ISO 27001

ISO 27001 is a standard developed by the International Organization for Standardization (ISO) that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of an organization's overall business risks. The purpose of ISO 27001 is to provide a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability.


Key purposes of ISO 27001 include:

  1. Information Security Management: ISO 27001 helps organizations establish a robust framework for managing information security risks. It provides a systematic approach to identifying, assessing, and treating information security threats and vulnerabilities within the organization.

  2. Confidentiality, Integrity, and Availability: The standard emphasizes the importance of maintaining the confidentiality, integrity, and availability of information assets. ISO 27001 helps organizations implement controls to protect sensitive information from unauthorized access, modification, or destruction.

  3. Compliance: ISO 27001 assists organizations in ensuring compliance with relevant legal, regulatory, and contractual requirements related to information security. By implementing ISO 27001, organizations can demonstrate their commitment to protecting sensitive information and meeting compliance obligations.

  4. Risk Management: ISO 27001 requires organizations to conduct risk assessments and implement appropriate controls to mitigate identified risks. By addressing information security risks proactively, organizations can prevent security incidents, minimize potential damage, and protect their reputation.

  5. Continuous Improvement: Similar to other ISO management system standards, ISO 27001 promotes a culture of continual improvement. Organizations are encouraged to monitor and review their information security performance, identify areas for enhancement, and take corrective actions to improve their ISMS over time.

  6. Stakeholder Confidence: Implementing ISO 27001 can enhance stakeholder confidence, including customers, partners, and regulators, by demonstrating that the organization has established a robust framework for managing information security risks and protecting sensitive information.


Overall, the purpose of ISO 27001 is to help organizations establish and maintain an effective information security management system that protects sensitive information, ensures compliance with legal and regulatory requirements, minimizes security risks, and fosters continual improvement in information security practices. By achieving ISO 27001 certification, organizations can demonstrate their commitment to information security and gain a competitive advantage in the marketplace.

Sample of ISO 27001 Requirements

  • Information Security Policy Statement: normally a one- or two-page commitment to the ISO standard; it provides a framework for setting, achieving and maintaining quality objectives, and commits the organisation to legal compliance, data protection and continuous improvement.

  • Organisation Chart: this demonstrates the structure of the business and can include line management, roles and responsibilities, and the identity of the Information Security Manager (ISM).

  • List of Information Security objectives: these should have measurable targets and be time-related.

  • Legal Register: a list of all legislation that applies to the business, with a regular review of this document against current and updated legislation.

  • Risk register and risk treatment.

  • Statement of applicability showing how all the required controls are implemented and managed.

  • Business continuity plan.