ISO 27001

A deeper dive into the ISO 27001 Package, risk assessment techniques and implementation details.

The ISO 27001 Package

The ISO 27001 Standard can be complicated to understand, as each clause contains a large amount of information. When working toward certification, it is important to refer to the other documents in the ISO 27000 series: they provide the reference material needed to execute each clause as intended. Whatever your familiarity with information security, be clear about what you are trying to accomplish. ISO 27001 is the Standard; implementations will differ between industries and businesses.

ISO 27001 Package:

Information technology — Security techniques — Information security management systems — Overview and vocabulary
Information technology — Security techniques — Information security management systems — Requirements
Information technology — Security techniques — Code of practice for information security controls
Information technology — Security techniques — Information security management system implementation guidance
Information technology — Security techniques — Information security management — Measurement
Information technology — Security techniques — Information security risk
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Information technology — Security techniques — Guidelines for information security management systems auditing
Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Information technology — Security techniques — Guidelines for
Information technology — Security techniques — Information security incident management
Information technology — Security techniques — Information security for supplier relationships

ISO 27001 at a Glance

The table of contents of ISO 27001 is very close in structure to that of ISO 9001, apart from the information security elements. Keep in mind that Annex A is an additional set of controls that must be specifically addressed in your implementation. There are 114 controls, designed to complete your security framework.

ISO 27001 Table of Contents (Clauses)

Note: you can purchase the ISO 27001 Package from
4 Context of the organization

4.1 Understanding the organization and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the information security management system

4.4 Information security management system

5 Leadership

5.1 Leadership and commitment

5.2 Policy

5.3 Organizational roles, responsibilities and authorities

6 Planning

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7 Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8 Operation

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10 Improvement

10.1 Nonconformity and corrective action

10.2 Continual improvement


Annex A is a list of security controls. These controls are used to help identify the risks associated with your ISMS security framework. There are 114 in total; some may not apply to your implementation.

Annex A - Reference control objectives and controls


ISO 27001 Risk Management

Risk management is one of the key components of an effective ISO 27001 program. ISO 27005 provides guidance and techniques for identifying and managing risks. For some applications this is not enough, and ISO 31000 will be more appropriate. Risk activities will be based on the controls listed in Annex A.

Risk Process

Principles, Framework and Process


ISO 27004 provides guidance on Monitoring, Measurement, Analysis and Evaluation of your ISO 27001 program.



ISO 27004 Table of Contents



5 Rationale

5.1 The need for measurement

5.2 Fulfilling the ISO/IEC 27001 requirements

5.3 Validity of results

5.4 Benefits

6 Characteristics

6.1 General

6.2 What to monitor

6.3 What to measure

6.4 When to monitor, measure, analyse and evaluate

6.5 Who will monitor, measure, analyse and evaluate

7 Types of measures

7.1 General

7.2 Performance measures

7.3 Effectiveness measures

8 Processes

8.1 General

8.2 Identify information needs

8.3 Create and maintain measures

8.3.1 General

8.3.2 Identify current security practices that can support information needs

8.3.3 Develop or update measures

8.3.4 Document measures and prioritize for implementation

8.3.5 Keep management informed and engaged

8.4 Establish procedures

8.5 Monitor and measure

8.6 Analyze results

8.7 Evaluate information security performance and ISMS effectiveness

8.8 Review and improve monitoring, measurement, analysis and evaluation processes

8.9 Retain and communicate documented information


Measurement and analysis are very important. They gauge the health of your ISO 27001 implementation, are necessary to determine its effectiveness, and provide the facts on which the direction of continual improvement programs is based.



ISMS Implementation Steps

Below are guidelines to help you through a high-level implementation. The steps may vary depending on your application.

Treat the implementation as a plan and use all of its stages to manage it effectively. PDCA (Plan-Do-Check-Act) should also be applied at every stage of your implementation.


ISO 27001 Implementation

When creating your ISMS processes, use the elements of the single effective process schematic (source: ISO 9001:2015).


For a free quote from an ISO specialist, contact Encompass.

Encompass Head Offices: San Jose, San Bernardino

Extended Locations: Los Angeles, San Diego, San Francisco, Northern California, Southern California

Tel: (408) 657-8269