ISO 27001 Overview: What It Is, What It Covers, and What It Does Not

September 5, 2023

A lot of organisations pursue ISO 27001 certification because a customer asked for it. That is a legitimate reason. The problem is that when the driver is a checkbox rather than a genuine understanding of the standard, the programme that follows often does not deliver what either party expects. Certification arrives, the customer is satisfied, and the business is left managing a compliance programme it does not fully understand.

ISO 27001 is worth understanding on its own terms. It is the most widely adopted international standard for information security management, and when implemented properly it creates a genuine foundation for managing security risk. When implemented poorly, it creates a folder of documents that no one uses and an audit trail that tells auditors very little about actual security posture.

What ISO 27001 Actually Is

ISO 27001 is a management system standard. That means it specifies requirements for how an organisation manages information security, not which specific technical controls must be in place. The standard is published by the International Organisation for Standardisation and the International Electrotechnical Commission, and the current version is ISO/IEC 27001:2022. Certification is issued by an accredited third-party certification body following a two-stage audit.

The standard is built around a Plan-Do-Check-Act cycle. Organisations must define the scope of their Information Security Management System (ISMS), assess the risks to information within that scope, select controls appropriate to those risks, implement and operate those controls, monitor and measure their performance, and conduct regular internal audits and management reviews. None of this is cosmetic. An accredited auditor will look for evidence that each of these activities is actually happening.

What the Standard Covers

ISO 27001 covers the management of information security across three dimensions: confidentiality, integrity, and availability. The scope of the ISMS can be the entire organisation or a defined part of it, such as a specific product, service, or business unit. Within that scope, the standard requires a documented risk assessment methodology, a risk register, a Statement of Applicability, documented policies, and evidence of operational controls working as intended. The certification audit examines all of these elements, not just the documentation.

Annex A of the standard lists 93 controls across four themes: organisational controls, people controls, physical controls, and technological controls. These are not all mandatory. They are a reference set. Organisations must assess which controls are relevant to their risk profile, justify any that are excluded, and document that reasoning in the Statement of Applicability. That document is one of the most scrutinised artefacts in a certification audit, and auditors will cross-reference it against the risk register to verify that control selection was driven by genuine risk decisions rather than template defaults.

What ISO 27001 Does Not Require

The standard does not mandate specific technologies. It does not require a particular firewall vendor, a specific endpoint protection product, or a named security information and event management platform. It requires that controls appropriate to identified risks are in place and operating effectively. How an organisation achieves that is a matter of judgement, documented in the risk treatment plan and the Statement of Applicability.

ISO 27001 also does not guarantee that an organisation has never suffered a breach, that it is immune to attack, or that all its suppliers meet the same standard. Certification means that, at the time of audit, the ISMS was operating as documented and controls were functioning as designed. Maintaining that posture between audits is the organisation's responsibility, and it is what surveillance audits in years one and two are intended to verify.

What Certification Should Mean

A certificate issued by an accredited certification body following a genuine Stage 1 and Stage 2 audit means that an independent auditor has reviewed the ISMS, tested controls against documented scope, and found the system to conform with the standard's requirements. That is meaningful assurance. It is not the same as a self-assessment or a readiness report issued by a consultant without third-party verification.

We have guided clients including a Sydney-based learning platform and a document intelligence firm through first-pass ISO 27001 certifications within 11 to 12 months. In each case, the certificate reflected a programme that was built from genuine risk decisions, not template defaults. Customers and enterprise buyers increasingly know the difference, and so do the auditors who verify claims made in security questionnaires.

To discuss an ISO 27001 programme for your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?