A comprehensive digital content hub offering in-depth information on ISO 27001 standards, compliance, and certification.
ISO 27001
Unlock Your Competitive Advantage with ISO 27001
In our digital age, businesses can access more sensitive customer data than ever. Consequently, they must take appropriate steps to protect that information or risk financial and reputational consequences.
Your ultimate guide to first-time ISO 27001 success
ISO 27001 is an information security management standard that provides organisations with a structured framework to safeguard their information assets and ISMS, covering risk...
100% first-time ISO 27001 success with the Assured Results Method
The Assured Results Method is your simple, practical, time-saving path to first-time ISO 27001 success. ARM breaks the whole process down into simple steps and guides you through them one by one.
Everything You Need to Know About the ISO 27001: 2022 Standard Update
A new and improved version of ISO/IEC 27001 was published in October 2022 to address growing global cybersecurity challenges and improve digital trust. The world’s best-known standard on information security management helps organisations secure their information assets – which is vital in today’s increasingly digital world.
If you’re responsible for information security, the updated ISO/IEC 27001:2022 standard requires you to implement the changes to ensure you remain compliant and align your infosec posture with the digitisation of business practices and the threats that accompany it.
What Has Changed In The ISO/IEC 27001: 2022 Standard
The good news is that many changes are editorial, for example, changing 'international standard' to 'document' throughout and rearranging phrases to allow for better international translation.
There are also changes to align with the ISO harmonised approach:
Numbering re-structure
The requirement to define processes needed for implementing the ISMS and their interactions
The explicit requirement to communicate organisational roles relevant to information security within the organisation
New clause 6.3 – Planning of Changes
A new requirement to ensure the organisation determines how to communicate as part of clause 7.4
New requirements to establish criteria for operational processes and implement control of the processes
The core changes, however, apply to updates to the current controls in Annex A to align the standard better with the recent changes to ISO/IEC 27002 - Information security, cybersecurity and privacy protection.
The changes to ISO/IEC 27001:2022 also recognise that risk management increasingly spans more organisational functions. Therefore, the updates are intended to make it more straightforward for more people to map and implement the proper security controls.
What Are The Core Changes to Annex A Controls in ISO/IEC 27001: 2022
The number of controls has been reduced from 114 to 93
Some controls have been deleted, 24 controls have been merged, and 58 have been revised. 11 new security controls have been added, designed to address the evolving information security and cybersecurity landscape; these are:
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
As a result, you need to update your management system to optimise any existing ISMS and better align with the context of your information security risks and your organisation.
The structure has been consolidated into four key areas
Organisational
People
Physical
Technological
This contrasts with the 14 areas that formed the previous version of the standard.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
The concept of attributes has been introduced
Aligned with the common terminology used within digital security, five attributes have been introduced:
Control type
Information security properties
Cybersecurity concepts
Operational capabilities
Security domains
These should enable organisations to understand their current security posture better and encourage the adoption of security practices and processes that will lead to more effective business operations.
When Does The Updated ISO/IEC 27001: 2022 Version Take Effect
ISO/IEC 27001:2022 took immediate effect in October 2022 but gave organisations already certified to ISO 27001:2013 three years to transition to the new 2022 version. With the October 2025 deadline just twelve months away, organisations that have yet to transition to the 2022 version must ensure their certifications are updated now to comply with the new standard.
Additional Guidance for ISO/IEC 27001: 2022
Download our helpful 'Summary of Changes' worksheet that outlines all the critical changes to controls from the current version and offers a roadmap to achieving ISO/IEC 27001: 2022.
Strengthen your Information Security Posture Today
Organisations that adopt cyber resilience quickly emerge as leaders in their industry and achieve a competitive advantage. The updated ISO/IEC 27001 ensures the entire organisation is covered, not just your infosec team, and supports your digitisation strategy, reduces the risk of breaches, and builds trust in your brand and your organisation's information resilience.
The ISMS.online platform and tools are ready to support you now, from helping you understand the changes and assess their impact on your organisation's security objectives to implementation guidance and transitioning your certification. Unlock your compliance advantage today!
Winter Watches: Our 6 Favourite ISMS.online Webinars of 2024
In 2024, we saw cyber threats increase, data breach costs rise to record levels, and regulatory restrictions tighten as regulations like NIS 2 and the EU AI Act came into effect. Implementing a robust information security strategy is no longer a nice-to-have for organisations, but a mandatory requirement. Applying information security best practices helps businesses mitigate the risk of cyber incidents, avoid costly regulatory fines, and grow customer trust by securing sensitive information.
Our top six favourite webinars in our ‘Winter Watches’ series are a must-watch for businesses looking to boost their information security compliance. Covering everything from transitioning to the latest ISO 27001 update to navigating NIS 2 and DORA, these key webinars offer top tips and vital advice from industry experts on establishing, managing, and continuously improving your information security management.
Whether you need guidance on implementing the new ISO 42001 standard, support transitioning from ISO 27001:2013 to ISO 27001:2022 or advice on complying with new or upcoming regulations, our top webinars offer advice to help you along the path to success.
Transitioning to ISO 27001:2022: Key Changes and Effective Strategies
In October 2025, the transition period between the ISO 27001:2013 standard and the latest ISO 27001:2022 standard ends. For organisations certified to the 2013 iteration of ISO 27001, making the switch to compliance with the latest version of the standard can seem daunting.
In ‘Transitioning to ISO 27001:2022’, our expert speakers discuss the changes introduced by the new standards and offer guidance on effectively transitioning from the 2013 to 2022 version.
Toby Cane, Sam Peters and Christopher Gill provide practical advice on successfully implementing ISO 27001:2022 within your business, discussing:
The core changes to the standard, including revised requirements and new Annex A controls
The steps you need to take to maintain compliance with ISO 27001:2022
How to build a transition strategy that reduces disruption and ensures a smooth migration to the new standard.
This webinar is essential viewing for information security professionals, compliance officers and ISMS decision-makers ahead of the mandatory transition deadline, with under a year to go.
ISO 42001 Explained: Unlocking Secure AI Management In Your Business
Last December, the International Organisation for Standardisation released ISO 42001, the groundbreaking framework designed to help businesses ethically develop and deploy systems powered by artificial intelligence (AI).
The ‘ISO 42001 Explained’ webinar provides viewers with an in-depth understanding of the new ISO 42001 standard and how it applies to their organisation. You’ll learn how to ensure your business’s AI initiatives are responsible, ethical and aligned with global standards as new AI-specific regulations continue to be developed across the globe.
Our host Toby Cane is joined by Lirim Bllaca, Powell Jones, Iain McIvor and Alan Baldwin. Together, they break down the core principles of ISO 42001 and cover everything you need to know about the AI management standard and the AI regulatory landscape, including:
A deep dive into the structure of ISO 42001, including its scope, purpose and core principles
The unique challenges and opportunities presented by AI and the impact of AI on your organisation’s regulatory compliance
An actionable roadmap for ISO 42001 compliance.
Gain a clear understanding of the ISO 42001 standard and ensure your AI initiatives are responsible using insights from our panel of experts.
Mastering NIS 2 Compliance: A Practical Approach with ISO 27001
The European Union’s NIS 2 Directive entered into force in October, bringing stricter cybersecurity and reporting requirements for businesses across the EU. Does your business comply with the new regulation?
In our in-depth ‘Mastering NIS 2 Compliance: A Practical Approach with ISO 27001’ webinar, we break down the new regulation and how the ISO 27001 framework can provide a roadmap to successful NIS 2 compliance.
Our panel of compliance experts Toby Cane, Luke Dash, Patrick Sullivan and Arian Sheremeti discuss how organisations affected by NIS 2 can ensure they meet requirements. You’ll learn:
The key provisions of the NIS 2 Directive and how they impact your business
How ISO 27001 maps to NIS 2 requirements for more efficient compliance
How to conduct risk assessments, develop incident response plans and implement security controls for robust compliance.
Gain a deeper understanding of NIS 2 requirements and how ISO 27001 best practices can help you efficiently, effectively comply:
Securing Your Cloud Setup: Unlocking the Power of ISO 27017 & 27018 Compliance
Cloud adoption is accelerating, but with 24% of organisations experiencing cloud security incidents last year, standards like ISO 27017 and ISO 27018 are essential for ensuring security, privacy, and long-term business competitiveness.
In our webinar, expert speakers Toby Cane, Chris Gill, Iain McIvor and Alan Baldwin explain how these standards can strengthen your organisation’s security posture to reinforce cloud security and enable strategic growth. You’ll discover:
What the ISO 27017 and ISO 27018 standards cover, including their scope and objectives
Insight into the risks associated with cloud services and how implementing security and privacy controls can mitigate these risks
The security and privacy controls to prioritise for NIS 2 compliance.
Discover actionable takeaways and top tips from experts to help you improve your organisation’s cloud security stance:
Building Digital Trust: An ISO 27001 Approach to Managing Cybersecurity Risks
Recent McKinsey research shows that digital trust leaders will see annual growth rates of at least 10% on their top and bottom lines. Despite this, the 2023 PwC Digital Trust Report found that just 27% of senior leaders believe their current cybersecurity strategies will enable them to achieve digital trust.
Our ‘Building Digital Trust: An ISO 27001 Approach to Managing Security Risks’ webinar explores the challenges and opportunities for building digital trust, with a focus on how ISO 27001, the information security standard, can help.
Our expert panel, Toby Cane and Gillian Welch, share practical advice and key steps for businesses looking to establish and maintain digital trust. In the 45-minute session, you’ll learn:
Best practices for building and maintaining digital trust, including using ISO 27001
The importance of digital trust for businesses
How cyber attacks and data breaches impact digital trust.
Aimed at CEOs, board members and cybersecurity professionals, this vital webinar provides key insights into the importance of digital trust and how to build and maintain it in your organisation:
Navigating DORA Compliance with ISO 27001: A Roadmap to Digital Resilience
The Digital Operational Resilience Act (DORA) comes into effect in January 2025 and is set to redefine how the financial sector approaches digital security and resilience.
With requirements focused on strengthening risk management and enhancing incident response capabilities, the regulation adds to the compliance demands impacting an already highly regulated sector. Financial institutions’ need for a robust compliance strategy and increased digital resilience has never been greater.
In ‘Navigating DORA Compliance with ISO 27001: A Roadmap to Digital Resilience’, speakers Toby Cane, Luke Sharples and Arian Sheremeti discuss how leveraging the ISO 27001 standard can help your organisation seamlessly achieve DORA compliance. They cover:
DORA's core requirements and how they impact your business.
How ISO 27001 provides a structured, practical path to compliance.
Actionable steps for conducting gap analyses, managing third-party risks, and implementing incident response plans.
Best practices for building resilient digital operations that go beyond simple compliance.
Gain an in-depth understanding of DORA requirements and how ISO 27001 best practices can help your financial business comply:
Unlock Robust Compliance in 2025
Whether you’re just starting your compliance journey or looking to mature your security posture, these insightful webinars offer practical advice for implementing and building robust cybersecurity management. They explore ways to implement key standards like ISO 27001 and ISO 42001 for improved information security and ethical AI development and management.
Continuously improve your information security management with ISMS.online – be sure to bookmark the ISMS.online webinar library. We regularly add new sessions with actionable tips and industry trends.
An Integrated Approach: How ISMS.online Achieved ISO 27001 and ISO 27701 Recertification
In October 2024, we attained recertification to ISO 27001, the information security standard, and ISO 27701, the data privacy standard. With our successful recertification, ISMS.online enters its fifth three-year certification cycle—we've held ISO 27001 for over a decade! We're pleased to share that we achieved both certifications with zero non-conformities and plenty of learning.
How did we ensure we effectively managed and continued to improve our data privacy and information security? We used our integrated compliance solution – Single Point of Truth, or SPoT, to build our integrated management system (IMS). Our IMS combines our information security management system (ISMS) and privacy information management system (PIMS) into one seamless solution.
In this blog, our team shares their thoughts on the process and experience and explains how we approached our ISO 27001 and ISO 27701 recertification audits.
What is ISO 27701?
ISO 27701 is a privacy extension to ISO 27001. The standard provides guidelines and requirements for implementing and maintaining a PIMS within an existing ISMS framework.
Why Should Organisations Look to Implement ISO 27701?
Organisations are responsible for storing and handling more sensitive information than ever before. Such a high - and increasing - volume of data offers a lucrative target for threat actors and presents a key concern for consumers and businesses to ensure it's kept safe.
With the growth of global regulations, such as GDPR, CCPA, and HIPAA, organisations have a mounting legal responsibility to protect their customers' data. Globally, we're steadily moving towards a compliance landscape where information security can no longer exist without data privacy.
The benefits of adopting ISO 27701 extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and unlocking a competitive advantage.
Our ISO 27001 and ISO 27701 Recertification Audit Preparation
As this ISO 27701 audit was a recertification, we knew that it was likely to be more in-depth and have a larger scope than a yearly surveillance audit. It was scheduled to last 9 days in total. Also, since our previous audit, ISMS.online has moved HQ, gained another office and had several personnel changes. We were prepared to address any non-compliances caused by these changes, should the auditor find any.
IMS Review
Before our audit, we reviewed our policies and controls to ensure that they still reflected our information security and privacy approach. Considering the big changes to our business in the past 12 months, it was necessary to ensure that we could demonstrate continual monitoring and improvement of our approach.
This included ensuring that our internal audit programme was up to date and complete, we could evidence recording the outcomes of our ISMS Management meetings, and that our KPIs were up to date to show that we were measuring our infosec and privacy performance.
Risk Management and Gap Analysis
Risk management and gap analysis should be part of the continual improvement process when maintaining compliance with both ISO 27001 and ISO 27701. However, day-to-day business pressures may make this difficult. We used our own ISMS.online platform project management tools to schedule regular reviews of the critical elements of the ISMS, such as risk analysis, internal audit programme, KPIs, supplier assessments, and corrective actions.
Using Our ISMS.online Platform
All information relating to our policies and controls is held in our ISMS.online platform, which is accessible by the whole team. This platform enables collaborative updates to be reviewed and approved and also provides automatic versioning and a historical timeline of any changes.
The platform also automatically schedules important review tasks, such as risk assessments and reviews, and allows users to create actions to ensure tasks are completed within the necessary timescales. Customisable frameworks provide a consistent approach to processes such as supplier assessments and recruitment, detailing the important infosec and privacy tasks that need to be performed for these activities.
What to Expect During an ISO 27001 and ISO 27701 Audit
During the audit, the auditor will want to review some key areas of your IMS, such as:
Your organisation's policies, procedures, and processes for managing personal data or information security.
Your information security and privacy risks and the controls you have chosen, to determine whether those controls effectively mitigate the identified risks.
Your incident management: whether your ability to detect, report, investigate, and respond to incidents is sufficient.
Your third-party management, to ensure adequate controls are in place to manage third-party risks.
Your training programmes, to check they adequately educate your staff on privacy and information security matters.
Your organisation's performance metrics, to confirm they meet your outlined privacy and information security objectives.
The External Audit Process
Before your audit begins, the external auditor will provide a schedule detailing the scope they want to cover and if they would like to talk to specific departments or personnel or visit particular locations.
The first day starts with an opening meeting. Members of the executive team, in our case, the CEO and CPO, are present to satisfy the auditor that they manage, actively support, and are engaged in the information security and privacy programme for the whole organisation. This focuses on a review of ISO 27001 and ISO 27701 management clause policies and controls.
For our latest audit, after the opening meeting ended, our IMS Manager liaised directly with the auditor to review the ISMS and PIMS policies and controls as per the schedule. The IMS Manager also facilitated engagement between the auditor and wider ISMS.online teams and personnel to discuss our approach to the various information security and privacy policies and controls and obtain evidence that we follow them in day-to-day operations.
On the final day, there is a closing meeting where the auditor formally presents their findings from the audit and provides an opportunity to discuss and clarify any related issues. We were pleased to find that, although our auditor raised some observations, he did not discover any non-compliance.
People, Processes and Technology: A Three-Pronged Approach to an IMS
Part of the ISMS.online ethos is that effective, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful.
A technology-only approach focuses on meeting the standard's minimum requirements rather than effectively managing data privacy risks in the long term. However, your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your information security and data privacy effectiveness.
As part of our audit preparation, for example, we ensured our people and processes were aligned by using the ISMS.online policy pack feature to distribute all the policies and controls relevant to each department. This feature tracks each individual's reading of the policies and controls, ensures individuals are aware of the information security and privacy processes relevant to their role, and records compliance.
A less effective tick-box approach will often:
Involve a superficial risk assessment, which may overlook significant risks.
Ignore key stakeholders' privacy concerns.
Deliver generic training not tailored to the organisation's specific needs.
Carry out limited monitoring and review of your controls, which may result in undetected incidents.
All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage.
Mike Jennings, ISMS.online's IMS Manager, advises: "Don't just use the standards as a checklist to gain certification; 'live and breathe' your policies and controls. They will make your organisation more secure and help you sleep a little easier at night!"
ISO 27701 Roadmap – Download Now
We've created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. Download the PDF today for a simple kickstart on your journey to more effective data privacy.
Unlock Your Compliance Advantage
Attaining recertification to ISO 27001 and ISO 27701 was a significant achievement for us at ISMS.online, and we used our own platform to do so quickly, effectively and with zero non-conformities.
ISMS.online provides an 81% head start, the Assured Results Method, a catalogue of documentation that can be adopted, adapted, or added to, and our Virtual Coach's always-on support. Easily ensure your organisation is actively securing your information and data privacy, continuously improving its approach to security, and complying with standards like ISO 27001 and ISO 27701.
Discover the benefits first-hand - request a call with one of our experts today.
Audits, Audits, Compliance and Certifications, Certification, ISO 27001, Multiple Standards
An Integrated Approach: How ISMS.online Achieved ISO 27001 and ISO 27701 Recertification
In October 2024, we attained recertification to ISO 27001, the information security standard, and ISO 27701, the data privacy standard. With our successful recertification, ISMS.online enters its fifth three-year certification cycle—we've held ISO 27001 for over a decade! We're pleased to share that we achieved both certifications with zero non-conformities and plenty of learning.
How did we ensure we effectively managed and continued to improve our data privacy and information security? We used our integrated compliance solution – Single Point of Truth, or SPoT, to build our integrated management system (IMS). Our IMS combines our information security management system (ISMS) and privacy information management system (PIMS) into one seamless solution.
In this blog, our team shares their thoughts on the process and experience and explains how we approached our ISO 27001 and ISO 27701 recertification audits.
What is ISO 27701?
ISO 27701 is a privacy extension to ISO 27001. The standard provides guidelines and requirements for implementing and maintaining a PIMS within an existing ISMS framework.
Why Should Organisations Look to Implement ISO 27701?
Organisations are responsible for storing and handling more sensitive information than ever before. Such a high - and increasing - volume of data offers a lucrative target for threat actors and presents a key concern for consumers and businesses to ensure it's kept safe.
With the growth of global regulations, such as GDPR, CCPA, and HIPAA, organisations have a mounting legal responsibility to protect their customers' data. Globally, we're steadily moving towards a compliance landscape where information security can no longer exist without data privacy.
The benefits of adopting ISO 27701 extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and unlocking a competitive advantage.
Our ISO 27001 and ISO 27701 Recertification Audit Preparation
As this ISO 27701 audit was a recertification, we knew that it was likely to be more in-depth and have a larger scope than a yearly surveillance audit. It was scheduled to last 9 days in total. Also, since our previous audit, ISMS.online has moved HQ, gained another office and had several personnel changes. We were prepared to address any non-compliances caused by these changes, should the auditor find any.
IMS Review
Before our audit, we reviewed our policies and controls to ensure that they still reflected our information security and privacy approach. Considering the big changes to our business in the past 12 months, it was necessary to ensure that we could demonstrate continual monitoring and improvement of our approach.
This included ensuring that our internal audit programme was up to date and complete, we could evidence recording the outcomes of our ISMS Management meetings, and that our KPIs were up to date to show that we were measuring our infosec and privacy performance.
Risk Management and Gap Analysis
Risk management and gap analysis should be part of the continual improvement process when maintaining compliance with both ISO 27001 and ISO 27701. However, day-to-day business pressures may make this difficult. We used our own ISMS.online platform project management tools to schedule regular reviews of the critical elements of the ISMS, such as risk analysis, internal audit programme, KPIs, supplier assessments, and corrective actions.
Using Our ISMS.online Platform
All information relating to our policies and controls is held in our ISMS.online platform, which is accessible by the whole team. This platform enables collaborative updates to be reviewed and approved and also provides automatic versioning and a historical timeline of any changes.
The platform also automatically schedules important review tasks, such as risk assessments and reviews, and allows users to create actions to ensure tasks are completed within the necessary timescales. Customisable frameworks provide a consistent approach to processes such as supplier assessments and recruitment, detailing the important infosec and privacy tasks that need to be performed for these activities.
What to Expect During an ISO 27001 and ISO 27701 Audit
During the audit, the auditor will want to review some key areas of your IMS, such as:
Your organisation's policies, procedures, and processes for managing personal data or information security
Evaluate your information security and privacy risks and appropriate controls to determine whether your controls effectively mitigate the identified risks.
Assess yourincident management. Is your ability to detect, report, investigate, and respond to incidents sufficient?
Examine your third-party management to ensure adequate controls are in place to manage third-party risks.
Check your training programmes adequately educate your staff on privacy and information security matters.
Review your organisation's performance metrics to confirm they meet your outlined privacy and information security objectives.
The External Audit Process
Before your audit begins, the external auditor will provide a schedule detailing the scope they want to cover and if they would like to talk to specific departments or personnel or visit particular locations.
The first day starts with an opening meeting. Members of the executive team, in our case, the CEO and CPO, are present to satisfy the auditor that they manage, actively support, and are engaged in the information security and privacy programme for the whole organisation. This focuses on a review of ISO 27001 and ISO 27701 management clause policies and controls.
For our latest audit, after the opening meeting ended, our IMS Manager liaised directly with the auditor to review the ISMS and PIMS policies and controls as per the schedule. The IMS Manager also facilitated engagement between the auditor and wider ISMS.online teams and personnel to discuss our approach to the various information security and privacy policies and controls and obtain evidence that we follow them in day-to-day operations.
On the final day, there is a closing meeting where the auditor formally presents their findings from the audit and provides an opportunity to discuss and clarify any related issues. We were pleased to find that, although our auditor raised some observations, he did not discover any non-compliance.
People, Processes and Technology: A Three-Pronged Approach to an IMS
Part of the ISMS.online ethos is that effective, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful.
A technology-only approach focuses on meeting the standard's minimum requirements rather than effectively managing data privacy risks in the long term. However, your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your information security and data privacy effectiveness.
As part of our audit preparation, for example, we ensured our people and processes were aligned by using the ISMS.online policy pack feature to distribute all the policies and controls relevant to each department. This feature enables tracking of each individual's reading of the policies and controls, ensures individuals are aware of information security and privacy processes relevant to their role, and ensures records compliance.
A less effective tick-box approach will often:
Involve a superficial risk assessment, which may overlook significant risks
Ignore key stakeholders' privacy concerns.
Deliver generic training not tailored to the organisation's specific needs.
Execute limited monitoring and review of your controls, which may result in undetected incidents.
All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage.
Mike Jennings, ISMS.online's IMS Manager, advises: "Don't just use the standards as a checklist to gain certification; 'live and breathe' your policies and controls. They will make your organisation more secure and help you sleep a little easier at night!"
ISO 27701 Roadmap – Download Now
We've created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. Download the PDF today for a simple kickstart on your journey to more effective data privacy.
Unlock Your Compliance Advantage
Attaining recertification to ISO 27001 and ISO 27701 was a significant achievement for us at ISMS.online, and we used our own platform to do so quickly, effectively and with zero non-conformities.
ISMS.online provides an 81% head start, the Assured Results Method, a catalogue of documentation that can be adopted, adapted, or added to, and our Virtual Coach's always-on support. Easily ensure your organisation is actively securing your information and data privacy, continuously improving its approach to security, and complying with standards like ISO 27001 and ISO 27701.
Discover the benefits first-hand - request a call with one of our experts today.
Your 10-Step Roadmap to a Robust ISMS
Implementing an information security management system (ISMS) is vital to protecting your organisation's data. Data breaches—and the costs associated with them—are rising, and the threat landscape is evolving as new AI-driven cyber threats develop. An effective ISMS helps a business maintain the confidentiality, integrity, and availability (CIA) of its data while also ensuring compliance with relevant laws and regulations.
In this guide, we share ten key steps to building a robust ISMS. Gain actionable tips and expert advice on implementing each step to boost your organisation's information security and protect your data.
1. Choose Your ISMS Framework
An ISMS provides a framework for identifying, assessing, and managing information security risks and taking actions to mitigate them. There are several recognised ISMS frameworks, each providing a set of guidelines and requirements for implementing an ISMS.
ISO 27001 ISMS framework: This globally recognised framework provides a set of best practices for information security management. The framework covers all aspects of information security, including:
Risk management
Access control
Network and web-based security
Data backup and recovery
Physical security
Employee training and education
Monitoring and review.
NIST CSF ISMS framework: This framework was developed by the National Institute of Standards and Technology (NIST) and provides guidelines for information security management for U.S. government organisations. It covers various controls, including:
Access control
Incident response
Cryptography
Security assessment
Authorisation.
These frameworks provide your business with guidelines for implementing an effective ISMS, helping to ensure the CIA of your sensitive information.
2. Develop Your Risk Management Plan
How you choose to manage risk is a core component of your organisation's ISMS. Organisations must identify and assess potential risks to their information assets and develop a plan to treat, transfer, terminate or tolerate them based on severity. Your organisation should:
Determine the scope of your ISMS: Your ISMS scope should define the information assets you intend to protect.
Define your risk management methodology: Your chosen methodology should take a systematic approach consistent with your information security strategy. The process should include risk identification, assessment, mitigation, and monitoring.
Identify and assess risks: When you've selected your methodology, the first step in the risk management process is to identify potential threats to your business's information assets and evaluate the likelihood and impact of each threat.
Prioritise and rank risks: Once you've identified and assessed risks, you should prioritise and rank them based on their severity level. This will help your organisation focus resources appropriately and develop risk mitigation and incident response plans.
Develop risk mitigation and response plans: Your risk mitigation plans should include measures, such as policies, procedures and controls, to reduce the likelihood and impact of risks. Incident response plans should outline the steps your organisation will take should a security incident occur.
Monitor results: An organisation's risk management plan should be regularly updated and improved. This helps you ensure that it remains effective.
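The risk management steps above, worked through as an added example that is not ISMS.online's code: a small risk register that scores each risk as likelihood x impact, ranks the register, bands scores into severity levels and flags any risk above the risk appetite that has not been given a treat, transfer, terminate or tolerate decision. The 1..5 scales, the severity bands and the appetite value are constructed assumptions, not figures from the standard.

```python
# Added example, not ISMS.online's code. A minimal risk register that scores
# each risk as likelihood x impact, ranks it and flags any risk above the risk
# appetite that has no treatment decision (treat, transfer, terminate or tolerate).
# The 1..5 scales, severity bands and appetite are constructed assumptions.
from dataclasses import dataclass, field

TREATMENTS = ("treat", "transfer", "terminate", "tolerate")

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    affects: str                 # C, I or A: the property the threat undermines
    treatment: str = "tolerate"  # default until the business records a decision
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {self.treatment}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def severity(score: int) -> str:
    """Band a 5x5 score into the levels used to prioritise resources."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank(register):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset))

def undecided(register, appetite: int = 7):
    """Risks above the appetite that still sit at the 'tolerate' default."""
    return [r for r in register if r.score > appetite and r.treatment == "tolerate"]

# Constructed sample register for a small business.
REGISTER = [
    Risk("Customer database", "ransomware", 4, 5, "A", "treat", ["offline backups", "EDR"]),
    Risk("Laptops", "theft or loss", 3, 3, "C", "treat", ["full-disk encryption"]),
    Risk("Payment processing", "card data breach", 2, 5, "C", "transfer", ["PCI DSS provider"]),
    Risk("Legacy FTP server", "unauthorised access", 4, 3, "I", "terminate", ["decommission"]),
    Risk("Shared admin account", "credential misuse", 3, 4, "I"),   # no decision yet
    Risk("Guest Wi-Fi", "rogue access point", 2, 2, "C"),           # within appetite
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:2d} {severity(r.score):6s} {r.asset:22s} {r.treatment}")
    print("needs a decision:", [r.asset for r in undecided(REGISTER)])
```

The "needs a decision" list is the output a risk owner reviews before the register is signed off: a high-scoring risk left at the default is a gap in the plan, not an accepted risk.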
3. Define Your Information Security Policies and Procedures
Your information security policies define your organisation's steps to protect its information assets. Procedures provide the steps employees should follow to ensure your policies are implemented and effective.
Key steps for defining your organisation's policies and procedures include:
Review existing policies and procedures: By reviewing existing documentation, you can ensure any existing policies and procedures are still relevant to your business and practical to implement.
Identify relevant information security requirements: Organisations must secure their information according to stringent regulatory and legal requirements, which are often based on their geography or sector.
Develop your policies and procedures: When developing the policies and procedures required to protect your organisation's information, consider the scope of your ISMS, your existing documentation review, and any identified information security requirements.
Communicate policies and procedures internally and train employees: Share policies and procedures with staff and stakeholders. Investing in information security training also ensures everyone in the business is aware of their information security roles and responsibilities.
Regularly review and update your policies and procedures: Continuous improvement is a cornerstone of an ISO 27001-compliant ISMS. Regularly reviewing your policies and procedures ensures your organisation is addressing risks as they arise.
4. Implement Access Control and Authentication Processes
Access control and authentication processes ensure that only authorised individuals can access your organisation's sensitive information and systems and verify user identities.
Steps for implementing access control and authentication processes include:
Develop an access control policy: Your access control policy should outline the principles and rules for controlling access to information assets. It should also specify who is authorised to access information assets and the circumstances in which access is granted.
Select authentication tools: Based on the information assets and users being protected, you should leverage appropriate authentication tools. Common authentication mechanisms include passwords, smart cards, biometrics, and two-factor authentication.
Implement access control systems: Access control systems should be implemented to enforce the access control policy. These systems include technical solutions, like firewalls and intrusion detection systems, and administrative solutions, such as role-based access controls and permissions.
Test and evaluate: Regular testing is vital to ensure your access control and authentication methods are working as expected. This can include penetration testing, security audits, and user acceptance testing.
Continuously monitor and improve: Access control and authentication mechanisms should be monitored and improved to ensure they effectively protect information assets. For example, you can review and update your organisation's access control policy and establish new authentication methods as needed.
5. Protect Against Network and Web-Based Threats
Regular software updates and the implementation of security solutions, such as firewalls, can help mitigate threats like viruses, malware, and hacking attempts.
Firewalls: A firewall acts as a barrier between your organisation's internal and external networks and only allows authorised traffic to pass through. Firewalls can be hardware- or software-based and can be configured to block specific types of traffic.
Anti-virus and anti-malware software: Anti-virus and anti-malware software can detect and remove malware before it infects your network or computers.
Software updates: Keeping your organisation's software up-to-date ensures you are protected against newly discovered vulnerabilities attackers may attempt to exploit.
HTTPS encryption: HTTPS encryption protects the confidentiality and integrity of data passed between a web client and a server. It's crucial to enable HTTPS encryption on all web-based applications, especially those that involve sensitive information, such as passwords or payment information.
Monitor logs: Logs can provide valuable information about potential security incidents, including unauthorised access attempts, and help you quickly respond to threats.
6. Ensure Data Backup and Recovery
Your organisation should have a well-defined backup and recovery plan to ensure that you can restore critical information in the event of data loss.
Regular data backups: To minimise data loss in the event of an incident, your organisation should back up data at daily or weekly intervals. Regular data backups are critical in ensuring data can be recovered should an incident occur.
Store backups offsite: Storing your data backups in a different location helps to protect against data loss in the event of a physical disaster, such as a fire or flood. Consider storing your backups in a secure location like a cloud-based data centre or on physical media that can be stored offsite.
Test backup and recovery procedures: Regularly testing backup and recovery procedures involves restoring data from backups to a test environment and verifying that the data can be accessed and used. This helps to ensure data can be recovered during a disaster.
Document backup and recovery procedures: Documenting backup and recovery procedures ensures each process is repeatable and reliable. Your documentation should include the frequency, type, location, and processes for restoring data from backups.
Choosing a backup solution: When choosing a backup solution, consider factors such as cost, scalability, reliability, and ease of use.
Encrypt backups: Encrypting backups helps your organisation protect against data theft and unauthorised access.
Monitor backup and recovery performance: Monitoring backup and recovery performance ensures that backups and recovery perform as expected. Performance metrics such as backup size, backup time, and restore time should be reported regularly.
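The test-and-monitor steps above as an added example (not ISMS.online's code): a restore drill that backs up a directory to a tar archive, restores it into a separate test location, verifies every file's SHA-256 against the source, and reports the backup size, backup time and restore time metrics the text asks for. Paths and sample files are constructed; encrypting the archive is a separate step not shown here.

```python
# Added example, not ISMS.online's code. A restore drill for the procedure above:
# back up a directory to a tar archive, restore it into a separate test location,
# verify every file's SHA-256 against the source, and report backup size, backup
# time and restore time. Paths and sample files are constructed; encryption of the
# archive is left out to keep the drill itself short.
import hashlib, tarfile, tempfile, time
from pathlib import Path

def digests(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source: Path, archive: Path) -> dict:
    start = time.perf_counter()
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return {"backup_seconds": time.perf_counter() - start,
            "backup_bytes": archive.stat().st_size}

def restore_test(archive: Path, expected: dict) -> dict:
    """Restore into a fresh directory and compare with the source digests."""
    start = time.perf_counter()
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            # refuse unsafe member paths where this Python has the data filter
            tar.extractall(tmp, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        restored = digests(Path(tmp))
    failed = sorted(n for n, h in expected.items() if restored.get(n) != h)
    return {"restore_seconds": time.perf_counter() - start,
            "verified": len(expected) - len(failed), "failed": failed}

def run_drill(source: Path, archive: Path) -> dict:
    expected = digests(source)          # taken before the backup, as the ground truth
    report = back_up(source, archive)
    report.update(restore_test(archive, expected))
    report["ok"] = not report["failed"]
    return report

def demo() -> dict:
    """Constructed drill: a clean restore, then a restore checked against a source
    that changed after the backup, which must show up as a failed file."""
    with tempfile.TemporaryDirectory() as work:
        source, archive = Path(work, "data"), Path(work, "backup.tar.gz")
        (source / "policies").mkdir(parents=True)
        (source / "customers.csv").write_text("id,name\n1,Alice\n")
        (source / "policies" / "access.md").write_text("# Access control policy\n")
        clean = run_drill(source, archive)
        (source / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        stale = restore_test(archive, digests(source))
    return {"clean": clean, "stale": stale}

if __name__ == "__main__":
    print(demo())
```

The second half of the drill is the case a real test should catch: a backup that restores cleanly but no longer matches the live data is evidence that the backup schedule, not the restore procedure, is the gap.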
7. Implement Physical Security Measures
Physical security measures, such as server rooms and access control systems, protect your organisation's sensitive information from theft or damage.
Control access to physical premises: Physical offices or sites should only be accessible to authorised personnel. Consider implementing physical access controls, such as security cameras, key card systems, and biometric authentication.
Securely store sensitive equipment: Sensitive equipment, such as servers, should be stored in secure locations, such as data centres, to protect against theft and unauthorised access.
Secure data centres: Your data centres should be secured against physical and environmental threats like fires and theft. This can be achieved with measures like fire suppression systems, uninterruptible power supplies, and physical security measures.
Implement environmental controls: Consider implementing environmental controls, such as temperature and humidity control, in data centres to ensure that equipment is protected from heat and moisture.
Regularly inspect physical premises: Undertake regular inspections of physical premises, including data centres and equipment rooms. This will detect physical security vulnerabilities and ensure that physical security measures are functioning as required.
Conduct background checks: Conducting background checks on personnel with access to sensitive equipment and data prevents unauthorised access and protects against insider threats.
8. Conduct Employee Security Awareness Training
Employee training and education help drive the success of your ISMS. Your organisation should provide security awareness training to ensure employees understand the importance of information security, how to protect sensitive information, and their own information security responsibilities.
Provide regular security awareness training: Employee security awareness training should be conducted regularly, such as annually or biannually, to ensure employees' knowledge is up to date.
Customise training for different roles: The training you provide should be customised for different roles within your organisation. For example, training for administrators may be more technical, while training for non-technical employees may focus more on safe computing practices and avoiding phishing scams.
Use interactive and engaging methods: Your security awareness training should be interactive and engaging to keep employees interested and motivated. Respondents to our State of Information Security Report shared that learning management platforms (35%), external training providers (32%) and gamification of training and awareness (28%) were the most effective methods of improving employee skills and awareness.
Measure the effectiveness of training: Track the impact of your security awareness training by measuring its effectiveness through pre- and post-training assessments, employee feedback, and incident tracking.
9. Monitor and Review Your ISMS
Monitoring and reviewing your business's ISMS ensures its effectiveness and continuous improvement.
Establish a monitoring and review plan: Your plan should outline the frequency of monitoring and review, the methods used, and the responsibilities of key personnel.
Conduct regular internal audits: Internal audits enable you to identify potential areas for improvement and ensure that your ISMS functions as required.
Review security incidents: Use your incident response procedure to examine incidents, determine the root cause, and identify remedial actions. You should also evaluate the effectiveness of your security controls regularly to ensure that they function as intended and provide the desired level of protection.
Monitor security trends: This information can be used to identify areas for improvement in the ISMS, inform your employee training and education, and ensure that your ISMS is keeping pace with the current security landscape.
Engage stakeholders: Stakeholder feedback can help ensure the ISMS meets the organisation's needs.
Update your ISMS: You should regularly update your ISMS to ensure that it is current and relevant. This may include updating security controls, policies and procedures, and your risk management framework.
10. Continuously Improve Your ISMS
For an ISMS to comply with the ISO 27001 standard, evidence of continuous improvement is required. Whether you choose to attempt certification or simply use the framework as a guide to improving your information security posture, you should assess your information security frequently and make updates and improvements to your ISMS as needed.
When implemented correctly, an ISMS can help drive your organisation's security culture and provide the foundations needed to align with information security best practices and sustainable business growth.
Strengthen Your Information Security Today
By following the roadmap outlined in this guide, your organisation can implement a robust, effective ISMS to protect your information assets and ensure your data's confidentiality, integrity, and availability.
The ISMS.online platform enables a simple, secure and sustainable approach to information security and data privacy with over 100 supported frameworks and standards. Ready to simplify your compliance and secure your data? Book your demo.