ISO 27001: 2013 – Information Security Management System (ISMS)

What is ISO 27001?

ISO 27001 is an internationally recognized structured methodology dedicated to information security and the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The ISO 27000-series comprises information security standards published jointly by the International Organisation for Standardization (ISO) and the International Electro technical Commission (IEC).

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9001) and environmental protection (the ISO 14001).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming’s “plan-do-check-act” approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance


ISO 27000-series Published standards

  • ISO 27000 Fundamental and Vocabulary
  • ISO 27001 Information Security Management Requirements
  • ISO 27002 Code of Practice
  • ISO 27003 Implementation Guidance
  • ISO 27004 Information security management measurements
  • ISO 27005 Information security risk management
  • ISO 27006 Requirements for certification bodies
  • ISO 27007 Guidelines for Information security management systems auditing
  • ISO TR 27008 Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO 27010 ISM for inter-sector and inter-organizational communications
  • ISO 27011 Information security management guidelines for telecommunications
  • ISO 27013  Guideline on the integrated implementation of ISO 27001 and ISO/IEC 20000-1
  • ISO 27014  Information security governance
  • ISO TR 27015 Information security management guidelines for financial services
  • ISO 27031 Business Continuity
  • ISO 27032 Guidelines for cyber security
  • ISO 27033 IT network security
  • ISO 27034 Guidelines for application security
  • ISO 27035  Information security incident management
  • ISO 27036-3  Information security for supplier relationships Guidelines for information and communication technology supply chain security
  • ISO 27037  Guidelines for identification, collection, acquisition and preservation of digital evidence
  • ISO 27799 Security Management in Health
  • Up to ISO 27059 Reserved for future standards


Structure of the ISO 27001: 2013

ISO 27001:2013 has the following sections:

  • Introduction, the standard uses a process approach.
  • Scope, it specifies generic ISMS requirements suitable for organisations of any type, size or nature.
  • Normative references, only ISO 27000 is considered absolutely essential to users of 27001
  • Terms and definitions, a brief, formalized glossary, soon to be superseded by ISO 27000.
  • Context of the organisation, understanding the organisational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS.  Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” a compliant ISMS.
  • Leadership, top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
  • Planning outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
  • Support, adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
  • Operation, a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
  • Performance evaluation, monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
  • Improvement, address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS

Annex A Reference control objectives and controls, little more in fact than a list of titles of the control sections in ISO 27002.  The annex is ‘normative’, implying that certified organisations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.


ISO 27001 Certification around the world and in Australia

Certified compliance with ISO 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organisations that are concerned about the security of their information, and about information security throughout the supply chain or network.

Based on ISO survey 2013, more than 22,000 of ISO 27001 certificates have been issued all over the world. Out of these certificates, Australian share was only 140 certificates. However, based on the information security attacks and vulnerabilities reports which are published every year, we can see the need for Australian corporations to consider the ISO 27001 as the best practice. There should be some reasons why Australian rate of using ISO 27001 is so much lower than developed countries. Some of those reasons could be:

  • Lack of awareness about ISO 27001
  • Not realizing of information security importance
  • Indirect relation between information security and organisations performance
  • Lack of legislation requirements
  • Financial crisis


How ISO Consulting Services can help you

Please  contact us  if you need more details on how our expert team can assists you in training and developing a new or updating your current ISMS in compliance with ISO 27001:2013 standard.


ISO 9001:2015 is published now


After three years of revision work, the ISO 9001:2015, the most popular management system standard with over 1.1 million certificates globally issued, has published now.  Similar to ISO 14001:2015 which was published mid-September, it has been also restructured based on High Level Structure (HLS) to be aligned with other management systems.

The positive changes

The new version is adapted with 21st century circumstances with more focus on performance and process approach and less requirements for documentation and compliance.

The process approach which is introduced as a “requirement” now will challenge both organisations and auditors how to restructure the existing functional approach to a process-based mindset throughout the whole organisation in design, implementation and auditing.

Need to understand the context of the organisation and the needs and expectations of interested parties helps the organisations to establish and implement a quality management system which is tailor-made to add value to the organisation and its interested parties rather than a bunch of document to tick the boxes and satisfy the auditors.

The risk-based thinking is a real masterpiece in the 2015 version. It will help the organisations to consider both adverse and beneficial impacts of its processes, products and services internally and externally.

Change management is also a breakthrough in this version which reduce the risk of unplanned changes which can potentially cause even more issues. Any changes are supposed to be reviewed and analysed in advance considering the risks and impacts to internal and external interested parties.

Regarding the changes in the new version such as “Design & Development” and “Measuring equipment” clauses, it is more understandable and adaptable for service sector.

Structure of ISO 9001:2015

  1. Scope
  2. Normative Reference
  3. Terms & Definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Transition Guidance

International Accreditation Forum (IAF) has provided a guidance for the transition from ISO 9001:2008 to ISO 9001:2015. ISO 9001:2008 certifications will not be valid after three years from publication of ISO 9001:2015.

How ISO Consulting Services can help you

Please contact us  if you need our hands to assist you in the journey of transition to the new version of standard. We will help you assess the gaps between your existing system and the requirements of the new version and also assist you in filling the gaps and getting ready for ISO 9001 certification.