ISO Frequently Asked Questions

The International Organization for Standardization (ISO) has developed the ISO 27001 Standard to be widely applicable for many purposes, including:

• Assist organizations in formulating information security requirements and objectives
• Assist organizations in ensuring that security risks are cost effectively managed
• Assist organizations in complying with laws and regulations
• Provide organizations with a process framework for the implementation and management of controls to meet security objectives
• Assist in the definition of new information security management processes
• Assist in the identification and clarification of existing information security management processes
• For use by management of organizations to determine the status of information security management activities
• For use by internal and external auditors to determine the degree of compliance with information security policies, directives, and standards adopted by an organization
• For use by organizations in providing relevant information about information security policies, directives, standards, and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
• Assist in the implementation of business-enabling information security
• For use by organizations in providing relevant information about information security to internal and external stakeholders

Unlike many other information security standards, ISO 27001 can be used to provide a security framework in a wide range of organizations — from small, medium, or large enterprises, and for most commercial and industrial market sectors.

It is commonly used in finance and insurance, telecommunications, healthcare, utilities, retail and manufacturing sectors, various service industries, transportation sectors, government, and many others.

ISO/IEC 27001:2013 specifies the processes to enable a business to establish, implement, review, monitor, manage, and maintain an effective Information Security Management System (ISMS), which is the organization-defined framework for information security.

A company may decide to seek formal certification of its ISMS for many reasons, including:

• Contractual or regulatory requirements
• Meet customer preferences or requirements
• As an extension of a risk management program
• Help motivate staff by setting clear information security goals

At the heart of ISO 27001 is the development of an Information Security Management System (ISMS) within the organization.

The organization should define the scope of its ISMS in relation to its business needs, the structure of the organization, its location, its information assets, and its technologies. The ISMS can be as small or as large as the organization wants to design it, it can cover a small part or an organization, or the entire organization, as long as however the scope is defined, all of the requirements of the ISO 27001 Standard are applied and operational within the ISMS.

The design and implementation of the organization’s ISMS will be influenced by its business and security objectives, its security risks and control requirements, the processes employed, and the size and structure of the organization.

Additional considerations when thinking through the scope and design of the ISMS include:

• The design and adoption of an ISMS should be a strategic decision involving top management down within the organization. It is not exclusively an IT decision.
• The ISMS will evolve systematically in response to changing risks.
• Areas outside the ISMS by definition are inherently less trustworthy, hence additional security controls may be needed for any business processes passing information across the boundary.
• Compliance with ISO 27001 can be formally assessed and certified by a qualified certification body such as BARR Certifications.
• A formally certified ISMS builds confidence in the organization’s approach to information security management among stakeholders, both internal and external.