Smithers provides ISO 27001 certification and assessment services. With all of the focus on the NIST 800-171 and CMMC standards over the last few years, ISO 27001 has not received as much attention as it should. This article will detail what ISO 27001 requires, who should pursue the certification, and how ISO 27001 relates with other certifications.


What is the ISO 27001 Certification?

If your organization has an information security management system (ISMS), you should definitely consider pursuing an ISO 27001 certification. An ISMS includes the processes, people, technology, and procedures that will protect sensitive data. The ISO 27001 ensures all facets of your ISMS are working efficiently and effectively. ISO itself defines the ISO 27001 as a standard that “provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.” Being able to place the ISO 27001 certification on your company website reflects to your partners, vendors, and customers that you are following international standards and best practices. If you are a manufacturer and are wondering if you should pursue the ISO 27001, there are a few things to consider:

- If you have already earned the ISO 9001 certification, you are on your way toward ISO 27001 certification. The process will be less complex and will take less time.

- If you want to pursue the NIST/CMMC certification, ISO 27001 will help you get on the right path while also earning you an additional certification.

- If you sell internationally, an ISO 27001 is highly beneficial.

- Of course, if your client mandates the ISO 27001, you certainly want to get that certification as soon as possible.

How is ISO 27001 Going to Benefit My Company?

Helping to prevent a serious data breach is the most obvious benefit of earning an ISO 27001 certification, but there are several other benefits as well. Here are just a few.

ISO 27001 and Business Agility

Cybersecurity is perpetually changing, but with an ISO 27001 certification your company will be. With every technological innovation, new opportunities and new risks arise. Once your company has the ISO 27001 management system in place, these changes will not inspire panic. You will be able to pivot as a whole team and adapt to whatever the changes are.

ISO 27001: Information Security Management Systems (ISMS)

The people that you work with want to know that their data is protected when they submit it to you. Being able to present an ISO 27001 certification on your website immediately signifies that you have policies and procedures in place to ensure data is kept as safe and secure as possible. A strong ISMS will help diminish the severity of cyber attacks and will also help to limit the number of attacks over time.

ISO 27001 Focuses on the Human Factor

In the 2023 Verizon Data Breach Investigations Report, it is noted that approximately 74% of data breaches that occurred were spurred by a human error. Part of earning an ISO 27001 certification is creating awareness, training methodologies, and resources to help prevent human error that can lead to serious cybersecurity issues.

Cybersecurity Done Right is a Money Saver

Although earning an ISO 27001 can represent a heavy lift both in terms of time and money, the value quickly amortizes the cost. For every avoided cyberattack, your business can save hundreds of thousands of dollars. Additionally, the clients that will stay with you and the new clients that you earn will quickly offset any expenses derived from the process. It is a solid investment simply by the nature of the ISO 27001 structure.

Need Some Help? Contact Us Today.

Show Policy

Follow us on LinkedIn

The Three ISO 27001 Principles, or the CIA Triad

The heart of ISO 27001 consists of three key principles. They are Confidentiality, Integrity, and Availability. Let’s explore each of these in some detail.


This is the most intuitive of the three principles. Confidentiality simply means that only the right people can access information, whatever that information may be. A risk type that confidentiality assists with is a criminal accessing information and making it widely available.


Preserving the integrity of your data means that your organization is properly storing important data. That means not only that it is secure but also that no one is damaging or erasing the data. Damaging or erasing data can be done on purpose or accidentally, but with ISO 27001, data is set up so that accidents are far less likely to happen.


You might find it strange that availability is a principle of a cybersecurity certification like ISO 27001, but being able to get information into the right hands is just as essential as keeping confidential information out of the wrong hands. A business needs to be able to make data accessible for customers and employees while also ensuring security. Anyone who accesses your information will know that their information is protected but available to them whenever they need it. That is how companies can instill confidence with their customer base in the current cybersecurity era.

What are the ISO 27001 Requirements?

The ISO 27001 document begins with a detailed overview. ISO 27001 begins in a similar manner to ISO 9001, starting with clause four and carrying on through to clause ten. Let’s dig into those seven clauses in some detail. There are slight differences in these first seven clauses between the two ISO standards.

Clause Four

Clause four can be summarized as “context of the organization.” While this may sound simple, clause four is one of the more expanded clauses in the standard. Overall, context means understanding the internal and external factors in which an organization is running. As part of your ISO 27001 process you will need to make sure you accomplish the following about your organization’s context: - What do your customers, vendors, and employees need? - What is the scope of your ISMS going to be? You should be able to answer this question quickly for an auditor or for any interested party who asks. - How is your leadership going to be a resource throughout the process? Leadership commitment is essential.

Clause Five

Speaking of leadership, clause five deals entirely with the role management should place in the ISMS implementation process. It is the responsibility of management to distribute policies to employees, set objectives, define roles and responsibilities, and more. Who will be monitoring the ISMS? Who will be responsible for implementing the information security policy? All of these questions stop with the management of an organization in the ISO 27001 process.

Need some help? Contact one of our cybersecurity experts.

Click Here

Clause Six

Clause six defines how you will handle both risks and opportunities. The goal with this clause is to set objectives that can be measured with ease. Tracking progress is important as is showing continuous improvement. A good example of a goal for this clause is, “We want to reduce incidents by 20% over the next year.”

Clause Seven

We have mentioned resources a couple of times in passing, but clause seven deals entirely with resources. It easy to think of resources only as “things” or “supplies,” but they are defined differently in ISO 27001. Resources can be:
- Competence of employees

- Awareness of the information security policy and employee roles/responsibilities

- Documented information and guidance, how to store these documents and where to store them

Remember, all data must be secure yet accessible for the people who need it.

Clause Eight

Now that you have defined roles, responsibilities, the scope of your organization’s ISMS, and more, it is time to establish how your ISMS and associated policies will be assessed. At a minimum, the ISMS should be audited once a year in detail to assess the controls, but realistically, the ISMS needs to be touched daily. Especially when the ISMS is in its first months of operation, the Chief Information Security Officer (CISO) or whomever is responsibly for day-to-day operations should look for places where policies might need to be updated or where information needs to be deleted. As part of this clause, the organization needs to look at potential risks and how to eradicate those risks.

Clause Nine

While clause eight covers monitoring of controls, clause nine covers monitoring/assessing performance of the ISMS. This work is done both internally and by an external auditor.

Clause Ten

Finally, there is clause ten, which deals with non-conformities, or areas where there were weaknesses or errors in the ISMS. These non-conformities have to be documented carefully and then a treatment plan needs to be established and implemented. Once actions have been taken, those need to be documented along with the final results.

Annex A

The heart of ISO 27001 is Annex A, a series of 93 controls that truly differentiate ISO 27001 from ISO 9001.

The controls are categorized as follows:

5: Organizational - 37 controls

Ranging from how information is labeled to how information is secured during disruptions.

6: People - 8 controls

Ranging from screening to physical security monitoring.

7: Physical - 14 controls

Includes equipment maintenance, media storage, and more.

8: Technological - 34 controls

Contain many complex controls ranging from cryptography to securing the system's architecture and network.

ISO 27001: An Organizational Standard from Top to Bottom

As you can see, the decision to pursue an ISO 27001 certification requires a “full body workout” on the part of the organization. Everyone needs to be involved and coordinated with clarity on roles and responsibilities. ISO 27001 places a lot of emphasis on the role of management, not only to support the process but also to monitor performance and ensure all employees are receiving the training they need. If you are interested in learning more about this standard or if you have any questions, please contact us today. 
ISO 27001 Controls

Latest Resources

See all resources