ISO 27001: What It Is, Why It Matters, and How Organizations Use It

Written by Coursera Staff

Learn about ISO 27001, the industry standard for information security management, and how you and your organization can comply to help reduce cybersecurity threats.

[Featured Image] An instructor leads a discussion about ISO 27001, answering questions from learners about its role as a global standard and how it impacts ISMS.

Key takeaways

  • ISO 27001 is the global standard for information security management, helping organizations keep their information and systems safe.

  • To earn ISO 27001 certification, your organization must comply with the required clauses and controls and pass audits.

  • ISO 27001 certification benefits a company not only for security purposes but also for building a positive reputation.

  • Familiarity with ISO 27001 is useful across a range of cybersecurity careers, such as cybersecurity analyst and penetration tester.

Learn how earning an ISO 27001 certification can be a positive step toward effectively securing your organization's information and systems. If you’re ready to start building cybersecurity skills, consider enrolling in the IT Fundamentals for Cybersecurity Specialization from IBM. This four-course series can help you develop skills in cloud security, incident response, malware protection, responsible AI, and more.

What is ISO/IEC 27001?

ISO 27001 is a global security management standard for information security, formally known as ISO/IEC 27001. ISO is the International Organization for Standardization, while IEC is the International Electrotechnical Commission. Together, these two parties created ISO/IEC 27001. By following ISO 27001 standards, you can ensure you have the necessary systems in place to provide adequate protection of your network, digital assets, and information. Organizations that wish to demonstrate their compliance with ISO 27001 can earn certification to help build confidence with investors, customers, and other organizations, showing their dedication to keeping systems and information secure.

The role of an information security management system (ISMS)

An ISMS is an organization's approach to information security: an overarching framework of policies and procedures for achieving security objectives and protecting information against cyberattacks. Your exact ISMS approach depends on your organization's needs and the areas where you face higher risk. For example, a health care organization will place extra emphasis on securing patient data, while a human resources department may implement access controls that determine which employees can reach sensitive information, mitigating the risk of insider threats.

What ISO 27001 requires organizations to do

ISO 27001 requires organizations to follow mandatory clauses and apply the specific controls relevant to their needs. ISO 27001 includes 11 clauses. The first four serve as an introduction to the framework, while the final seven set out the mandatory compliance requirements. To comply, organizations must select the most relevant of the 93 Annex A controls listed by ISO 27001.

ISO 27001 requirements

Clauses 4 through 10 of ISO 27001 set the requirements to ensure your organization's compliance. For example, clause 4 deals with the context of the organization, requiring you to clearly define the scope of the ISMS and its assets, and explain how they apply. Details about clauses 5 through 10 include the following:

  • Clause 5: Leadership: Defining the roles and responsibilities of leadership, with clear security objectives and a commitment to providing the necessary resources.

  • Clause 6: Planning: Identifying vulnerabilities and documenting security plans that address the findings.

  • Clause 7: Support: Providing the support the ISMS implementation needs, such as technology, budget, and communication channels.

  • Clause 8: Operation: Planning security processes and how your organization intends to implement them, and documenting these processes as they operate.

  • Clause 9: Performance evaluation: Monitoring and evaluating the performance of your ISMS through internal audits.

  • Clause 10: Continuous improvement: Continually improving your ISMS based on performance evaluations and correcting flaws as they appear.

ISO 27001 controls

ISO 27001 contains 93 different controls, called Annex A controls, that support compliance through effective ISMS implementation. These Annex A controls break down into four categories under the themes of organizational controls, people controls, physical controls, and technological controls:

  • Annex A.5: Organizational controls, including policies on access control, equipment, and expected user behavior.

  • Annex A.6: People controls, such as skills and training programs, that prepare users and teach safe ISMS practices.

  • Annex A.7: Physical controls that organizations can implement to protect against unauthorized access to equipment.

  • Annex A.8: Technological controls that keep systems secure, implemented through firmware, hardware, and software.

Is ISO 27001 a legal requirement?

ISO 27001 itself isn’t a legal requirement. However, it’s helpful for complying with legal requirements in industries with mandatory regulations, such as health care.

Getting certified vs. staying compliant

Getting ISO 27001 certified requires following several key steps: preparing and developing a plan, undergoing audits, and maintaining your ISMS, with recertification every three years. Receiving certification depends on your organization's ability to demonstrate that its ISMS complies with the standard, which the audit stage of the certification process verifies.

ISO 27001 certification

To achieve ISO 27001 certification, a plan must first be in place detailing the scope of your ISMS and who will be in charge of it. To determine the scope, conduct risk assessments to identify where you need protection, and implement controls accordingly.

Once you have implemented a compliant ISMS, you undergo internal and external auditing in three stages. The first stage confirms you have the necessary documentation, and the second examines your security functions in operation. After certification, annual surveillance audits maintain your certification and demonstrate your commitment to continuous improvement. Lastly, every three years, you complete a recertification audit to renew your ISMS certification.

What it means to be an ISO 27001-certified company

Being an ISO 27001-certified company means customers and investors can put their trust in your organization, knowing you take your cybersecurity preparation seriously. It can positively impact your standing in your industry, helping you gain a competitive edge while enhancing your reputation. The added trust that comes with being an ISO 27001-certified company means you can face fewer barriers when entering new markets and expanding operations.

What is the difference between ISO 27001 and ISO 31000?

The difference between ISO 31000 and ISO 27001 is that ISO 31000 takes a much broader approach to risk management. It covers all areas of risk management within an organization, whereas ISO 27001 is specifically for information security management.

Why ISO 27001 matters for information security careers

Because ISO 27001 is the global standard for information security management, familiarity with it is valuable for cybersecurity professionals. The core components of an ISMS, assessing and managing the risk to digital information and systems, fall directly under the responsibilities of various cybersecurity careers, such as cybersecurity analyst, information security analyst, and penetration tester.

Read more: 5 Cybersecurity Career Paths (and How to Get Started)
