This article explains the foundation stones of ISO 27001 certification, the internationally recognised certification of an organisation's Information Security Management System (ISMS).

Most organisations assume that an Information Security Management System (ISMS) requires only a strong technology base. Technology certainly plays a crucial role in implementing an ISMS, but it is not everything: on its own it cannot protect an entire organisation from security breaches, cyber theft and malicious attacks. An ISMS rests on two further cornerstones, the members of the organisation and the processes of the organisation. These three pillars are therefore also the pillars of ISO 27001 certification, which ISO (the International Organisation for Standardisation) designed specifically for information security management. Achieving the certification validates an organisation’s ISMS and confirms that it follows best practice for preserving the confidentiality and security of its information assets. This article briefly describes the three cornerstones of the certification to help organisations understand how to achieve it.

Three Basics of ISO 27001 Certification for an Information Security Management System

Members of the Organisation

The first pillar of an ISMS is the ‘people’ of the organisation, because they collect, use, generate, store and exchange information both within and outside the organisation. It is therefore necessary to make them aware of their responsibility to protect that information and to minimise threats of every kind. They must be trained regularly and instructed on how to handle sensitive information assets, spot suspicious cyber activity and comply with the applicable data security regulations. Members of the organisation also need to be familiar with the specific controls, technical methods and current practices they should apply to protect against a wide range of security threats. Most organisations assign responsibility for applying these controls and for mitigating or preventing threats to selected technically adept staff. In every respect, then, the active participation of the organisation’s members in the ISMS is necessary, and it is what ultimately makes ISO 27001 certification succeed.

Processes of the Business

The organisation’s routine processes, which are integral to running the business successfully, are the second pillar of the ISMS and of its ISO certification. Processes consume information, produce new data and define how information is transferred across the organisation. It is therefore essential to keep close track of the processes, their documentation and the information devices used in them. This helps the organisation assess the risks and potential cyber threats that can arise from those processes. Cyber threats also change over time, and new challenges will arise for the organisation. Hence it is crucial to reassess the processes regularly and ensure that all information security controls and practices remain effectively applied.

Technology

The third and most crucial pillar of ISO 27001 certification is the one mentioned earlier: technology. An organisation can identify its potential cyber security threats and existing risks, but the next step, preventing or mitigating them, depends on how effectively it applies technology. It needs to determine the controls and technology applications required to prevent, treat, alleviate and mitigate those risks. Promptness is essential in risk assessment, and the organisation should be prepared with the full range of technical defences so that it can respond quickly to any identified threat. Technological robustness is therefore a fundamental part of the ISMS. It ensures that the organisation’s information security personnel are trained in the relevant cybersecurity and IT methods and can determine which preventive or corrective actions to put in place.

With these three pillars assured in your organisation’s ISMS, it becomes eligible for ISO 27001 certification. The certification is a major business differentiator today, when cyber theft and information security breaches are raising concerns around the world. It demonstrates that your organisation is committed to securing its information assets and confidential data. The certification also signals that your business places special emphasis on information security, which can help attract clients, suppliers, investors and other stakeholders. Your business can therefore gain numerous opportunities while securing its sensitive information.

Author's Bio: 

Damon Anderson is the owner of a trusted ISO certification consultancy that provides advisory and assurance services to help businesses become ISO certified. He is a specialised ISO 27001 certification consultant and likes to share his knowledge with business owners through his articles, making them aware of information security management.