ISO/IEC 27001 – Information Security Management

The international standard for information security

What is ISO 27001 information security management?

ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system).

ISO 27001’s best-practice approach helps organisations manage their information security by addressing people, processes and technology.

Certification to the ISO 27001 standard is recognised worldwide to indicate that your ISMS is aligned with information security best practices.

Part of the ISO 27000 series, ISO 27001 sets out a framework for organisations to establish, implement, operate, monitor, review, maintain and continually improve an ISMS.

What is an ISMS?

An ISMS takes a systematic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets.

An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes and technology.

An ISMS is an efficient way to keep information assets secure, based on regular risk assessments and technology- and vendor-neutral approaches.

You can build your ISO 27001 ISMS using our ISO 27001 Toolkit. It includes all the pre-written policies, procedures and templates you need.

ISO 27001 has changed

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations certified to ISO/IEC 27001:2013 have three years to update their ISMS.

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, visit ISO 27001 and ISO 27002:2022 updates.

Speak to an ISO 27001 expert

Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard. Throughout your project, we can support you, from carrying out an initial gap analysis to choosing a certification body. Speak to one of our experts for more information on how we can help you.

Contact us

ISO 27001 benefits

ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.

Implementing the Standard helps you meet the requirements of laws such as the UK and EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. It also helps reduce the costs associated with data breaches.

Protect your data, wherever it is

Protect all forms of information, whether digital, hard copy or in the Cloud.

Increase your attack resilience

Increase your organisation’s resilience to cyber attacks.

Reduce information security costs

Implement only the security controls you need, helping you get the most out of your budget.

Respond to evolving security threats

Constantly adapt to changes both in the environment and inside the organisation.

Improve company culture

An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security as part of their everyday working practices.

Meet contractual obligations

Certification demonstrates your organisation’s commitment to data security and provides a valuable credential when tendering for new business.

Learn more about the benefits of certification

Learn more about
the key features of ISO 27001

Download free reports, brochures, infographics and papers on ISO 27001 and how to implement an ISMS.

View free
ISO 27001 resources

Get certified to
ISO 27001

Understand ISO 27001 accreditation and achieve certification with a range of solutions to support your project.

Get started with ISO 27001 certification

Achieve an ISO 27001 qualification

Gain industry-leading qualifications and the practical skills to implement and audit an ISO 27001-compliant ISMS.


View ISO 27001 training and qualifications

Simplify your ISO 27001 project

Achieve ISO 27001 certification quickly and hassle-free with our DIY packages, internal audits, managed services, and more.

Shop for ISO 27001

How to achieve ISO 27001 compliance

Implementing an ISMS involves:

  • Scoping the project.
  • Securing management commitment and adequate resources;
  • Identifying interested parties and applicable legal and contractual requirements;
  • Conducting a risk assessment;
  • Selecting and implementing the required controls;
  • Developing internal competence to manage the project;
  • Developing the appropriate documentation;
  • Conducting staff awareness training;
  • Continually measuring, monitoring, reviewing and auditing the ISMS; and
  • Implementing the necessary corrective and preventive actions.

Discover our ISO 27001 implementation checklist and our nine-step approach to implementing an ISMS in our bestselling guide.

ISO 27001 and risk management

Risk management forms the cornerstone of an ISMS. All ISMS projects rely on regular information security risk assessments to determine which security controls to implement and maintain.

The Standard defines its requirements for the risk management process, including risk assessment and treatment, in Clause 6.1.

ISO 27001 clauses and controls

The Standard has ten management system clauses. Together with Annex A, which lists 114 information security controls, they support the implementation and maintenance of an ISMS.

  1. Scope 
  2. Normative references 
  3. Terms and definitions 
  4. Context of the organization
  5. Leadership
  1. Planning 
  2. Support 
  3. Operations 
  4. Performance evaluation
  5. Improvement

Download the ISO 27001 management system clauses infographic

What is ISO 27001?

Download your free guide to ISO 27001

Learn more about how ISO 27001 works, some of its key implementation points, and the benefits of implementing an ISMS and achieving certification to the Standard in this free green paper.

Download now

Demonstrating GDPR compliance with ISO 27001 and ISO 27701

Like all ISO management system standards, ISO 27001 follows Annex SL. This common high-level structure makes implementing integrated management systems that conform to multiple standards easier.

For instance, an ISO 22301-compliant BCMS (business continuity management system) could share components with an ISO 27001-compliant ISMS.

ISO 27701 is an extension to ISO 27001, expanding its requirements to cover privacy management. This includes the processing of personal data or PII (personally identifiable information).

Implementing an integrated ISMS and ISO 27701-compliant PIMS (privacy information management system) will help you meet the GDPR’s requirements for managing, processing and protecting personal data.

Learn more about ISO 27701

How IT Governance can help you get ISO 27001 certified

  • Our implementation methodology has been honed for more than 15 years.
  • We are the global authority on ISO 27001. Our management team led the world’s first certification project when the Standard was known as BS 7799.
  • We offer everything you need to implement an ISMS – you don’t need to go anywhere else.
  • We guarantee certification (provided you follow our advice!).
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
  • We’ve helped more than 800 consultancy clients achieve certification and compliance with ISO 27001.
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter your organisation’s size or nature.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • We can help small businesses prepare for certification in just three months.

Ready to simplify your security? Let’s get started.

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.

This website uses cookies. View our cookie policy
SAVE 10%