
Fact Sheet: Introduction to ISO 27001

Information Security Management Systems


ISO 27001:2013 and data protection law

What's the problem?


In 2015 PricewaterhouseCoopers (PwC) released its 2014 survey on the Global State
of Information Security, which revealed that the number of reported information
security incidents had risen by an average of 66% a year over a five-year period. The
survey also reported that, in 2014, the total number of reported security
incidents had reached 42.8 million worldwide.
The UK Information Commissioner's Office 2015/2016 annual report records that
it received 16,388 reports of potential data security breaches during the year.
Meanwhile, in June 2016 alone, typical breaches being reported by
databreaches.net included:

- 360 million MySpace accounts hacked
- 45 million personal records stolen from domain host Verticalscope
- archived paper copies of patient medical records in the East Riding of
  Yorkshire lost by a private storage company
- 3,000 patient medical records inappropriately accessed by a nurse at West Wales
  General Hospital

Clearly, our data is leaking at an alarming rate, and the organisations that have a
duty to protect it could do much more.

EU & UK Law
The Data Protection Act 1998 (in force since March 2000) lays down some
principles for data security:

- design and organise your security to fit the nature of the personal data
  you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring
  information security;
- make sure you have the right physical and technical security, backed up
  by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

© 2016 The HSQE Department Ltd t/a Construction Certification
Registered Office: 2, Stafford Place, Weston-super-Mare, Somerset, BS23 2QZ
01934 316224/07909 528942
http://www.thehsqedepartment.com
VAT Registration Number: 107156144

Moreover, the EU General Data Protection Regulation (GDPR) was adopted in April
2016. This regulation takes data protection to a significantly higher level, and
organisations that hold personal data about individuals in the member states have
until 25 May 2018 to comply with it. The UK Information Commissioner's Office
has stated its opinion that, even if the Regulation isn't passed into UK law, it will
still be relevant for many organisations here. GDPR is designed to produce a
Digital Single Market by harmonising the existing 28 sets of national data
protection laws into one set of requirements. Fines for breaching GDPR are
potentially serious for organisations that lose data: up to 4% of annual
worldwide turnover or €20 million, whichever is higher.

Who needs to comply?


Quite simply, any organisation that holds data which, on its own or combined with
other accessible data, can be used to identify a living individual in the UK or the EU.

So what is ISO 27001?


ISO 27001 (formally ISO/IEC 27001:2013) is an international standard that
specifies the requirements for an information security management system (ISMS):
a framework of policies and procedures that covers all of the legal,
physical and technical controls involved in an organisation's information risk
management processes.
The standard takes a top-down, risk-based approach to managing information
security, which applies whatever media the data is stored on. The
specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a plan that shows how the controls manage the risks that have
   been identified.

ISO 27001 also sets out requirements for documentation, management responsibility,
internal audits, continual improvement, and corrective action. The standard
requires cooperation among all sections of an organisation. Although ISO 27001
isn't prescriptive about which information security controls to implement, its
Annex A provides a checklist of 114 controls that must be considered, each one
either applied or justified as not applicable.
How can ISO 27001 help my organisation?
The PwC research paper analysed the 20 biggest data breaches during 2014–2015
with the aim of identifying what companies did wrong and what should be
done to address the weaknesses. Victims generally had suitable technical
controls over the information, such as firewalls, antivirus and similar safeguards,
but these weren't sufficient because technology, on its own, won't protect data.
An important finding of the survey was that none of the major victims were certified
to ISO 27001 at the time of the data breaches: they were either not
implementing ISO 27001 at all, or were failing to implement it fully. ISO 27001
goes beyond technical controls and takes into account training, awareness and
the behaviour of the people in the organisation.
The British Standards Institution (BSI) has published a white paper that shows how
ISO 27001 can provide a framework with which to comply with the EU General
Data Protection Regulation. What's more, BSI commissioned a research paper by
the business school of Erasmus University that shows:

- 87% of organisations with ISO 27001 are positive or very positive about its
  benefits
- 78% of certified organisations reported improved levels of legal
  compliance
- 56% of organisations reported a reduced number of security breaches
- 47% of organisations reported a reduction in downtime of IT systems
- 43% of organisations reported an increase in sales

How can I get advice?

The HSQE Department Ltd has years of experience helping companies to
implement ISO management systems, and so can reduce the time and cost
needed to achieve certification. We can carry out gap analyses to identify what
you need to do to comply with ISO 27001, help you to define a plan to implement
any changes, guide the preparation of the Information Security Management
System, carry out pre-certification checks on the compliance of your systems, and
manage the certification visit.
