Key Takeaways

  • ISMS: Information Security Management System. ISO 27001 doesn't tell you "Use Firewalls." It tells you "Have a Process to decide if you need Firewalls."
  • Risk Assessment: The core of the standard. Identify assets, identify threats, evaluate risk, and implement controls (Annex A).
  • The Badge: Companies get certified to show clients "We are safe." It is often a requirement to bid on government contracts.

You cannot just "buy" security. You must manage it. ISO 27001 is the paperwork that proves you aren't asleep at the wheel.

The CIA Triad

ISO 27001 protects three properties of information, known as the CIA triad:

  • Confidentiality: only authorised people and systems can read the information.
  • Integrity: the information is accurate and complete, and changes to it are controlled and detectable.
  • Availability: the information and the systems that hold it are accessible when needed.

The 114 Controls (Annex A)

The standard lists 114 potential security controls, including:

SOC 2 vs ISO 27001

ISO 27001 is global and rigid (pass/fail: you either receive the certificate or you don't). SOC 2 is mostly US-centric and flexible (there is no certificate; the auditor writes an attestation report describing your controls and any exceptions found). Most SaaS companies need both.

Frequently Asked Questions (FAQ)

How long does it take?
6 to 18 months. It is painful, because you have to document EVERYTHING. "How do you onboard a new employee?" Write it down.
Who audits you?
External accredited bodies (like BSI or Bureau Veritas). They visit your office, interview employees, and check if you actually follow your own rules.