BSI ISO27001 Implementation Guide


Your Implementation Guide: ISO/IEC 27001

Contents
1. What is ISO/IEC 27001?
2. How ISO/IEC 27001 works and what it delivers for you and your company
3. Key requirements of ISO/IEC 27001
4. Top tips on making ISO/IEC 27001 effective for you
5. Your ISO/IEC 27001 journey
6. BSI Training Academy
7. Getting started with BSI EHS

Your implementation guide to ISO/IEC 27001
1. What is ISO/IEC 27001?
Successful businesses understand the value of timely, accurate information, good communications and confidentiality. Information security is as much about exploiting the opportunities of our interconnected world as it is about risk management.

That’s why organizations need to build resilience around their information security management. Internationally recognized ISO/IEC 27001 is an excellent framework, which helps organizations manage and protect their information assets so that they remain safe and secure.

“ISO/IEC 27001 demonstrates to clients that we have secure data and robust systems.”
– Hugo Holland Bosworth, Group Operations Director, Alternative Networks Plc

At BSI, we have the experience, the experts and the support services to help make
sure you get the most from ISO/IEC 27001, by making you more resilient and
responsive to threats to your information.

This guide shows you how to implement ISO/IEC 27001 in your organization to
build resilience for the long term and safeguard your reputation. We also showcase
our additional support services, which help you not only achieve compliance, but
continue to reduce risk and protect your business.

2. How ISO/IEC 27001 works and what it delivers for you and your company
The ability to manage information safely and securely has never been more important. ISO/IEC 27001 not only helps protect your business, it also sends a clear signal to customers, suppliers and the marketplace that your organization has the ability to handle information securely.

ISO/IEC 27001 is a robust framework that helps you protect information such as financial data, intellectual property or sensitive customer information. It helps you identify risks and puts in place security measures that are right for your business, so you can manage or reduce risks to your information. It helps you to continually review and refine the way you do this, not only for today, but also for the future. That’s how ISO/IEC 27001 protects your business, your reputation and adds value.

“It helped the team understand the threats and vulnerabilities that exist in today’s environment and proactively control them. It has led to a greater awareness, vigilance and enthusiasm for information security.”
– Mr. Tareq Al-Sahaf, General Manager, Gulf Insurance Group K.S.C (GIG)

Benefits of ISO/IEC 27001:2013*
75% reduces business risk
80% inspire trust in our business
71% helps protect our business
55% helps us comply with regulations
53% increases our competitive edge
50% reduces likelihood of mistakes

*Source – BSI voice of the customer 2012-2016

How ISO/IEC 27001 works
The latest version of ISO/IEC 27001 was published in 2013 to help maintain its relevance to the challenges of modern day business and ensure it is aligned with the principles of risk management contained in ISO 31000. It’s based on the high level structure (Annex SL), which is a common framework for all revised and future ISO management system standards, including ISO 9001:2015 and ISO 14001:2015.

Annex SL helps keep consistency, align different management system standards, offer matching sub-clauses against the top level structure and apply a common language. It compels organizations to incorporate their Information Security Management System (ISMS) into core business processes, make efficiencies and get more involvement from senior management.

Some of the core concepts of ISO/IEC 27001:2013 are:

Concept: Comment

Context of the organization: Consider the combination of internal and external factors and conditions that can affect the organization’s information.

Issues, risks and opportunities: Issues can be internal or external, positive or negative and include conditions that affect the confidentiality, integrity and availability of an organization’s information. Risks are defined as the “effect of uncertainty on an expected result”.

Interested parties: A person or entity that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Examples include suppliers, customers or competitors.

Leadership: Requirements specific to top management who are defined as a person or group of people who directs and controls an organization at the highest level.

Risk associated with threats and opportunities: Refined planning process replaces preventive action and is defined as the “effect of uncertainty on an expected result”.

Communication: The standard contains explicit and detailed requirements for both internal and external communications.

Documented information: The meaningful data or information you control or maintain to support your ISMS.

Performance evaluation: The measurement of the ISMS and risk treatment plan effectiveness.

Risk owner: The person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

Risk treatment plan: A risk modification plan which involves selecting and implementing one or more treatment options against a risk.

Controls: Any administrative, managerial, technical or legal method that is used to modify or manage an information security risk. They can include things like practices, processes, policies, procedures, programs, tools, techniques, technologies, devices and organizational structures. They are determined during the process of risk treatment.

Continual improvement: Methodologies other than Plan-Do-Check-Act (PDCA) may be used.


3. Key requirements of ISO/IEC 27001

Clause 1: Scope
The first clause details the scope of the standard.

Clause 2: Normative references
All the normative references are contained in ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, which is referenced and provides valuable guidance.

Clause 3: Terms and definitions
Please refer to the terms and definitions contained in ISO/IEC 27000. This is an important document to read.

Clause 4: Context of the organization
This is the clause that establishes the context of the organization and the effects on the ISMS. Much of the rest of the standard relates to this clause.

The starting point is to identify all external and internal issues relevant to your organization and your information or information that is entrusted to you by 3rd parties. Then you need to establish all “interested parties” and stakeholders as well as how they are relevant to the information. You will need to identify requirements for interested parties, which could include legal, regulatory and/or contractual obligations. You’ll also need to consider important topics such as any market assurance and governance goals.

You will be required to decide on the scope of your ISMS, which needs to link with the strategic direction of your organization, core objectives and the requirements of interested parties.

Finally, you’ll need to show how you establish, implement, maintain and continually improve the ISMS in relation to the standard.

Clause 5: Leadership
This clause is all about the role of “top management,” which is the group of people who direct and control your organization at the highest level. They will need to demonstrate leadership and commitment by leading from the top.

Top management needs to establish the ISMS and information security policy, ensuring it is compatible with the strategic direction of the organization. They also need to make sure that these are made available, communicated, maintained and understood by all parties.

Top management must ensure that the ISMS is continually improved and that direction and support are given. They can assign ISMS relevant responsibilities and authorities, but ultimately they remain accountable.

Clause 6: Planning
This clause outlines how an organization plans actions to address risks and opportunities to information.

It focuses on how an organization deals with information security risk and needs to be proportionate to the potential impact they have. ISO 31000, the international standard for risk management, contains valuable guidance. Organizations are also required to produce a “Statement of Applicability” (SoA). The SoA provides a summary of the decisions an organization has taken regarding risk treatment, the control objectives and controls you have included and those you have excluded, and why you have decided to include and exclude the controls in the SoA.

Another key area of this clause is the need to establish information security objectives and the standard defines the properties that information security objectives must have.

Clause 7: Support
This section of ISO/IEC 27001 is all about getting the right resources, the right people and the right infrastructure in place to establish, implement, maintain and continually improve the ISMS.

It deals with requirements for competence, awareness and communications to support the ISMS and it could include making training and personnel available, for example.

This clause also requires all personnel working under an organization’s control to be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming.

The organization also needs to ensure that internal and external communications relevant to information security and the ISMS are appropriately communicated. This includes identifying what needs to be communicated to whom, when and how this is delivered.

It’s in this clause that the term “documented information” is referenced. Organizations need to determine the level of documented information that’s necessary to control the ISMS. There is also an emphasis on controlling access to documented information, which reflects the importance of information security.

Clause 8: Operation
This clause is all about the execution of the plans and processes that are the subject of previous clauses.

It deals with the execution of the actions determined and the achievement of the information security objectives. In recognition of the increased use of outsourced functions in today’s business world, these processes also need to be identified and controlled. Any changes, whether planned or unintended, need to be considered here and the consequences of these on the ISMS.

It also deals with the performance of information security risk assessments at planned intervals, and the need for documented information to be retained to record the results of these.

Finally, there is a section that deals with the implementation of the risk treatment plan, and again, the need for the results of these to be retained in documented information.

Clause 9: Performance evaluation
This clause is all about monitoring, measuring, analyzing and evaluating your ISMS to ensure that it is effective and remains so. This clause helps organizations to continually assess how they are performing in relation to the objectives of the standard to continually improve.

You will need to consider what information you need to evaluate the information security effectiveness, the methods employed and when it should be analyzed and reported.

Internal audits will need to be carried out as well as management reviews. Both of these must be performed at planned intervals and the findings will need to be retained as documented information.

It should be noted that management reviews are also an opportunity to identify areas for improvement.

Clause 10: Improvement
This part of the standard is concerned with corrective action requirements. You will need to show how you react to nonconformities, take action, correct them and deal with the consequences. You’ll also need to show whether any similar nonconformities exist or could potentially occur and show how you will eliminate the causes of them so they do not occur elsewhere.

There is also a requirement to show continual improvement of the ISMS, including demonstrating the suitability and adequacy of it and how effective it is. However you do this is up to you.

ISO/IEC 27001 also includes Annex A which outlines 114 controls to help protect information in a variety of areas across the organization. ISO/IEC 27002 also provides best practice guidance and acts as a valuable reference for choosing as well as excluding which controls are best suited for your organization.
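Clauses 6, 8 and 9 above describe a chain of records: each risk has an accountable risk owner and a treatment decision, the treatment plan selects controls, and the Statement of Applicability records every control as included or excluded with a justification. The following Python script is an added illustration, not BSI's or the standard's own code: it runs a handful of consistency checks over constructed sample records (the risk and control identifiers such as R-01 and CTL-ENC are placeholders, not Annex A control numbers, and the four treatment option labels are an assumption about how the register is kept) and reports where the records contradict one another, which is the kind of evidence an internal audit under Clause 9 would look for.

```python
"""Consistency checks across a risk register, its treatment decisions and a
Statement of Applicability (SoA).

Added illustration, not BSI's or ISO/IEC 27001's own code. All records below
are constructed sample data; risk and control identifiers (R-01, CTL-ENC, ...)
are placeholders, not Annex A control numbers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the register labels risk treatment options with these four words
VALID_TREATMENTS = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                 # accountable risk owner; must not be empty
    treatment: str             # one of VALID_TREATMENTS
    controls: list[str] = field(default_factory=list)  # controls selected to treat the risk


@dataclass
class SoAEntry:
    control_id: str
    included: bool             # included in or excluded from the ISMS
    justification: str         # why it was included or excluded


def check_isms_records(risks: list[Risk], soa: list[SoAEntry]) -> list[str]:
    """Return human-readable findings; an empty list means the records agree."""
    findings: list[str] = []
    soa_by_id = {entry.control_id: entry for entry in soa}
    referenced: set[str] = set()

    for risk in risks:
        if not risk.owner.strip():
            findings.append(f"{risk.risk_id}: no risk owner assigned")
        if risk.treatment not in VALID_TREATMENTS:
            findings.append(f"{risk.risk_id}: unknown treatment option '{risk.treatment}'")
        if risk.treatment == "modify" and not risk.controls:
            findings.append(f"{risk.risk_id}: treatment 'modify' but no controls selected")
        for control_id in risk.controls:
            referenced.add(control_id)
            entry = soa_by_id.get(control_id)
            if entry is None:
                findings.append(f"{risk.risk_id}: control {control_id} is not listed in the SoA")
            elif not entry.included:
                findings.append(
                    f"{risk.risk_id}: control {control_id} is excluded in the SoA but selected for treatment"
                )

    for entry in soa:
        if not entry.justification.strip():
            kind = "inclusion" if entry.included else "exclusion"
            findings.append(f"SoA {entry.control_id}: no justification for {kind}")
        if entry.included and entry.control_id not in referenced:
            # Not necessarily wrong: a control may be driven by a legal or
            # contractual requirement rather than a risk, so flag it for review
            findings.append(
                f"SoA {entry.control_id}: included but not selected by any risk treatment (confirm justification)"
            )
    return findings


# Constructed sample records, deliberately containing several inconsistencies
SAMPLE_RISKS = [
    Risk("R-01", "Customer data on a stolen laptop", "Head of IT", "modify", ["CTL-ENC", "CTL-MDM"]),
    Risk("R-02", "Supplier outage affecting the payroll service", "", "share", ["CTL-SUPPLIER"]),
    Risk("R-03", "Phishing leading to credential theft", "CISO", "modify", []),
    Risk("R-04", "Unpatched legacy application on an isolated network", "Head of IT", "retain", []),
]

SAMPLE_SOA = [
    SoAEntry("CTL-ENC", True, "Laptops leave the premises; full-disk encryption treats R-01"),
    SoAEntry("CTL-MDM", False, "No mobile devices in scope"),
    SoAEntry("CTL-SUPPLIER", True, ""),
    SoAEntry("CTL-LOG", True, "Required by a customer contract"),
]


def sample_findings() -> list[str]:
    """Run the checks over the constructed sample records."""
    return check_isms_records(SAMPLE_RISKS, SAMPLE_SOA)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run as a script it lists five findings for the sample data: a control selected for R-01 that the SoA excludes, a risk with no owner, a "modify" decision with no controls behind it, an included control with no justification, and an included control that no risk treatment selected. The last check is a review prompt rather than a nonconformity, since the page notes that controls may also be chosen for legal, regulatory or contractual reasons.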
4. Top tips on making ISO/IEC 27001 effective for you
Every year we help tens of thousands of clients. Here are their top tips.

Top management commitment is key to making implementation of ISO/IEC 27001 a success. They need to be actively involved and approve the resources required.
“The earlier that organizations talk to senior managers, the better it will go for them so have those discussions early.”
– John Scott, Overbury, leading UK fit-out and refurbishment business

Think about how different departments work together to avoid silos. Make sure the organization works as a team for the benefit of customers and the organization.
“The key to implementing the standard lies in getting staff to think about the information security as an integral part of the daily business and not as an additional burden.”
– Mr. Thamer Ibrahim Ali Arab, Assistant General Manager IT

Review systems, policies, procedures and processes you have in place – you may already do much of what’s in the standard – and make it work for your business. You shouldn’t be doing something just for the sake of the standard.
“Don’t try and change your business to fit the standard. Think about how you do things and how that standard reflects on how you do it, rather than the other way around.”
– Paul Brazier, Commercial Director, Overbury

Speak to your customers and suppliers. They may be able to suggest improvements and give feedback on your service.
“This certification allows us to go one step further by offering our customers the peace of mind that we have the best controls in place to identify and reduce any risks to confidential information.”
– Jitesh Bavisi, Director of Compliance, Exponential-e

Train your staff to carry out internal audits of the system. This can help with their understanding, but it could also provide valuable feedback on potential problems or opportunities for achievement.
“The course was loaded with practical exercises and real-case scenarios and was structured in a way that it encouraged participants to be interactive and share their experiences in information security.”
– Nataliya Stephenson, Manager, Information Security, NSW Attorney General’s Department

And finally, when you gain certification, celebrate your achievement and use the BSI Assurance Mark on your literature, website and promotional material.
5. Your ISO/IEC 27001 journey
Whether you’re new to information security management or looking to enhance your current system, we have the right resources and training courses to help you understand and implement ISO/IEC 27001. We can help make sure your system keeps on delivering the best for your business.

Understand and prepare
You need to:
• Buy the standard and read it; understand the content, your requirements and how it will improve your business
• Contact us; we can propose a solution tailored to your organization’s needs
We help you:
• Discover information on our website, including case studies, whitepapers and webinars: visit bsiamerica.com
• BSI ISO/IEC 27001:2013 Requirements training
• Download self-assessment checklist

See how ready you are
You need to:
• Ensure your organization understands the principles of ISO/IEC 27001 and the roles individuals will need to play
• Review your activities and processes against the standard
We help you:
• BSI ISO 27001:2013 Implementation training course
• Schedule a BSI gap assessment to see where you are
• BSI Business Improvement Software can support ISO/IEC 27001 implementation

Review and get certified
You need to:
• Contact us to schedule your certification assessment
• We will then carry out system and document assessments (a 2 stage process). The length of this may depend on the size of your organization
We help you:
• BSI ISO/IEC 27001:2013 Internal and Lead Auditor training
• BSI Business Improvement Software helps ISO/IEC 27001 implementation
• Your BSI certification assessment

Continually improve and make excellence a habit
Your journey doesn’t stop with certification. We can help you to fine-tune your organization so it performs at its best.
• Celebrate and promote your success – download and use the BSI Assurance Mark to show you are certified.
• BSI ISO/IEC 27001 Lead Auditor qualification can help advance your auditing skills.
• BSI Business Improvement Software will help you to manage systems and drive performance.
• Your BSI Client Manager will visit you regularly to make sure you remain compliant and support your continual improvement.
• Consider integrating other management system standards to maximize business benefits.
6. BSI Training Academy
Boost your knowledge with our expertise: BSI has a comprehensive range of training courses to support implementation of ISO/IEC 27001 and helps build the skills in your organization. Our expert instructors can transfer the knowledge, skills and tools your people need to embed the standards of excellence into your organization. What’s more, the accelerated learning techniques applied in our courses will help make sure that what you learn stays with you.

Courses that help you understand ISO/IEC 27001 include:

BSI ISO/IEC 27001:2013 Requirements (TPECS)
• 2-day classroom-based training course
• Learn about the structure and key requirements of ISO/IEC 27001:2013
• Essential for anyone involved in the planning, implementing, maintaining, supervising or auditing of an ISO/IEC 27001:2013 ISMS

ISO/IEC 27001:2013 Internal Auditor (TPECS)
• 3 day classroom-based training course
• Learn how to initiate an audit, prepare and conduct audit activities, compile and distribute audit reports and complete follow-up activities
• Ideal for anyone involved in auditing, maintaining or supervising an ISO/IEC 27001:2013 ISMS

BSI ISO/IEC 27001:2013 Implementation
• 2 day classroom-based training course
• Discover the stages of implementation and how to apply a typical framework for implementing ISO/IEC 27001
• Recommended for anyone involved in planning, implementing, maintaining, supervising or auditing of an ISO/IEC 27001 ISMS

ISO/IEC 27001:2013 Lead Auditor (TPECS)
• 4 day classroom-based training course
• Gain the skills and understanding required to lead and successfully undertake a successful management system audit
• Recommended for anyone involved in auditing, maintaining or supervising an ISO/IEC 27001:2013 ISMS

ISO/IEC 27001:2013 Lead Implementer
• 5 day classroom-based training course
• Learn and understand the tools and methodologies to lead an ISO/IEC 27001 implementation
• Recommended for anyone involved in planning, implementing, maintaining, supervising or auditing of an ISO/IEC 27001 ISMS
7. BSI Business Improvement Software
Accelerate implementation time and deliver continual improvements

The decision to implement a new management system standard is a huge opportunity to drive business improvement, but initiating, implementing and maintaining this can also be a challenge. Ensuring you get the most from your investment is a key driver to your future success.

BSI business improvement software provides a solution that can significantly reduce the cost and effort to implement an effective management system, such as ISO/IEC 27001. It can be configured to the requirements of ISO/IEC 27001 and provide your organization with the tools necessary to manage essential elements of ISO/IEC 27001 across your organization. The start of your ISO/IEC 27001 journey is an ideal time to implement BSI business improvement software and sustain the standard successfully.

It can help you to:
• Accelerate implementation time by up to 50%
• Manage your document control effectively
• Provide company-wide visibility on implementation of the standard, so you know exactly where you are at any one time
• Easily and accurately input actions related to audits, incidents/events, risk and performance
• Gain early insight through its customizable dashboards and reporting tools and allow you to quickly see the trends that can help you make business decisions early on and drive improvement

“The savings are the costs you avoid because you could not see what was happening at the facility level.”
Why BSI?
BSI has been at the forefront of ISO/IEC 27001 since the start.
Originally based on BS 7799, developed by BSI in 1995, we’ve been
involved in its development and the ISO technical committee ever
since. That’s why we’re best placed to help you understand the
standard.

At BSI, we create excellence by driving the success of our clients through standards. We help organizations to embed resilience, helping them to grow sustainably, adapt to change and prosper for the long term. We make excellence a habit.

For over a century our experts have been challenging mediocrity and complacency to help embed excellence into the way people and products work. With 80,000 clients in 182 countries, BSI is an organization whose standards inspire excellence across the globe.

Our products and services

We provide a unique combination of complementary products and services, managed through our three business streams: Knowledge, Assurance and Compliance.

Knowledge
The core of our business centers on the knowledge that we create and impart to our clients. In the standards arena, we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world’s top 10 management system standards.

Assurance
Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of our standards.

Compliance
To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard, so that it becomes an embedded habit. We provide consultancy services and differentiated management tools to facilitate this process.

Find out more
Call 1 800 862 4977
Email inquiry.msamericas@bsigroup.com
bsigroup.com/en-us

© The British Standards Institution 2013