Following the ISO 27001 international standard means setting up your organization with an effective information security management system (ISMS). Looking at it from a practical perspective, if you want to establish and operate the best ISMS for your organization, you can turn to the ISO 27001 specifications to guide you in the process of just how to do that. 

What is ISO 27001?

ISO 27001 is a methodology that aims to create and implement an effective ISMS for an organization. Simply speaking, a solid ISMS is the main product of ISO 27001 implementation. If the ISMS is the “what”, the ISO 27001 is the “how”.

ISO 27001 is risk-based, meaning it is built primarily on identifying and evaluating the risks within an organization and its data protection system. Putting measures in place based on those assessments is the next step, followed by continuous monitoring and improvements.

What is the purpose of ISO 27001?

The purpose of ISO 27001 is to provide guidelines for “establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system”.

The goal of creating an ISMS system based on ISO 27001 is to protect an organization’s data confidentiality, integrity, and availability.

  • Confidentiality: information is only accessible by authorized persons
  • Integrity: changes in the information can only be made by authorized persons
  • Availability: authorized persons have timely and uninterrupted access to the information

What is an ISMS?

An ISMS is important for a company’s cyber security. It’s a set of concrete policies whose main objective is to protect a company’s (and the company’s clients’) data, reduce risk of data breaches and cyber-attacks, and prescribe controls that could mitigate damage if it does occur. 

Once you have your ISMS set up, you’ll have taken a deep look at the policies, procedures, technical measures, and staff training necessary to manage the risks associated with data security threats.

What is the scope of ISO 27001?

Any organization that deals with any type of sensitive information is a candidate for ISO 27001 compliance.

The IT, finance, pharmaceutical and health industries are obvious candidates. But ultimately, any organization, no matter its size or type, can benefit greatly from complying with ISO 27001. Private, public, profit or non-profit all are prone to data breaches. 

In addition, ISO 27001 is an international standard, meaning it is easily recognized no matter where you’re doing business.

How to implement ISO 27001

You can look at ISO 27001 as an overview of best practices in data security. It isn’t prescriptive. It’s not step-by-step instructions that you follow while setting up your ISMS. It’s a guide that allows each organization to achieve a bespoke ISMS for themselves, based on its individual risk assessment.

The organization then decides while still keeping in mind its unique circumstances which safeguards suggested by ISO 27001 make the most sense for each risk that was found. And those get implemented into the organization’s ISMS.

A holistic approach to data protection

ISO 27001 stems from a holistic approach that looks at data security from three main angles: people, technology and processes. You should therefore expect the ISMS you put together to be visible in all areas of your organization and business processes.

This is because using technology alone isn’t going to be enough to secure data. Most of the time, there is a human factor involved in any data breach. Think about all the aspects that the IT department has no governance over, like sensitive information leaked accidentally in an email, remote employees using their own computers or unsecured networks, or when a manager’s phone gets stolen.

This is why an ISO 27001-based ISMS must be adhered to across the organization or company, using a top-down approach rather than a bottom-up one.

Getting management involved is one of the key prerequisites for implementing ISO 27001. You can have the best ISMS on paper, but if your management isn’t behind it, it’ll never gain traction in your organization.

It’s one thing to have up-to-date technology and software, but people, their training and policy enforcement are just as important. ISO 27001 takes this into consideration and helps make sure these points are being addressed just as much as the technology itself.

The main steps of implementing ISO 27001

The basic components in implementing ISO 27001 are:

  1. Identify stakeholders
  2. Stakeholders define their expectations in terms of information security
  3. Assess risks. Analyze gaps.
  4. Define controls and other mitigation methods to handle risks in a way that meets set expectations
  5. Implement the controls and other risk treatment methods
  6. Continuously measure if controls perform as expected
  7. Make continuous improvements to ensure the system is always at its best

Risk assessment

In order to perform the formal risk analysis required by ISO 27001, you’ll first need to decide if you will hire a consultant to help you, or if you’ll be doing it on your own.

Larger corporations might have employees or entire teams dedicated to tasks such as this, so they may decide to do an assessment on their own. On the other hand, hiring an experienced consultant could make the process go faster and smoother, without taking up a whole team’s precious time on one fairly daunting task.

A small organization might decide that it is small enough to handle its own risk assessment. Then again, they might prefer a specialist, because they might not feel up to the challenge themselves.

No matter what you choose to do, you will first need to compile a list of assets (this includes things like electronic files, hardware, and intellectual property) and who owns them, in other words, who is responsible for which risk.

Once an asset list is put together, it’s time to think about the threats and vulnerabilities that are associated with them, followed by an evaluation of each risk. You’ll be scoring each risk to be able to identify which ones are most likely and which would have the worst consequences, and are therefore prioritized over others.

Once an ISO 27001 risk assessment is complete, you are ready to move on to figuring out mitigation methods and controls.

The 14 control sets of ISO 27001

We’ve talked about how an organization’s ISMS should be expected to affect all aspects of the business. To get a better understanding of what that entails, Annex A of ISO 27001 covers 14 domains of a company’s information security system and describes controls that can be used within the particular domain.

These are the 14 control sets of ISO 27001 and their (very brief) content:



Information security policies
2 controls

Aligning policies with overall security direction of the organization. Policy execution.

Organization of information security
7 controls

Managing information security practices within the organization. Addresses mobile devices and remote workforce.

Human resource security
6 controls

Individuals’ responsibilities before, during and after employment at the organization

Asset Management
10 controls

Securing and identifying data assets, data storage and protection.

Access control
14 controls

Ensuring employees can only view information that is relevant to them.

2 controls

Data encryption, protection of data confidentiality.

Physical and Environmental Security
15 controls

Preventing unauthorized physical access or damage to the organization’s facilities. Preventing loss or theft of hardware or file storage equipment.

Operations Security
14 controls

Ensuring that facilities dealing with the collection and storage of data are secure. Vulnerability management.

Communications security
7 controls

Protecting information in networks, either within the organization or when being transmitted to a 3rd party.

System Acquisition, Development, and Maintenance
13 controls

Maintaining security requirements across the entire life cycle.

Supplier relationships
5 controls

What information is available to contractual parties and how is information security is being handled?

Information Security Incident Management
7 controls

Identifying who is responsible for handling and reporting security issues and the steps in the process. 

Business Continuity Management
4 controls

Creating a system to maintain the information security process during business disruptions.

8 controls

Identifying and complying with laws and regulations relevant to the organization.


As we’ve explained, an organization is not required to implement all of the controls mentioned in ISO 27001. They are only to be considered if they make sense based on the organization’s risk assessment and expectations.

An integral part of having a good ISMS is not only the implementation of the ISO 27001 best practices, but the continuous maintenance and improvement of the system. It’s the only way to make sure your organization’s data security system is kept fresh and up-to-date.

Talk to us

How Safetica Helps to Comply with ISO 27001

Sensitive Data Overview

Safetica provides an overview of the information flows and sensitive data storage and helps you to monitor user operations and provides you with reports on how data is processed.

Data Classification and Security Policies

With Safetica you can easily classify the data, and based on that you can apply DLP policies, and enforce desired behaviors when users interact with sensitive information.

Data Encryption

Safetica helps you to encrypt your data. Encryption is centrally managed in the Safetica management console.

Data Leakage Notification

In case of a security incident, Safetica’s real-time email alert system notifies the appropriate personnel. It provides details, so you can take follow-up actions, and minimize the impact of data leakage.

Regulatory Compliance

With Safetica and its DLP policies you can make sure that you are compliant not only with ISO 27001 but also with other regulations, such as GDPR, PCI DSS, HIPAA, CMMC and more.

See Safetica in action. Complete this quick contact form today.​

Kristýna Svobodová
Content Strategist @Safetica

Next articles

SAMA’s Cyber Security Framework: The Scope, Purpose, and How to Comply

The Saudi Arabian Monetary Authority (SAMA) has introduced a Cyber Security Framework designed to fortify the nation's financial systems and critical industries against cyber threats. Throughout this guide, we'll explore the key components, while also providing tips and insights on how to achieve compliance with its requirements.

HITRUST framework: The Scope, Purpose, and How to Comply

This article will guide you through HITRUST's evolution, its current scope, and how it can be a game-changer for your organization's data protection strategy.

Understanding SOC 2: The Scope, Purpose, and How to Comply

Get started with your SOC 2 compliance efforts: what SOC 2 is, why it matters, and, most importantly, what steps you need to take if you want to get a SOC 2 report for your organization.