ISO 27001 – Information Security Management System

ISO 27001 is the internationally recognized standard for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

Sections of best practices

There are 114 controls in 14 clauses and 35 control categories. These sections specify the best practices for:

Business continuity planning

System access control

System acquisition, development and maintenance

Physical and environmental security

Information security incident management

Personnel security

Security organization

Communication and operations management

Asset classification and control

Information Security policies

Achieving certification to ISO 27001 demonstrates that your company is following information security best practices.

The typical stages in implementing ISO 27001 are:

ISO 27001 gap analysis – identify which areas of the existing management systems in use can be aligned with the ISO 27001 standard.

Planning session

Facilitate the identification of information assets, conduct the risk assessment, and produce the risk treatment plan and the Statement of Applicability.

Facilitate the identification, compilation and implementation of internal processes:

  • ISO 27001 Annexure A controls
  • Policies, review and update as required
  • Processes, review and update as required
  • Procedures, review and update as required
  • Records, review and update as required

ISO 27001 overview training

Conducting internal audits

Facilitate the actions identified for non-conformities

Facilitate management review meeting

Facilitate external certification assessment

Implementing an ISMS based on ISO 27001 will involve your whole organisation including interdependencies with other systems. An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same.

Contributing factors to successful implementation:

Own it from the top and ensure all senior managers are on board and involved.

Ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function.

Prioritise the process within the organisation: make it clear that this is going to happen, and explain why, in order to get company-wide buy-in.

Engage an experienced third party to drive the process from outside the organisation to ensure progress continues even when the pressure is on.

Do your risk assessment first and then base all your security controls on the risks you have identified. Do not start implementing controls because they sound good, otherwise you will tie yourself up in knots and do a lot of unnecessary work.

Ensure this project is present in all strategic plans, budgets and resource allocations.

Keep communication lines open and maintain transparency of the entire process.

Ensure it is not viewed as an IT project, with only IT staff in the project team.

Avoid difficult technical language, keep it short, simple and practical.

Focus on business risks/issues and not technical issues only.

Make it part of your normal day-to-day operations.

Keep reviewing changes in the environment, and amend the risk assessment, Statement of Applicability and related controls accordingly.

Benefits of an ISO 27001 ISMS:

It demonstrates compliance with customer, regulatory and/or other requirements;

It helps to win new business and retain existing customers;

It lets you manage, monitor, audit and improve your organisation’s information security practices in one place, consistently and cost-effectively;

It helps you avoid the potential financial penalties and losses associated with information breaches;

By regularly identifying and managing your information security risks, it helps you keep up with constantly evolving information security threats;

It aligns your information security approach with the organisation’s strategic objectives;

It keeps customers’ intellectual property and valuable information secure;

It provides customers and stakeholders with confidence in how you manage risks and opportunities;

It delivers a set of appropriate technical controls, policies and procedures for reducing, monitoring and reviewing risks;

It improves internal structures and clarifies who is responsible for which information assets;

It promotes a culture and awareness of information security that ensures information security is entrenched across the business;

Obtaining certification to ISO 27001 provides independent assurance that your ISMS has been audited in accordance with internationally accepted standards for good information security practice.

Effective Quality Solutions can assist with the implementation of an ISO 27001 Information Security Management System.

Interested in an ISO 27001 consultation?

Call us now on 083 629 5835 or send us a quick email.
