ISO/IEC 27001:2013

Your implementation guide

What is ISO/IEC 27001?
Successful businesses understand the value of timely, At BSI, we have the experience, the experts and the
accurate information, good communications and support services to help make sure you get the most
confidentiality. Information security is as much about from ISO/IEC 27001, by making you more resilient
exploiting the opportunities of our interconnected and responsive to threats to your information.
world as it is about risk management.
This guide shows you how to implement
That’s why organizations need to build resilience ISO/IEC 27001 in your organization to build
around their information security management. resilience for the long term and safeguard your
Internationally recognized ISO/IEC 27001 is an reputation. We also showcase our additional
excellent framework, which helps organizations support services, which help you not only achieve
manage and protect their information assets compliance, but continue to reduce risk and protect
so that they remain safe and secure. your business.

“ISO/IEC 27001 demonstrates

to clients that we have secure
data and robust systems.”
Hugo Holland Bosworth,
Group Operations Director, Alternative Networks Plc
Contents
• B
 enefits
• ISO/IEC 27001: 2013 clause
by clause
• Top tips from our clients
• Your ISO/IEC 27001 journey
• BSI Training Academy
• BSI Business Improvement
Software

2
How ISO/IEC 27001 works and what it
delivers for you and your company
The ability to manage information safely and securely has never been more important. ISO/IEC 27001 not only
helps protect your business, it also sends a clear signal to customers, suppliers and the marketplace that your
organization has the ability to handle information securely.

ISO/IEC 27001 is a robust framework that helps you protect information such as financial data, intellectual
property or sensitive customer information. It helps you identify risks and puts in place security measures that
are right for your business, so you can manage or reduce risks to your information. It helps you to continually
review and refine the way you do this, not only for today, but also for the future. That’s how
ISO/IEC 27001 protects your business, your reputation and adds value.

Benefits of ISO/IEC 27001:2013*

75% 80% 71%

reduces inspires trust in helps protect
business risk our business our business

55% 53% 50%

helps us comply increases our reduces the
with regulations competitive likelihood of
edge mistakes

“It helped the team understand the threats and vulnerabilities that exist in
today’s environment and proactively control them. It has led to a greater
awareness, vigilance and enthusiasm for information security.”
Mr. Tareq Al-Sahaf, General Manager. Gulf Insurance Group K.S.C (GIG)

*Source: BSI Benefits survey - BSI clients were asked which benefits they obtained from ISO/IEC 27001:2013
3
How ISO/IEC 27001 works
The latest version of ISO/IEC 27001 was published in 2013 to help maintain its relevance to the challenges of
modern day business and ensure it is aligned with the principles of risk management contained in
ISO 31000. It’s based on the high level structure (Annex SL), which is a common framework for all revised
and future ISO management system standards, including ISO 9001:2015 and ISO 14001:2015.
Annex SL helps keep consistency, align different management system standards, offer matching sub-clauses
against the top level structure and apply a common language. It compels organizations to incorporate their
Information Security Management System (ISMS) into core business processes, make efficiencies and get
more involvement from senior management.

Some of the core concepts of ISO/IEC 27001:2013 are:

Concept Comment

Context of the Consider the combination of internal and external factors and conditions that can
organization affect the organization’s information.
Issues, risks and Issues can be internal or external, positive or negative and include conditions that
opportunities affect the confidentiality, integrity and availability of an organization’s information.
Risks are defined as the “effect of uncertainty on an expected result”.
Interested parties A person or entity that can affect, be affected by, or perceive themselves to
be affected by a decision or activity. Examples include suppliers, customers or
competitors.
Leadership Requirements specific to top management who are defined as a person or group of
people who directs and controls an organization at the highest level.
Risk associated with Refined planning process replaces preventive action and is defined as the “effect of
threats and opportunities uncertainty on an expected result”.
Communication The standard contains explicit and detailed requirements for both internal and
external communications.
Documented information The meaningful data or information you control or maintain to support your ISMS.
Performance evaluation The measurement of the ISMS and risk treatment plan effectiveness.

Risk owner The person or entity that has been given the authority to manage a particular risk and
is accountable for doing so.
Risk treatment plan A risk modification plan which involves selecting and implementing one or more
treatment options against a risk.
Controls Any administrative, managerial, technical or legal method that is used to modify
or manage an information security risk. They can include things like practices,
processes, policies, procedures, programs, tools, techniques, technologies, devices and
organizational structures. They are determined during the process of risk treatment.
Continual improvement Methodologies other than Plan-Do-Check-Act (PDCA) may be used.

4
Key requirements of
ISO/IEC 27001:2013

Clause 1: Scope topics such as any market assurance and governance

goals.
The first clause details the scope of the standard.
You will be required to decide on the scope of
Clause 2: Normative references your ISMS, which needs to link with the strategic
direction of your organization, core objectives and the
All the normative references are contained in
requirements of interested parties.
ISO/IEC 27000, Information technology – Security
techniques – Information security management Finally, you’ll need to show how you establish,
systems – Overview and vocabulary, which is implement, maintain and continually improve the ISMS
referenced and provides valuable guidance. in relation to the standard.

Clause 3: Terms and definitions Clause 5: Leadership

Please refer to the terms and definitions contained in This clause is all about the role of “top management,”
ISO/IEC 27000. This is an important document to read. which is the group of people who direct and control
your organization at the highest level. They will need to
Clause 4: Context of the organization demonstrate leadership and commitment by leading
from the top.
This is the clause that establishes the context of the
organization and the effects on the ISMS. Much of the Top management needs to establish the ISMS and
rest of the standard relates to this clause. information security policy, ensuring it is compatible
with the strategic direction of the organization. They
The starting point is to identify all external and
also need to make sure that these are made available,
internal issues relevant to your organization and
communicated, maintained and understood by all
your information or information that is entrusted
parties.
to you by 3rd parties. Then you need to establish all
“interested parties” and stakeholders as well as how Top management must ensure that the ISMS
they are relevant to the information. You will need to is continually improved and that direction and
identify requirements for interested parties, which support are given. They can assign ISMS relevant
could include legal, regulatory and/or contractual responsibilities and authorities, but ultimately they
obligations. You’ll also need to consider important remain accountable.

5
Clause 6: Planning Clause 7: Support
This clause outlines how an organization plans This section of ISO/IEC 27001 is all about getting
actions to address risks and opportunities to the right resources, the right people and the right
information. infrastructure in place to establish, implement,
It focuses on how an organization deals with maintain and continually improve the ISMS.
information security risk and needs to be It deals with requirements for competence,
proportionate to the potential impact they awareness and communications to support the ISMS
have. ISO 31000, the international standard for and it could include making training and personnel
risk management, contains valuable guidance. available, for example.
Organizations are also required to produce a This clause also requires all personnel working
“Statement of Applicability” (SoA). The SoA provides under an organization’s control to be aware of the
a summary of the decisions an organization has information security policy, how they contribute to its
taken regarding risk treatment, the control objectives effectiveness and the implications of not conforming.
and controls you have included and those you have
excluded, and why you have decided to include and The organization also needs to ensure that
exclude the controls in the SOA. internal and external communications relevant to
information security and the ISMS are appropriately
Another key area of this clause is the need to communicated. This includes identifying what needs
establish information security objectives and the to be communicated to whom, when and how this is
standard defines the properties that information delivered.
security objectives must have.
It’s in this clause that the term “documented
information” is referenced. Organizations need to
determine the level of documented information that’s
necessary to control the ISMS.
There is also an emphasis on controlling access
to documented information, which reflects the
importance of information security.

6
Clause 8: Operation methods employed and when it should be analyzed and
reported.
This clause is all about the execution of the plans and
processes that are the subject of previous clauses. Internal audits will need to be carried out as well as
management reviews. Both of these must be performed
It deals with the execution of the actions determined and
at planned intervals and the findings will need to be
the achievement of the information security objectives. In
retained as documented information.
recognition of the increased use of outsourced functions
in today’s business world, these processes also need It should be noted that management reviews are also an
to be identified and controlled. Any changes, whether opportunity to identify areas for improvement.
planned or unintended need to be considered here and
the consequences of these on the ISMS. Clause 10: Improvement
It also deals with the performance of information security This part of the standard is concerned with corrective
risk assessments at planned intervals, and the need for action requirements. You will need to show how you
documented information to be retained to record the react to nonconformities, take action, correct them and
results of these. deal with the consequences. You’ll also need to show
whether any similar nonconformities exist or could
Finally, there is a section that deals with the
potentially occur and show how you will eliminate the
implementation of the risk treatment plan, and again,
causes of them so they do not occur elsewhere.
the need for the results of these to be retained in
documented information. There is also a requirement to show continual
improvement of the ISMS, including demonstrating the
Clause 9: Performance evaluation suitability and adequacy of it and how effective it is.
However you do this is up to you.
This clause is all about monitoring, measuring, analyzing
and evaluating your ISMS to ensure that it is effective and ISO/IEC 27001 also includes Annex A which outlines 114
remains so. This clause helps organizations to continually controls to help protect information in a variety of areas
assess how they are performing in relation to the across the organization. ISO/IEC 27002 also provides
objectives of the standard to continually improve. best practice guidance and acts as a valuable reference
for choosing as well as excluding which controls are best
You will need to consider what information you need
suited for your organization.
to evaluate the information security effectiveness, the
7
Top tips on making ISO/IEC 27001
effective for you
Every year we help tens of thousands of clients. Here are their top tips.

 Top management commitment is key “The earlier that organizations talk to senior
to making implementation of managers, the better it will go for them so
ISO/IEC 27001 a success. They need to be have those discussions early.”
actively involved and approve the John Scott, Overbury, leading UK fit-out and
resources required. refurbishment business

Think about how different departments “The key to implementing the standard lies
work together to avoid silos. Make sure the in getting staff to think about information
organization works as a team for the benefit of security as an integral part of the daily
customers and the organization. business and not as an additional burden.”
Mr. Thamer, Ibrahim Ali Arab, Assistant General
Manager IT

Review systems, policies, procedures and “Don’t try and change your business to fit the
processes you have in place – you may already standard. Think about how you do things and
do much of what’s in the standard – and how that standard reflects on how you do it,
make it work for your business. You shouldn’t rather than the other way around.”
be doing something just for the sake of the Paul Brazier, Commercial Director, Overbury
standard –

Speak to your customers and suppliers. They “This certification allows us to go one step
may be able to suggest improvements and give further by offering our customers the peace of
feedback on your service. mind that we have the best controls in place
to identify and reduce any risks to confidential
information.”
Jitesh Bavisi, Director of Compliance, Exponential-eBavisi

Train your staff to carry our internal audits “The course was loaded with practical
of the system. This can help with their exercises and real-case scenarios and was
understanding, but it could also provide structured in a way that it encouraged
valuable feedback on potential problems or participants to be interactive and share their
opportunities for achievement. experiences in information security.”
Nataliya Stephenson Manager, Information Security,
NSW Attorney General’s Department

And finally, when you gain certification,

celebrate your achievement and use the BSI
Assurance Mark on your literature, website
and promotional material.

8
Your ISO/IEC 27001 Journey
Whether you’re new to information security management or looking to enhance your current system,
we have the right resources and training courses to help you understand and implement ISO/IEC 27001.
We can help make sure your system keeps on delivering the best for your business.

You We
need to: help you:
• B uy the standard and read it; understand the • D
 iscover information on our website, including
and prepare
Understand

content, your requirements and how it will case studies, whitepapers and webinars
improve your business visit bsiamerica.com
• Contact us; we can propose a solution tailored • BSI ISO/IEC 27001:2013 Requirements training
to your organization’s needs

• E
 nsure your organization understands the • Download self-assessment checklist
ready you are

principles of ISO/IEC 27001 and the roles • BSI ISO 27001:2013 Implementation training
See how

individuals will need to play. Review your course

activities and processes against the standard • Schedule a BSI gap assessment to see where you are
• B
 SI Business Improvement Software can
support ISO/IEC 27001 implementation

Review and get

• Contact us to schedule your certification • BSI ISO/IEC 27001:2013 Internal and Lead Auditor
certified

assessment training
• We will then carry out system and document • BSI Business Improvement Software helps
ISO/IEC 27001 implementation
assessments (a 2 stage process). The length of
this may depend of the size of your organization • Your BSI certification assessment

Continually improve and make excellence a habit

Your journey doesn’t stop with certification. We can help you to fine-tune your organization so it performs at its best.
• C
 elebrate and promote your success – download • Y
 our BSI Client Manager will visit you regularly
and use the BSI Assurance Mark to show you are to make sure you remain compliant and
certified. support your continual improvement.
• BSI ISO/IEC 27001 Lead Auditor qualification can • C
 onsider integrating other management system
help advance your auditing skills standards to maximize business benefits.
• B
 SI Business Improvement Software will help you
to manage systems and drive performance.

9
BSI Training Academy

Boost your knowledge with our expertise: BSI has a comprehensive range of training courses to support
implementation of ISO/IEC 27001 and helps build the skills in your organization. Our expert instructors can
transfer the knowledge, skills and tools your people need to embed the standards of excellence into your
organization. What’s more, the accelerated learning techniques applied in our courses will help make sure
that what you learn stays with you.

Courses that help you understand ISO/IEC 27001 include:

BSI ISO/IEC 27001:2013 Requirements (TPECS) ISO/IEC 27001:2013 Internal Auditor (TPECS)
• 2-day classroom-based training course • 3 day classroom-based training course
• L earn about the structure and key requirements of • L earn how to initiate an audit, prepare and conduct
ISO/IEC 27001:2013 audit activities, compile and distribute audit reports
• E ssential for anyone involved in the planning, and complete follow-up activities
implementing, maintaining, supervising or auditing • Ideal for anyone involved in auditing, maintaining or
of an ISO/IEC 27001:2013 ISMS supervising an ISO/IEC 27001:2013 ISMS

BSI ISO/IEC 27001:2013 Implementation ISO/IEC 27001:2013 Lead Auditor (TPECS)

• 2 day classroom-based training course • 4 day classroom-based training course
• D
 iscover the stages of implementation and how to • G
 ain the skills and understanding required to
apply a typical framework for implementing ISO/IEC lead and successfully undertake a successful
27001 management system audit
• Recommended for anyone involved in auditing
• R
 ecommended for anyone involved in planning, maintaining or supervising an ISO/IEC 27001:2013
implementing, maintaining, supervising or auditing ISMS.
of an ISO/IEC 27001 ISMS

ISO/IEC 27001:2013 Lead Implementer

• 5 day classroom-based training course
• L earn and understand the tools and methodologies
to lead an ISO/IEC 27001 implementation
• R
 ecommended for anyone involved in planning,
implementing, maintaining, supervising or auditing
of an ISO/IEC 27001 ISMS

10
BSI Business Improvement Software

Accelerate implementation time and It can help you to:

deliver continual improvements • Accelerate implementation time by up to 50%
The decision to implement a new management • Manage your document control effectively
system standard is a huge opportunity to drive • P
 rovide company-wide visibility on implementation
business improvement, but initiating, implementing of the standard, so you know exactly where you are
and maintaining this can also be a challenge. Ensuring at any one time
you get the most from your investment is a key driver
to your future success. • E asily and accurately input actions related to audits,
incidents/events, risk and performance
BSI business improvement software provides a • G
 ain early insight through its customizable
solution that can significantly reduce the cost and dashboards and reporting tools and allow you
effort to implement an effective management to quickly see the trends that can help you make
system, such as ISO/IEC 27001. It can be configured business decisions early on and drive improvement
to the requirements of ISO/IEC 27001 and provide
your organization with the tools necessary to
manage essential elements of ISO/IEC 27001 across The savings are the costs you
your organization. The start of your ISO/IEC 27001
journey is an ideal time to implement BSI business avoid because you could not see
improvement software and sustain the standard what was happening at
successfully.
the facility level.

11
Why BSI?
BSI has been at the forefront of ISO/IEC 27001 since the start. Originally based on BS 7799,
developed by BSI in 1995, we’ve been involved in its development and the ISO technical
committee ever since. That’s why we’re best placed to help you understand the standard.
At BSI, we create excellence by driving the success of our clients through standards.
We help organizations to embed resilience, helping them to grow sustainably,
adapt to change and prosper for the long term. We make excellence a habit.
For over a century our experts have been challenging mediocrity and complacency to help
embed excellence into the way people and products work. With 80,000 clients in 182
countries, BSI is an organization whose standards inspire excellence across the globe.

Our products and services

We provide a unique combination of complementary products and services, managed through our three
business streams: Knowledge, Assurance and Compliance.

Knowledge Assurance Compliance

The core of our business centers Independent assessment of To experience real, long-term
on the knowledge that we the conformity of a process benefits, our clients need to
create and impart to our clients. or product to a particular ensure ongoing compliance to
In the standards arena, we standard ensures that our clients a regulation, market need or
continue to build our reputation perform to a high level of standard, so that it becomes an
as an expert body, bringing excellence. We train our clients embedded habit. We provide
together experts from industry in world-class implementation consultancy services and
to shape standards at local, and auditing techniques to differentiated management
regional and international levels. ensure they maximize the tools to facilitate this process.
In fact, BSI originally created benefits of our standards.
eight of the world’s top 10
BSI/USA/517/MS/0516/E

management system standards.

Find out more

Call: 1 800 862 4977
© BSI Group

Visit: bsiamerica.com