Basic Introduction to ISO27001:

Scope, Implementation & Application

Created By Imran Ahmed (ImranahmedIT)

www.imran-ahmed.co.uk
 Introduction
 ISO 27001 is the international standard describing best practice for an Information
Security Management System (ISMS).

 An ISMS is a framework of policies and procedures that includes all legal, physical
and technical controls involved in an organisation's information risk management
processes.

 Being ISO 27001 approved is a certification which shows that the business has
defined and implemented effective Information security processes.
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk
Benefits of ISO27001 – Table (1)
Information Security Issue
With increasing fines for personal
data breaches, organizations need
1 to ensure compliance with
legislative requirements, such as
the UK Data Protection Act
Potential information breach,
2 damaging your reputation
Availability of vital information at
3 all times
How ISO 27001 helps
It provides a framework for the
management of information security
risks, which ensures you take into
account your legal and regulatory
requirements
It requires you to identify risks to
your information and put in place
security measures to manage or
reduce them
It ensures that authorised users have
secure access to information when
they need it
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk
Benefits
• Supports compliance with relevant laws and
regulations
• Reduces likelihood of facing prosecution and
fines
• Can help you gain status as a preferred supplier
• Protects your reputation
• Provides reassurance to clients that their
information is secure
• Cost savings through reduction in incidents
• Demonstrates credibility and trust
• Improves your ability to recover your
operations and continue business as usual
Benefits of ISO27001 – Table (2)
Information Security Issue
Lack of confidence in your
4 organizations ability to manage
information security risks
Difficulty in responding to rising
5 customer expectations in relation
to the security of their information
No awareness of information
6 security within your organization
How ISO 27001 helps
Gives you a framework for identifying
risks to information security and
implementing appropriate
management and technical controls
It provides a way of ensuring that a
common set of policies, procedures
and controls are in place to manage
risks to information security
It ensures senior management
recognize information security as a
priority and that there is clear level of
knowledge from the top level all the
way down
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk
Benefits
• Confidence in your information security
arrangements
• Better visibility of risks amongst interested
stakeholders
• Meet customer and tender requirements
• Reduce third party scrutiny of your information
security requirements
• Get a competitive advantage
• Improved information security awareness
• Shows commitment to information security at
all levels throughout your organization
• Reduces staff-related security breaches
 ISO 27001
ISO 27001 uses a top down, risk-based approach and is technology-
neutral. The specification defines a six-part planning process:

 Define a security policy.

 Define the scope of the ISMS.
 Conduct a risk assessment.
 Manage identified risks.
 Select control objectives and controls to be implemented.
 Prepare a statement of applicability. Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk
 ISO 27002
This standard describes a comprehensive set of information security control objectives and a set of generally
accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment 7. Communications and operations management
2. Security policy 8. Access control
3. Organization of information security 9. Information systems acquisition, development
4. Asset management and maintenance

5. Human resources security 10. Information security incident management

6. Physical and environmental security 11. Business continuity management

12. Compliance
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk
 ISO 27000 Family
Other standards that have also been developed in the 27000 family are:
 27003 – implementation guidance.

 27004 - an information security management measurement standard suggesting metrics to

help improve the effectiveness of an ISMS.

 27005 – an information security risk management standard. (Published in 2008)

 27006 - a guide to the certification or registration process for accredited ISMS certification
or registration bodies. (Published in 2007)

 27007 – ISMS auditing guideline. Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

 Thanks for reading!

Other standards that have also been developed in the 27000 family are:
 If you like to contact me, feel free to head over to my website: www.imran-ahmed.co.uk

 You can also see my other SlideShare presentations

 Alternatively, visit my Blog page

Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk