ISO 27001 FAQs

Absolutely not. ISO 27001 is about the Confidentiality, Integrity and Availability of data. Many people forget the second two. You could be a taxi company taking people to medical appointments or court, where confidentiality matters. You could be a shop fitting company needing to make sure the plans are correct, where integrity matters. You could also be a chemical provider that needs to ensure MSDS and COSHH sheets are available to the public. ISO 27001 is relevant in all cases.

No. In fact sometimes too much technical knowledge can blind you. You need to combine many skills and while understanding of technical elements is essential, you don’t need to be a technical expert.

Please don’t ask questions like this! However it’s understandable why one might get confused. The current certifiable standard is the 2013 version. However, due to the addition of other bodies such as EN, IEC etc., versions dated 2015 and 2017 have been issued. Also, some national versions have other issue dates. However, these are all identical to the 2013 version. If you are certified to the 2013 version (and this is the only one accredited by UKAS) you are working to the latest version. And don’t let anyone sell you anything different.

ISO 27002 is probably being issued October 2021 or possibly March 2022. It looks like there will be a major rewrite of Annex A. However, this is not – repeat not – a change to the auditable part of the standard. That is not likely to come for a couple of years and even then all organisations will have a transition period. So, there’s really no need to panic about this.

Yes – see above. But we must remember ISO 27001 isn’t just an IT standard: it’s as relevant to you if you use quill pens and parchment as the cloud. Also, not everyone is at the cutting edge of technology. Rewriting the standard so that it only covers the latest developments would not only date it very quickly it would also limit the applicability.

Possibly but also the ISO is going down the route of creating additional Codes such as ISO 27017, ISO 27018 and ISO 27701. These give them more flexibility of offering additional controls in specific sectors or industries without making the core standard into a monster that becomes unworkable to smaller organisations.

What you find is many standards and requirements cover similar but different ground. Certainly, many of the DFARS headings and ISO 27001 clauses are very similar but ISO 27001 tends to be broader, covering additional areas.

Explain, communicate, train but most important is Leadership.

Absolutely. The ISO 9001 management systems are based on Annex SL and designed to be integrated. You can save time and money with integrated management systems.

Contact the Alcumus ISOQAR sales team and they can point you in the direction of where you can get more information to help yourself if you want to implement the standard yourself. For example, watch our webinar recording. You can also go on an ISO 27001 training course. We often recommend you get support from an independent consultant listed on the Alcumus ISOQAR Associate Network.

Ask for a quote from the sales team at Alcumus ISOQAR. In the long term it should save you money. If it doesn’t –  chances are you’ve done it wrong!