ISO 27001 Information Security Management Standard - Principle 1

Posted by Craig Thornton

Part 2 - Analysing the Protection of Your Information and then Applying Controls

Organisations spend years and umpteen thousands of staff-hours gathering, creating, and sorting information.  A whole slew of people in every organisation – including all of those who went before – have spent, or will spend, countless hours gathering this material.  The information is sometimes hard-won, or the result of a set-back, or failure.  The information comes from many sources, including individuals, teams, contractors and customers.  The knowledge that your organisation holds is the sum total of many minds and many, many hours of work.  It doesn’t come cheap, nor does it come easy.

Security idea generation focus concept. Magnifying glass verifying a group of server gears representing internet protection from cyber crimes or teamwork leader concept

Organisations don’t spend a large portion of their time dealing with information because they think it’s a rather good idea.  No, they do so because information is what makes the difference between them succeeding at their goals, and them failing.  Information is an extremely valuable asset.  You wouldn’t let your factory just take care of itself.  Your team maintains the building.  You protect it.  You insure it.  You lock it up when it’s not being used.  It’s a vital asset, so you actively look after it.  Information should be no different.  It’s an investment.  To treat information in a nonchalant or haphazard way is to risk everything that you, your colleagues, shareholders and Boards have worked so hard for.

I believe that the best way to take care of your valuable information asset is to implement an information security management system (ISMS).  An ISMS will get you clarity and control.  It will help you deal with risk, and help you cope with many of the issues that come along with growth.  If you are serious about looking after your information asset, ISMS should be your tool of choice. 

The first principle you’ll need in creating your ISMS is a philosophy of care.  There needs to be a commitment from you and your team to analyse the protection of your information assets and then to apply controls to make sure these protections are effective.  Having a successful ISMS is a big undertaking and you’ll need everyone on board from the beginning.  Agreeing to a philosophy of care is a strong, foundational first step.

With your foundation set, your next move is to analyse the nitty-gritty of your information system.  I’m a huge fan of using the process approach to do this.  I’ve written about it in more detail here, but in a nutshell, the process approach is all about recognising that business activities are best understood as interrelated processes.  And while it’s important to use the process approach when implementing your system, it’s also important to use it when you’re maintaining your system.   

The next step, then, is list all your information assets.  What have you got, how is it stored, and by what means is the information transmitted?

Your information will be stored in multiple ways.  These could be:

  • Digital (e.g. data stored electronically)
  • Material form (e.g. on paper or on whiteboards)
  • Knowledge (e.g. know-how by employees or even your contractors and customers).

In addition your information can be transmitted in different ways.  These could be:

  • Digitally (e.g. email or messenger )
  • Physically (e.g. post or courier)
  • Verbally (e.g. during meetings with employees)

Once you have listed the information it can be further analysed with a risk assessment.  This involves identifying the risks associated with each piece of information.  Analysing these risks will help you to gain a deep understanding of what harm could be inflicted if that data is compromised.  Once you have a deep understanding, you then evaluate that risk against some kind of risk criteria to determine if the risk is acceptable to your business or not.  At this point it can be quite confronting to suddenly clearly see the gaps and weaknesses in your current system.  If ignorance is bliss, then reality can be very upsetting indeed.

Next you need to implement controls to ensure that your information assets continue to be well protected.  These could include things like:

  • Data being managed on a fully redundant hardware platform where there is no single point of failure.
  • Hard disks that can be hot-swapped (this means that a technician can replace a faulty drive while the storage system is still working without data loss).
  • Your building having 24/7 alarm monitoring.

Once these controls are in place you have to monitor, maintain and improve the effectiveness of the controls.  Information needs and demands change over time and with technology, so maintenance of the controls is an absolute must.

Organisations are at their most efficient when accurate and complete information is available in a timely manner to those with an authorised need.  A robust ISMS will ensure that you preserve the availability, confidentiality and integrity of the information you need.



  1. Implement the following philosophies for your business:
    • Analyse the protection of your information assets.
    • Take a risk assessment approach to the information assets
    • Apply controls to reduce risk to those assets.
  2. Commit to managing these philosophies using an information security management system.




Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification