ISO 27001 is an international standard for establishing an information security management system (ISMS), providing a framework for managing information risk and ensuring compliance with legal requirements. The certification enhances organizational credibility, helps protect against data breaches, and fosters confidence in information security practices. The document also outlines related standards, including ISO 27002, which details best practices for security controls.

1. Basic Introduction to ISO27001:
Scope, Implementation & Application
Created By Imran Ahmed (ImranahmedIT)
www.imran-ahmed.co.uk

2. Introduction
 ISO 27001 is the international standard describing best practice for an Information
Security Management System (ISMS).
 An ISMS is a framework of policies and procedures that includes all legal, physical
and technical controls involved in an organisation's information risk management
processes.
 Being ISO 27001 approved is a certification which shows that the business has
defined and implemented effective Information security processes.
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

3. Benefits of ISO27001 – Table (1)
Information Security Issue How ISO 27001 helps Benefits
1
With increasing fines for personal
data breaches, organizations need
to ensure compliance with
legislative requirements, such as
the UK Data Protection Act
It provides a framework for the
management of information security
risks, which ensures you take into
account your legal and regulatory
requirements
• Supports compliance with relevant laws and
regulations
• Reduces likelihood of facing prosecution and
fines
• Can help you gain status as a preferred supplier
2
Potential information breach,
damaging your reputation
It requires you to identify risks to
your information and put in place
security measures to manage or
reduce them
• Protects your reputation
• Provides reassurance to clients that their
information is secure
• Cost savings through reduction in incidents
3
Availability of vital information at
all times
It ensures that authorised users have
secure access to information when
they need it
• Demonstrates credibility and trust
• Improves your ability to recover your
operations and continue business as usual
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

4. Benefits of ISO27001 – Table (2)
Information Security Issue How ISO 27001 helps Benefits
4
Lack of confidence in your
organizations ability to manage
information security risks
Gives you a framework for identifying
risks to information security and
implementing appropriate
management and technical controls
• Confidence in your information security
arrangements
• Better visibility of risks amongst interested
stakeholders
5
Difficulty in responding to rising
customer expectations in relation
to the security of their information
It provides a way of ensuring that a
common set of policies, procedures
and controls are in place to manage
risks to information security
• Meet customer and tender requirements
• Reduce third party scrutiny of your information
security requirements
• Get a competitive advantage
6
No awareness of information
security within your organization
It ensures senior management
recognize information security as a
priority and that there is clear level of
knowledge from the top level all the
way down
• Improved information security awareness
• Shows commitment to information security at
all levels throughout your organization
• Reduces staff-related security breaches
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

5. ISO 27001
ISO 27001 uses a top down, risk-based approach and is technology-
neutral. The specification defines a six-part planning process:
 Define a security policy.
 Define the scope of the ISMS.
 Conduct a risk assessment.
 Manage identified risks.
 Select control objectives and controls to be implemented.
 Prepare a statement of applicability. Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

6. ISO 27002
This standard describes a comprehensive set of information security control objectives and a set of generally
accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development
and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

7. ISO 27000 Family
Other standards that have also been developed in the 27000 family are:
 27003 – implementation guidance.
 27004 - an information security management measurement standard suggesting metrics to
help improve the effectiveness of an ISMS.
 27005 – an information security risk management standard. (Published in 2008)
 27006 - a guide to the certification or registration process for accredited ISMS certification
or registration bodies. (Published in 2007)
 27007 – ISMS auditing guideline. Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

8. Thanks for reading!
Other standards that have also been developed in the 27000 family are:
 If you like to contact me, feel free to head over to my website: www.imran-ahmed.co.uk
 You can also see my other SlideShare presentations
 Alternatively, visit my Blog page
Created by Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk