ISO 27001 Information Security Management Standard - Principle 9

Posted by Craig Thornton

Part 10 - Ensuring a comprehensive approach to information security management

As soon as people see terminology like “information security” and “certification to ISO 27001” their immediate reaction is that this is IT-related and therefore only belongs in the IT Department.  Or it belongs with the geeks and the nerds who service your computers or update your software once in a while. This reaction could not be further from the truth!

Information security involves all areas of your business. 



So if you are wanting to create, implement and maintain an information security management system you need to involve as wide a group in your organisation as possible.  This will enable you to prove that you have taken a comprehensive approach.

Your information assets will not only reside in your IT department.  Your information assets are all over your business.

ISO 27001 Annex A (as aligned with ISO 27002) is full of requirements that aren’t just for the IT department.

Here are just 5 examples of requirements that apply all over your business:

  1. 7.1.1 - Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
  2. 7.1.2 - Terms and conditions of employment: The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.
  3. 7.2.2 - Information security awareness, education and training: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
  4. 7.2.3 - Disciplinary process: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
  5. 8.1.1 - Inventory of assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

So when developing and implementing your systems, be sure to highlight the fact that information security applies across the whole organisation, from top to bottom and for everyone in between.

Therefore take a comprehensive approach to everything you do when creating your information security management system. That doesn’t mean documenting everything and anything.  It just means that you need to consider your whole organisation and everyone that works there, including your suppliers and your contractors.

One further point you need to consider: don’t make the ISO 27001 project a technology-only project. There will be technology solutions for sure, but the success of your ISO 27001 project will come down to your people. Give them a system that they will be engaged in. Give them a system that they will want to use. A simple system will get used more than a complex, difficult-to-understand one.

Now go out there and be comprehensive!

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents
