International standard for information security management systems, requiring organisations to systematically manage sensitive data through risk assessment and controls.
ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The standard provides a systematic approach to managing sensitive company and customer information based on periodic risk assessments.
Organisations must demonstrate they can:
- Identify information security risks and assess their potential impact
- Implement appropriate controls to mitigate identified risks
- Monitor and review the effectiveness of these controls
- Continually improve their information security processes
- Maintain comprehensive documentation of policies and procedures
The standard includes Annex A, which lists 114 security controls covering areas such as access control, cryptography, physical security, and incident management.
ISO 27001 certification is increasingly specified as a mandatory requirement in UK public sector tenders, particularly for:
- IT services and software development contracts
- Data processing and cloud services
- Any contract involving access to sensitive government or citizen data
Procuring authorities use ISO 27001 as objective evidence that suppliers can adequately protect information assets. The certification demonstrates due diligence in supplier selection and helps satisfy data protection obligations under UK GDPR.
Certification requires independent third-party audit by accredited certification bodies. Certificates are valid for three years, with annual surveillance audits required to maintain certification status. Suppliers must provide current certificates and evidence of ongoing compliance throughout contract performance.