
Compliance & Frameworks

For GRC and audit roles


1. Beginner

What is ISO 27001 and what does certification mean?

Full Answer

ISO 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for establishing, implementing, maintaining, and continually improving an organisation's information security programme.

What ISO 27001 covers:

• Organisational context — Understanding the organisation, its stakeholders, and the scope of the ISMS.
• Leadership — Management commitment, security policies, and defined roles and responsibilities.
• Risk assessment — Identifying information security risks to assets and assessing their likelihood and impact.
• Risk treatment — Selecting controls from Annex A (93 controls across 4 themes in ISO 27001:2022) to treat the identified risks.
• Operational controls — Implementing security controls across people, processes, and technology.
• Performance evaluation — Monitoring, measuring, internal audits, and management review.
• Continual improvement — Corrective actions and ongoing improvement of the ISMS.

What certification means:

An organisation achieves ISO 27001 certification by:

1. Implementing an ISMS aligned with the standard.
2. Undergoing a Stage 1 audit (documentation review) and a Stage 2 audit (implementation verification) by an accredited certification body (e.g., BSI, Bureau Veritas).
3. Passing the audit and receiving certification (valid for 3 years, with annual surveillance audits).

Certification demonstrates to customers, regulators, and partners that the organisation has a systematic, risk-based approach to information security — not just ad hoc controls. ISO 27001 does not mandate specific technologies but requires evidence-based risk management and documented processes.