By Mathilde Bach Mikkelsen | 1,626 words | Read time: 9 minutes
Unless you have been living under a rock, you have probably heard about ISO/IEC 27001. While the name might sound overly technical to some, or like just another compliance checklist to others, the core of the standard is surprisingly straightforward. In this blog post we will break it down in simple terms to provide a clear look at what ISO 27001 is at its core.
ISO/IEC 27001 is an internationally recognized standard for establishing a solid and sustainable defense for your information. With this blog post we will give you an overview of the standard, its requirements, the broader ISO 27000 family, and how you can start implementing an ISMS (Information Security Management System).
Before we dive in, let us quickly touch on the name itself. ISO/IEC 27001 is a joint standard developed by two major international bodies: the International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC).
Together, they ensure that the standard covers both management processes and technology best practices. For simplicity, we will refer to it as ISO 27001 throughout this post.
But first, what is information security?
When talking about ISO 27001, it is fundamental to know what information security is. Best practices and ISO 27001 work with three foundational principles when it comes to information security: Confidentiality, Integrity and Availability (also known as CIA).
Confidentiality ensures that data is only accessible to authorized individuals. Integrity means that information is accurate and cannot be tampered with. Finally, availability guarantees that authorized users can access the information when they need it. Together, these three principles form the basis of a robust (information) security posture.
What is ISO 27001?
ISO 27001 is a standard for an ISMS. Despite what many people believe, an ISMS is not a type of software. Just as every company manages its finances in some deliberate way, ISO 27001 is about deciding how the organization wants to manage its information and ensure its security.
The business value of implementing ISO 27001 extends far beyond receiving a certificate. Achieving compliance is a competitive advantage, and it can build trust with customers and partners, showing them that you take security seriously. Internally, it reduces risk and helps prevent costly data breaches and downtime. A structured ISMS also creates clear processes and fosters a stronger security culture throughout the organization.
The ISO 27000-family
The ISO 27000-family consists of information security standards. Below is an overview of the standards we consider the most important members of the family.
ISO 27001
This is the core standard that outlines the requirements (clauses 4-10) for establishing and maintaining an ISMS. It is the only standard in the family that your organization can be audited and formally certified against. ISO 27001 also contains Annex A, which lists 93 controls.
ISO 27002
This standard is a detailed supporting guide that provides best-practice recommendations for implementing the security controls listed in ISO 27001’s Annex A. Think of it as the “how-to” handbook that explains the controls, while 27001 explains the requirements.
ISO 27003
This standard provides high-level, strategic guidance on the entire project of implementing an ISMS. While ISO 27002 focuses on individual controls, ISO 27003 helps you plan and execute the setup of your management system from start to finish. While not widely used, it gives newcomers to the ISO 27000 family a good understanding of the requirements in ISO 27001.
ISO 27005
This standard is exclusively focused on information security risk management. It provides a detailed framework for how to conduct the risk assessment and treatment processes that are required by ISO 27001. Furthermore, the annex gives many examples of vulnerabilities and threats.
ISO 27701
This is a privacy-focused extension to ISO 27001, designed to help you protect Personally Identifiable Information (PII). It is a vital tool for managing data privacy and demonstrating compliance with regulations like GDPR.
If an organization is already ISO 27001 certified, it can extend its ISMS to cover privacy management and obtain a certification confirming that the system has been enhanced to meet the requirements of ISO 27701.
ISO 27017
This standard provides specific security guidance and additional controls for cloud computing environments. It is essential for both cloud service providers and their customers to manage the unique security responsibilities that come with using the cloud.
Overview of the ISO 27001 requirements
The core requirements of the ISO 27001 standard are detailed in clauses 4 through 10.
This entire structure is built upon the Plan-Do-Check-Act (PDCA) cycle. The philosophy of the PDCA-cycle is that you plan an action, execute it, check the result, and finally act on that result to improve.
The cycle is woven directly into the standard’s requirements, and ensures continuous improvement of the ISMS.
Plan
The process begins with the Plan phase, containing multiple clauses.
The Plan phase starts with Clause 4, Context of the Organization, which requires the business to understand its internal and external issues, as well as the needs of its stakeholders like customers and employees.
Next, Clause 5, Leadership, mandates active commitment from top management, who must establish the security policy and assign clear roles and responsibilities. In practice, you should ensure commitment from management before the ISMS-process is initiated.
Clause 6, Planning, is where the organization defines its risk assessment methodology to identify threats and sets clear, measurable security objectives.
To make the ISMS possible, Clause 7, Support, ensures that necessary resources, staff competence, awareness, communication, and documentation are all in place.
Do
Once the comprehensive planning is complete, the organization moves into the Do phase, which is covered by Clause 8, Operation.
This is where plans (e.g. the risk management framework from Clause 6) are put into practice through the implementation of security processes and controls. It involves the day-to-day execution of the risk treatment plan to mitigate the identified risks effectively.
Even though this clause is summed up in a single paragraph, this is by far the most comprehensive part of implementing ISO 27001. It may take from three months to a year – or even several years for some organizations.
Check
To ensure the system is working as intended, the Check phase, detailed in Clause 9, Performance Evaluation, comes into play.
This involves monitoring and measuring security performance, conducting internal audits to verify compliance with internal rules, and holding regular management reviews where top leadership assesses the effectiveness of the entire security system.
Act
Finally, the cycle concludes with the Act phase, outlined in Clause 10, Improvement.
Based on the results from the performance evaluation, the organization must address any nonconformities and take corrective actions to resolve the root cause of problems, as well as continually improve its ISMS.
This clause ensures that the management system constantly evolves and improves its maturity and effectiveness over time.
By structuring the requirements this way, ISO 27001 creates a logical and resilient security posture where planning (4-7) leads to execution (8), followed by rigorous evaluation (9) and continual improvement (10).
Annex A
It might surprise some to learn that Annex A is only mentioned in one clause in the entire mandatory part of the ISO 27001 standard (clauses 4-10). However, this single mention in clause 6.1.3 is what gives the annex its enormous impact on any practical implementation.
Clause 6.1.3 acts as a bridge, connecting your unique business risks to the standard’s generic list of controls. You are not allowed to simply ignore this list of controls; you must have a valid, documented reason if a control has not been implemented.
Annex A consists of 93 controls, including 38 organizational controls, 8 people controls, 14 physical controls and 34 technical controls. Examples of controls are access control, information security during disruption, user endpoint devices, capacity management and logging.
The controls are all described with one sentence each. This could easily lead to interpretation issues, problems with implementation and challenges in the audit process. This is where ISO 27002 comes into play.
While Annex A in ISO 27001 states the requirements, ISO 27002 presents guidance for each control. It is important to state that ISO 27002 does not require any sub-controls; it simply provides guidance and ways to implement the controls from ISO 27001.
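The clause 6.1.3 rule described above, that every Annex A control must either be applied or be excluded with a documented reason, is something you can check mechanically against your Statement of Applicability (SoA) before an auditor does. The following Python script is an added example written for this post, not code from the standard or from Trifork Security. The control catalogue is a constructed subset of eight controls (identifiers and names follow the ISO/IEC 27002:2022 numbering; the real Annex A has 93), the SoA entries are made up, and the "no_risk_link" finding is an assumption of this example: it treats an included control that is tied to no risk-register entry as a gap, which is stricter than the text above requires but reflects the bridge between risks and controls that 6.1.3 is meant to be.

```python
"""Consistency check of a Statement of Applicability (SoA) against a control catalogue.

Example code written for this post. The catalogue is a constructed subset of
Annex A controls (ISO/IEC 27002:2022 numbering), and the SoA entries are invented.
"""
from dataclasses import dataclass

# Constructed subset of the Annex A catalogue: id -> (category, control name).
CATALOGUE = {
    "5.1": ("organizational", "Policies for information security"),
    "5.15": ("organizational", "Access control"),
    "5.29": ("organizational", "Information security during disruption"),
    "6.3": ("people", "Information security awareness, education and training"),
    "7.1": ("physical", "Physical security perimeters"),
    "8.1": ("technological", "User endpoint devices"),
    "8.6": ("technological", "Capacity management"),
    "8.15": ("technological", "Logging"),
}


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str = ""     # required (clause 6.1.3) when applicable is False
    risk_refs: tuple = ()       # risk-register ids the control treats (assumed field)


# Constructed SoA with deliberate defects so every finding type is exercised.
SOA = [
    SoAEntry("5.1", True, risk_refs=("R-01",)),
    SoAEntry("5.15", True, risk_refs=("R-02", "R-05")),
    SoAEntry("5.29", True),                         # included but tied to no risk
    SoAEntry("6.3", True, risk_refs=("R-03",)),
    SoAEntry("7.1", False),                         # excluded with no justification
    SoAEntry("8.1", True, risk_refs=("R-04",)),
    SoAEntry("8.1", True, risk_refs=("R-04",)),     # duplicate row
    SoAEntry("8.6", False, "No self-hosted infrastructure; capacity is managed "
                           "by the cloud provider under contract"),
    SoAEntry("8.16", True, risk_refs=("R-06",)),    # id not in the catalogue (typo)
    # 8.15 Logging is absent from the SoA altogether
]


def _key(control_id: str) -> tuple:
    """Sort '5.15' after '5.1' numerically rather than lexically."""
    return tuple(int(part) for part in control_id.split("."))


def check_soa(soa, catalogue):
    """Return findings grouped by type; every list empty means the SoA is consistent."""
    findings = {
        "missing": [],                 # catalogue control with no SoA row
        "unknown": [],                 # SoA row whose id is not in the catalogue
        "duplicate": [],               # control listed more than once
        "unjustified_exclusion": [],   # excluded without a documented reason
        "no_risk_link": [],            # included but linked to no risk
    }
    seen = set()
    for entry in soa:
        cid = entry.control_id
        if cid not in catalogue:
            findings["unknown"].append(cid)
            continue
        if cid in seen:
            findings["duplicate"].append(cid)
            continue
        seen.add(cid)
        if not entry.applicable and not entry.justification.strip():
            findings["unjustified_exclusion"].append(cid)
        if entry.applicable and not entry.risk_refs:
            findings["no_risk_link"].append(cid)
    findings["missing"] = sorted(set(catalogue) - seen, key=_key)
    return findings


def is_audit_ready(findings) -> bool:
    """True when no finding of any type was raised."""
    return not any(findings.values())


def coverage_by_category(soa, catalogue):
    """Count applicable controls per Annex A category (organizational, people, ...)."""
    counts = {}
    for entry in soa:
        if entry.control_id in catalogue and entry.applicable:
            category = catalogue[entry.control_id][0]
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    result = check_soa(SOA, CATALOGUE)
    for kind, ids in result.items():
        for cid in ids:
            name = CATALOGUE.get(cid, ("", "<not in catalogue>"))[1]
            print(f"{kind:22s} {cid:5s} {name}")
    print("audit ready:", is_audit_ready(result))
```

Run as-is the script reports one finding of each type (8.15 missing, 8.16 unknown, 8.1 duplicated, 7.1 excluded without a reason, 5.29 not linked to a risk) and reports that the SoA is not audit ready. In a real implementation the catalogue would hold all 93 controls and the SoA would be loaded from whatever spreadsheet or GRC tool you keep it in.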
Implementing ISO 27001
One of the most common pitfalls in approaching ISO 27001 is diving straight into the Annex A controls without first understanding the broader context.
While the controls are important, treating them as a simple checklist misses the entire point of the standard and often leads to a system that doesn’t fit the business. A successful implementation begins not with the controls, but with the framework.
The most effective approach is to start with clauses 4-10. This is where you build the foundation for your entire security program. This means securing genuine buy-in from top management, as their leadership is the single most critical factor for success.
It also involves establishing a robust risk management framework that is tailored specifically to your organization’s size, culture, and risk appetite.
When you focus on these core elements first, the controls you later select from Annex A become more than just formalities — they become relevant, proportionate tools that address your real risks.
This process can seem complex, but you don’t have to navigate it alone.
At Trifork Security, we help organizations make sense of ISO 27001 and turn the requirements into a practical, value-adding security framework. We are always happy to start with an informal conversation about your goals and where you are today.
As a first step, we can conduct a GAP analysis to map your current security posture against the standard’s requirements and controls. From there, we will work with you to define a clear, actionable roadmap for your implementation.
Please reach out if you want to know more.