NQA Your Complete Guide to ISO 27001

1. YOUR COMPLETE
GUIDE TO ISO 27001
9043,000
TRANSPARENT
*

2. The 27000 series of certifications cover a variety of information
security. You can optimise your time and energy by focusing on
just ISO 27001, arguably the best-known and top preparation
standard designed to protect your network through an
information security management system (ISMS).
ISO 27001 is recognised internationally and is appropriate for
any company. You’ll see ISO certifications for non-profits, major
corporations, boutique security firms, small e-tailers and even
state and federal organisations. The standard comes from the
ISO and IEC, two organisations who have made a name in
standardisation as well as information security.
Conservatively estimated, cyber threats cost the global economy
$375 billion in losses each year. Some put the cost as high as
$575 billion.
You take threats seriously and ISO 27001 is the smart way to
let others know. Learn how to store data securely, examine new
risks and create a culture that minimises risk by seeking
ISO 27001 certification.
Why Isn’t There a List to Follow?
ISO standards work this way because no single list works for
every company — or even every division. Your organisation
likely has some departments that generate new customer
information every day, while others add employee information
only once a month. Extending protection to both of these on
the same schedule would either leave customer information
vulnerable for extended periods of time or cause your HR
department to continuously perform work it didn’t need.
You don’t get a list, but you do get a mindset. You’ll be taught
how to approach risk management around the availability of
data on your network and how to implement security for it.
You’ll learn how to perceive threats, find out existing risks and
systematically address them.
You can follow the process for the rest of your career and you’ll
learn how to expand it beyond departments. For example,
a solid list would likely focus on your IT department and on
protecting data as it enters your systems. A framework like
ISO 27001 expands protection to new areas such as the legal
risks of sharing information so you avoid improper sharing
through policy instead of a firewall.
So What Do You Do With ISO 27001?
What you need to do with the security standard is become
certified. Certification — and don’t worry, we’ll help you find the
best place to get certified in a later chapter — simply means that
an independent organisation will look over your processes to
verify that you’ve properly implemented the ISO 27001 standard.
Once you’re found to be compliant, you’ll get a certification
that you can display on your website, marketing materials and
elsewhere.
To give you a thorough understanding of the ISO 27001
standard, let’s review some basics about its creation, special
requirements for the standard and the fundamentals of the
standard itself. To start, read the background that you can
benefit from right away.
ISO 27001 is an information security management standard that proves an organisation
has structured its IT to effectively manage its risks.
When your company displays the ISO 27001, your customers will know that you have
policies in place to protect their information from today’s big threats.
What is ISO 27001?
The ISO 27001 standard has become the most popular
information security standard in the world with hundreds
of thousands of companies acquiring certification. The
standard is routinely updated to ensure that it teaches
companies how to protect themselves and mitigate risks
against today’s current threats.
These threats are among those the
ISO 27001 helps you plan for:
• Cybercrime
• Data vandalism
• Errors related to integration with unprotected
partnerships or warehouses
• Internal data theft
• Loss of data due to misuse or malfeasance
• Misuse of information
• Network breaches through third-party
connections
• Personal data breaches
• State-sanctioned cyber attacks
• Terrorists attacks
• Theft
• Viral attacks
Think of the security protocol as a mindset. ISO 27001
doesn’t give you a step-by-step guide to protecting
assets. Instead, it provides you with a framework to apply
to any threats or risks you face. This means it can be
tough to implement at first, but proper training will keep
your organisation safe for a long time.

3. About the ISO and IEC
The ISO 27001 certification comes from the ISO (the
International Organisation for Standardisation) and IEC (the
International Electrotechnical Commission).
Both organisations came together to create a special system
that builds worldwide standardisation. The ISO and IEC have
members from all over the globe who participate in standards
development. ISO/IEC standards have become the preferred
credentials for manufacturers, IT companies and customers
across the globe.
Currently, ISO has published more than 19,500 standards
covering technology and manufacturing.
Understanding Information Security
Management Systems (ISMS)
Information security management systems (ISMS) are a
fundamental part of the ISO 27001 because you’ll use the
standard to establish and maintain this system. A good ISMS
involves a systemic response to new risks, allowing it to grow
and change alongside your business.
Every information asset must be covered by your ISMS and
you’ll need to run checks whenever a new device or data set is
added. The ISO/IEC standards recommend you follow a
Plan-Do-Check-Act methodology to maintain your ISMS. The
ISO 27001 will give you the framework to follow the
methodology:
• Plan: Design an ISMS workflow to assess threats and
determine controls.
• Do: Implement the plan.
• Check: Review the implementation and evaluate its
effectiveness.
• Act: Make any needed changes to improve the effectiveness
of your program.
One essential piece of the ISMS is that you’re only being taught
a method. ISO 27001 certification will give you the starting point
that can keep your company safe. However, you can add to that
as you wish. Some practitioners will layer a Six Sigmas DMAIC
approach as well, in order to meet other requirements they may
have.
Obtaining ISO 27001 empowers you to create and implement
the best ISMS for your company. Adapt, adopt and grow at the
scale that’s perfect for you.
Why You Need
ISO 27001 Certification
Securing ISO 27001 certification will show your
employees and your customers that you can be trusted
with their information. In some industries, companies
will not select IT partners who do not have ISO 27001
certifications and it is often a requirement of federal or
governmental data-related contracts.
The chief benefit of ISO 27001 is that it gives you a
reputation for being a safe and secure partner. You won’t
be seen as a potential threat to business from either
internal or external problems. Many companies have
found that ISO 27001 certification has led to an increase
in profits and influx in new business. Some even report
that ISO 27001 can reduce their operational expenses
by introducing review processes into their business
management.
Some of the benefits your organisation can expect when
you introduce cybersecurity protections visible to your
team and your clients include:
Ability to differentiate your service from competitors:
• Recognised framework for addressing legal
requirements to avoid penalties or fees
• Established company culture that is threat-aware
• Fewer intrusions, threats and employee intrusions
• Optimised IT asset usage to protect against threats
• Safety policies to ensure growth is sustainable and
secure
• Proactive approach to managing your IT assets and
your reputation
• Improved opportunities across multiple business
sectors
• Cyber threats are on the minds of everyone. By
showing the world that you’re prepared for threats, you
can boost your business and potentially send malicious
attacks elsewhere.

4. Get Your Management’s Approval
One of the key differences of the ISO 27001 standard compared
to most other security standards is that you’ll struggle with and
potentially fail certification if your management is not working
with you.
Adopting an ISMS isn’t an IT decision, it’s a business strategy
decision. The process must cover every department and must
work within all of your departments. An ISMS must be deployed
across your entire organisation and that means you’ll have to
address threats and risks that could start with any department.
ISO 27001 Standard: 6 Stages for Planning
ISO 27001 was created to provide you with a platform-neutral,
technology-neutral approach to security risks. You’ll learn to
address concerns individually as well as part of larger risk
management policies and have a guide to creating your safety
procedures.
The simplest way to view the entire process is by looking at its
core values: a six-part planning assessment and procedure.
Approach it from a top-down perspective and you’ll find success
when you:
• Define a security policy for your technology/platform/device/
company.
• Create a scope for your ISMS.
• Perform risk assessments based on your results from 1 and 2.
• Identify risks and create a management plan.
• Determine appropriate metrics and controls used to track
progress when the plan is implemented.
• Craft a statement of applicability to guide policy changes.
These six pillars are broad steps that you’ll see throughout each
of the main elements of the standard. IS0 27001 will help you
maintain this high-level approach throughout documentation
and audits, determining responsibility for implementation and
controls, ongoing maintenance and upgrades, and risk-based
activities to prevent breaches or react when they occur.
While you may be the individual seeking the certification,
ISO 27001 guidelines perform best when your entire company is
on board.

5. The sections of the new ISO 20071 standard are:
Scope
The standard lays out the requirements and provides a
management context for you to create, implement, maintain and
improve your ISMS. You’ll learn the requirements for making
assessments of your security risks and how to manage them
relative to your organisational structure.
Normative References
This section will discuss the other information and background
you’ll need. While there is a family of standards in the 27000s,
the only one specifically required is the ISO/IEC 27000. Other
standards in this family are optional and may support your ISMS
development. For certification purposes, you don’t need to
study or read anything beyond the ISO 27000 and ISO 27001
standards.
Terms and Definitions
Here you’ll learn the terms in a brief glossary. This glossary
has a planned obsolescence of sorts and will be replaced by
information provided in the ISO 27000 standard. You don’t have
to spend any additional funding: You can get a free online copy
of the ISO 27000 overview and vocabulary from the ISO.
Context of the Organisation
This section teaches you how to take your organisational
structure and needs into account when developing your ISMS.
You’ll get help building the scope of the ISMS by looking at
different departments’ interaction with your IT systems and
defining all of the parties who use, provide, adjust or observe
your data.
The goal is to “establish, implement, maintain and continually
improve” your company’s ISMS.
Leadership
The ISO 27001 standard specifically calls for top management
to be involved. This section shows you how to properly involve
leadership throughout your company and what approvals you’ll
need for implementing the ISMS. Go over this carefully and
work with management so that you can clearly demonstrate
their commitment to the ISMS as well as responsibilities for each
individual section and process.
Involving management through a clearly stated plan is a big part
of getting your ISO 27001 certification.
Planning
The planning stage will feel familiar to any developers, analysts,
data specialists and business managers. You’ll get assistance
with the creation of a workflow for identifying, reviewing and
dealing with IT security risks. It will give you the structure
to review threats in relationship to your company and the
objectives you’ve provided for your ISMS.
Support
Because you’re dealing with a policy and not a prescribed
plan, support will vary and requires a broad understanding of
your assets and capabilities. The support section will help you
define and secure adequate resources to manage an ISMS
from implementation through reviews. Pay close attention to its
discussion of how to promote awareness of ISMS policies within
your organisation because ISO 27001 certification will require
you to have a broad policy that can be applied across divisions.
Operation
Threat assessment is a continually evolving practice. The
operational segment will help you review threat assessment and
determine what types of information you should collect from
your network. Get assistance noting and evaluating threats,
manage your ISMS and allow for changes, and build a policy for
documenting successes, failures and weaknesses.
Audits are essential to any IT security paradigm, and the
ISO 27001 certification prepares you for a variety of threat
assessments.
Performance Evaluation
Put your new knowledge into action with guidance on how to
monitor your network, measure and analyse your processes,
audit changes and view every IT security control relative to your
KPIs. Bring your ISMS through all departments to look for proper
implementation and check for threats. You’ll also improve your
capabilities to improve your system. Essentially, you’ll be putting
the entire Operation segment into practice with the capability to
properly review and address changes.
Improvement
The core of ISO 27001 certification is to get better at threat
analysis and management.
The improvement section will help you review your auditing
process as well as the audits themselves. When you identify
problems and concerns through auditing, you can then
determine which are true threats and need a corrective action.
Beyond known threats, the improvement process helps you
create a maintenance scheduled for continual improvements to
your platform. You will learn standard maintenance strategies as
well as develop procedures to add audits or reviews when new
data is added.
These 10 sections form the backbone of the ISO 27001 standard
and certification.
Please note that the documentation you get when reviewing the
specification will also include an introduction and a reference
annex.
The introduction and annex aren’t included in our list because
ISO documentation notes that you can deviate from the annex,
so you won’t necessarily need to review those steps during your
ISMS’s further development and update planning. The annex
itself is listed as “normative,” so you are expected to use it
during the initial creating of your ISMS.
10 Sections for Success: ISO 27001
Control Checklist
The latest standard update — ISO/IEC 27001:2013 —
provides you with 10 sections that will walk you through
the entire process of developing your ISMS. Each of
these plays a role in the planning stages and facilitates
implementation and revision.
By continually walking through the control checklist,
you’ll have a succinct ISMS that secures your network.
With each new integration, data set, client portal and
BYOD policy, run through the list again to stay safe and
protected.

6. ISO 27001 Certification Process
The certification process for the ISO 27001 standard can be over
in as quick as a month and only has three main steps for you to
follow: Application, Assessment and Certification.
Application: Here you’ll simply work with a partner to register
for the certification process. There’s a specific ISO 27001 Quote
Request Form that gives your certification partner information
about your organisation so that they can have an accurate
estimate of your business and what to check for in their audit.
Assessment: We’ll review your business, the processes and the
implementations that are noted on the Initial Certification Audit
form. Your company will need to demonstrate that your ISMS
has been implemented and fully operations for at least three
months. We’ll also need to see a full cycle of internal audits. The
assessment has two stages that are important to you:
Stage 1 — Verify that you’re ready for an audit
and assessment.
• We’ll confirm that your ISMS meets standards and best
practices.
• Determine ISMS implementation status.
• Review scope of certification.
• Check that you meet legal and legislative compliance for
your area.
• Develop a report that notes your non-compliance areas and
areas for improvement.
• Create a plan that covers any corrective action.
• Produce an assessment used to begin stage two assessments
and testing.
Stage 2 — Execute an audit to review your ISMS and certify
it is functioning properly.
• Perform sample audits to review activities and elements
needed for certification.
• Document your ISMS’s capability to compile information and
review threats.
• Look for non-compliance and areas of improvement.
• Create a new surveillance report that reviews your system and
puts forth a date for your first annual surveillance visit.
Certification: ISO 27001 documentation will be issued by your
certification partner and you will set up a program of annual
surveillance audits plus a three-year audit program in order to
receive the certification.
By working with a smart partner, you can also get pre-
certification training and reviews to ensure that you’re ready
when the certification process begins. Don’t be shy: Always ask
about options to help you prepare for ISO 27001 certification
and for help maintaining requirements after the initial certification
is awarded.
We also recommend a gap analysis before you start the
certification process. This analysis allows you to determine
any likely workload and timing for implementing an ISMS (or
improving your existing ISMS) that will allow you to achieve
ISO 27001 certification. Gap analysis is a very good value if you
plan on bringing in outside professionals for ISMS development
because you’ll be able to provide them with an understanding of
the scope you need.
Part of the whole certification process is producing reports and
policies that should guide your ISMS development and your
internal audits. These can be a great place to begin because
you’ll need to perform initial audits to generate some of these
reports. The ISO 27001 standard itself will provide you with
information you need to understand and develop required
documents.
Mandatory Certification Requirements:
Document List
To get started with your journey to the ISO 27001 certification,
you should pick up a copy of the ISO documentation from the
standards body. Don’t trust documents you find from an outside
source unless they’re also an officially licensed provider of
certifications.
The latest version of the ISO 27001 standard provides a list of
required documents to ensure you adhere to the standard and
can meet your certification. Some of the documents are also
listed as optional, but we recommend that you create these
optional documents because they directly target new trends
in the workforce, new technologies and important business
analysis.
Numbers provided near the document are a reference for
explanations, requirements and more in the ISO standards
documentation. For any document listed with an Annex location,
you’ll need to review your processes closely. These documents
are required if they’re applicable to your business. When getting
certified, the third-party will determine if you need any of those
documents, so review these closely and consider developing
these documents just in case.

7. Documentation For ISO 27001 Adherence and Certification
Document Name Clauses Annex Clauses
Documents that you must generate
Scope of the ISMS 4.3
Information security policy and objectives (may be split into two documents 5.2, 6.2
Risk assessment and risk treatment methodology 6.1.2
Statement of Applicability 6.1.3 d
Risk treatment plan 6.1e, 6.2
Risk assessment report 8.2
Definition of security roles and responsibilities 7.1; 13.2.4
Inventory of assets 8.1.1
Acceptable use of assets 8.1.3
Access control policy 9.1.1
Operating procedures for IT management 12.1.1
Secure system engineering principles 14.2.5
Supplier security policy 15.1.1
Incident management procedure 16.1.5
Business continuity procedures 17.1.2
Company requirements: statutory, regulatory, and contractual 18.1.1
Records you must keep and maintain
Employee experience, qualifications, skills and certifications 7.2, 7.2
Monitoring and measurement results (baselines and new) 9.1
Internal audit procedures 9.2
Internal audit results and recommendations 9.2
Management review results and recommendations 9.3
Corrective action results and recommendations 10.1
Logs by user: activities, exceptions, security events and flags 12.4, 12.4.3
Optional but recommended documents
Document control procedures 7.5
Record management procedures 7.5
Internal audit guidance and review procedures 9.2
Corrective actions guidance 10.1
Bring your own device (BYOD) policy 6.2.1
Mobile and teleworking policy 6.2.1.
Information classification directive 8.2.1, 8.2.2, 8.2.3
Password policies for ISMS and users 9.2.1, 9.2.2, 9.2.4, 9.3.1,
9.4.3
Data and e-waste disposal and destruction policy 8.3.2, 11.2.7
Secure area processing and access requirements 11.1.5
Clear desk and clear screen policy 11.2.9
Change management policy 12.1.2, 14.2.4
Data storage and backup policy 12.3.1
Digital data transfer policies 13.2.1, 13.2.2, 13.2.3
Business impact and development analysis procedures 17.1.1
Maintenance and review plan 17.1.3
Business continuity strategy 17.2.1

8. Appendix 1:
Meeting Threats Through ISO 27001
NQA recommends that you undertake ISO 27001 training and
certification because it can help you make the case to your
business partners that you’re ready for the modern digital
world. To help you make that case to your management — or to
vendors you like and wish would adopt the ISO 27001 standard
— we’ve prepared a brief explanation of how ISO 27001 can
help you address some of the top problems digital industries
face.
• Risk Management Assurance. Customers demand strong
risk management. The only way to prove that you have
correct policies in place is to show certification and outside
verification. ISO 27001 proves that you take cyber threats
seriously and have prepared to address them. Certification is a
clear sign that you not only have the policies in place but that
you continually update and improve in order to keep your data
safe.
• Data Breaches. A single breach can bring down a small
or mid-sized vendor. Large companies can only survive
a handful, if they’re lucky. ISO 27001 audits offer great
protection because they limit your vulnerability. Audits
highlight potential breaches and can put other risks into focus
by using the security risk framework you learn. ISO 27001 will
help you prevent breaches, guarding you against customer
litigation and even potential regulatory action.
• Legal Compliance. We’ve focused our work on data security
all around the world. There are many different laws that can
be satisfied by ISO 27001 certification, and some like the UK
Data Protection Act have proven track records of ISO 27001
acceptance. Implementing the standard will help you stay
compliant and using NQA as your partner will ensure that you
have the most relevant legal checks when you undergo any
audit or review.
• Lapses in Attention. At the core of the ISO 27001 standard is
a security mindset. The audit process and ISMS development
provide a company-wide focus on security and can make
every department accountable. By spelling out who is in
charge of which function and who must ensure each team
member adheres to policies, you have begun to implement a
strong cybersecurity protection plan.
• Information Management and Access. Control over your
data is vital for your business, not just for the ISO 27001
certification process. By implementing a new focus through
these audits and reviews, you can determine areas that may
create bottlenecks and gaps in the access, management and
protection of your data. Strong audits from partners such as
NQA also help you determine gaps and issues in areas where
your customers access your data. That can improve customer
relationships and protect you against excess liability.
These are just some of the top conversations you can have with
your customers and your management to show how beneficial
ISO 27001 certification is. Contact NQA today for help making
the case and answers to how this certification can apply
specifically to your business.
Appendix 2: Glossary
• ISO: International Organisation for Standards — one of the two
bodies responsible for creating the certification and managing
its credential authentication.
• ISMS: Information Security Management System — set
of company policies that create a process for addressing
information security, data protection and more to prevent data
loss, harm, theft and errors within a company and its culture,
not just its IT systems.
• IEC: International Electrotechnical Commission — one of
the two bodies responsible for creating the certification and
managing its credential authentication.
• KPI: Key Performance Indicator — a business metric used to
evaluate elements that are key to the success of a program or
an organisation as a whole.
• Audit: Systematic, independent and documented process
for obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled.
• Availability: Property of being accessible and usable upon
demand by an authorised entity.
• Competence: Ability to apply knowledge and skills to achieve
intended results.
• Confidentiality: Property that information is not made
available or disclosed to unauthorised individuals, entities,
or processes. See 27000 2.61 for help applying this to
certifications.
• Continual Improvement: Recurring activity to enhance
performance. Will require a specific definition in relationship to
your individual requirements and processes when asked for in
audit documentation.
• Control: Measure that is modifying risk. See 27001 2.68 for
application assistance.
• Correction: Action to eliminate a detected nonconformity
during your audit and review processes. When compared to
“Corrective Action” view this as treating a symptom and the
“Action” as curing a disease.
• Corrective Action: Action to eliminate the cause of a
nonconformity and to prevent recurrence. This usage
specifically notes action you’ll take to remove root causes.
• Documented Information: Information that must be controlled
and maintained by you and secured by the medium you use
to collect it. This can be information in any format, from any
source, and will require an audit history when documents
request it.
• Effectiveness: An estimated and then proven measure of the
extent to which planned activities are realised and planned
results achieved.
• Executive Management: Person or group of people who
have delegated responsibility from the governing body for
implementation of strategies and policies to accomplish
the purpose of the organisation. See 2.29 and 2.57 for help
determining your governing body and the scope of this
management.
Where Should You Get Certified?
You need to turn to a trusted partner when it comes to
your ISO 27001 certification. Don’t put your company’s
future in the hands of someone who doesn’t have a
strong reputation for proper audits, valid certifications
and the ability to help companies meet their goals.
We work with all of our customers to ensure that they
have the right processes in place to achieve certification.
When any ISMS is found lacking, we’re here to work with
you to create and implement strategies to address gaps
we detect. You can have experts review your process
and proper implementation so you don’t have to worry
about creating the right platform and company mindset
to achieve your goals.
Reduce the risk your company faces and improve your
company’s reputation by working with NQA for all of your
ISO 27001 preparations and certifications.
Contact us today for a free quote using our Quick
Quote form.

9. • Information Security: Preservation of confidentiality, integrity
and availability of information. Secondary properties may
include authenticity verification, accountability, reliability and
other elements based on your ISMS.
• Indicator: A measure that provides an estimate or evaluation
of specified attributes derived from an analytical model (with
respect to defined information needs).
• Integrity: Property of accuracy and completeness in reviews,
audits and more.
• Interested Party: Person or organisation that can affect, be
affected, or perceive themselves to be affected by a decision
or activity undertaken by an ISMS, agent, employee or other
party you authorise.
• Level of Risk: Magnitude of a risk expressed in terms of the
combination of consequences and their likelihood. Further
explanation available in 2.14 (consequences), 2.45 (likelihood
of risk) and 2.68 (risk magnitude)
• Management System: Set of interrelated or interacting
elements of an organisation to establish policies, objectives
and processes to achieve those objectives. Management
systems can address single or multiple disciplines and must
include a variety of elements such as roles, responsibilities,
planning, operations, organisational structure, and more.
• Measurement: Process to determine a value. This may seem
vague to some but it is important because it notes that you’re
required to determine proper measurements for your ISMS
implementation.
• Metrics: Elements of your business used to evaluate
performance and effectiveness of your ISMS and information
security controls. You’ll see this in documentation from
auditors, but not in the specifications themselves.
• Monitoring: Determining the status of a system, process or
activity. Monitoring is about status and then shifts focus when
events occur.
• Non-conformity: Non-fulfilment of a requirement as defined by
the ISMS.
• Objective: Strategic, tactical or operational result to be
achieved. Objectives can differ greatly and audits will need
a strong structure to properly express objectives in order to
evaluate them.
• Outsource (verb): Make an arrangement where an external
organisation performs part of an organisation’s function
or process. ISMS must review and specify all outsourcing
options. Controls and responsibilities must be extremely clear
when outsourcing any element.
• Performance: Measureable result that can relate either to
quantitative or qualitative findings.
• Policy: Intentions and direction of an organisation as formally
expressed by its top management.
• Process: Set of interrelated or interacting activities which
transforms inputs into outputs.
• Reliability: Property of consistent intended behaviour and
results across audits, methodology and reviews.
• Requirement: Need or expectation that is stated, generally
implied or obligatory. “Generally implied” is listed when the
necessity of custom or practice is implied.
• Residual Risk: Risk that remains after a risk treatment. These
can contain unidentified risks and may also be listed as
“retained risks” in auditor information.
• Review: Activity undertaken to determine the suitability,
adequacy and effectiveness of the subject matter to achieve
established objectives.
• Risk: The effect of uncertainty on objectives, including real
and potential events. See 2.14 through 2.89 for a better
understanding of risk, its positive and negative elements, and
how it can relate to a variety of situations.
• Risk Owner: Person or entity with the accountability and
authority to manage a risk and related responses.
• Risk Treatment: Process used to modify risk. Methods can
include removing sources, changing likelihoods, adjusting
consequences, retaining risks by choice, adding new actions
and avoiding risks.
• Top Management: Person or group of people who directs and
controls an organisation at the highest level.
www.nqa.com