve and maintain certification to ISO 27001:2013.

Check out our practical Management System Internal Auditor Training as an option to train your team to conduct effective Internal Audits in accordance with the main ISO Management System Standards, including ISO 27001:2013.

Managing Director at ICExperts Academy and ISO Certification Experts

Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Australian Organisation for Quality and Brand Integrity Committee.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.