March 9, 2016

ISO 27001 – The big picture

ISO 27001 protects the Confidentiality, Integrity and Availability (CIA) of information. This is a quick overview of what it covers and how the process works.


4 main areas

  • Clauses 0-3 General definitions and content
  • Clauses 4-10 ISMS mandatory compliance
  • Annex A Technical controls
  • Bibliography

Clauses 4-10

7 clauses relating to the nature and operation of the ISMS.

4 – Context of the organisation

  • Boundaries of ISMS and its scope
  • Makes sure you understand the organisation
  • Makes sure you understand interested parties
  • States that the organisation shall implement an information security management system

5 – Leadership

  • Support from leadership
  • Documented information security policy that is communicated properly
  • Define and assign responsibilities for the policies

6 – Planning

  • Determine risk and opportunities
  • How to apply risk assessment process
  • How to identify and analyse risk
  • How to treat those risks
  • How to set and reach security objectives

7 – Support

  • Ensure enough support is available for the information security management system
  • Ensure organisation has adequate resources, competence and awareness
  • Requirements for documentation and how it can be controlled and updated

8 – Operation

  • Operating the ISMS processes
  • Operating risk assessments
  • Operating risk treatment

9 – Performance evaluation

  • Evaluate the effectiveness of the ISMS
  • Monitoring, measuring and analysing the performance
  • Handles management reviews

10 – Improvement

  • ISMS should be a continuous process

Annex A

  • Lists control objectives and domains used in ISMS
  • 114 controls in total


  • Set scope as early as possible
  • Applies to process, data, people, places, activities
  • Consider internal and external factors
  • Consider interested parties
  • Consider relationship between activities in your and other organisations


  • Business activities, data
  • Location specific data (production/test in different place)
  • Channel specific transactions
  • Specific products/services
  • What’s important from customer point of view

Risk assessment

Key part of ISMS. Repeatable method for risk assessment.

  • Criteria for accepting risk (appetite)
  • Identifying risks
  • Analyzing risks
  • Evaluating risks

Statement of applicability

Contains a list of controls necessary to treat identified risks.

  • Go through all 114 controls
  • Justify inclusion of controls
  • Justify exclusion of controls
  • Whether implemented or not

Required documents

16 mandatory documents

  • Procedures
  • Policies

7 mandatory records

  • Internal audit records
  • Corrective action records

Case study Background

Globomantics is an online web service that allows a user to fill in their personal info and request a brochure from a company for some specific service.

  • 25 staff in total, IT team of 4
  • 2 developers, 1 DBA, 1 sysadmin
  • Want to be ISO 27001 certified, as customers are financial services and they capture PII


Brochure request

  • Requester web site
  • Requester database
  • Mailing labels

New client onboarding

  • Configure new client and campaign

Statement of applicability

  • Tailor ISO 27001 to your business
  • Go through all 114 controls
  • List include/exclude information in columns

Certification lifecycle

  1. Start with scope
  2. Risk assessment, Statement of applicability, Internal audit, Management review, Mandatory documents
  3. Stage 1 audit with external auditor (all should be done)
  4. Stage 2 audit with external auditor (more strict)
  5. Recommended for certification
  6. Audit findings

Toolset and support

Tool support

  • File share (no versioning or history)
  • Templates and toolkits (rapid generation, might not align to organisation needs)
  • Document management system (VCS, SharePoint)
  • Risk management and governance system

Organisational support

  • Human resources
  • Facilities
  • Training
  • IT operations
  • Software development
  • Business stakeholders

3rd party support

  • Gap analysis prior to Stage 1 audit to find issues
  • Other external help