Person typing on a desktop computer
Information Security

ISO 27001 – Information Security is not all Information Technology. So what else is it?

Published: November 16, 2016
Person typing on a desktop computer
Information Security

There is increasing focus and interest in information security. Just think of recent events here in Australia… the census crashing because of overseas hackers; the almost continual reporting of people’s private information being compromised; phone hacking by unscrupulous news reporters desperate for the latest big story; and of course, people posting information they shouldn’t on social media.

Whilst all these major stories are centred around the failure of some aspect of information technology, ISO 27001 (the International Standard for information security management systems) does include many requirements for non-IT security of information… and that is what we are going to talk about here.

What can you do to keep your information secure that does not involve the IT department? We’ve picked nine specific ISO 27001- Information Security controls which are listed specifically in Annex A and have been directly derived from, and align with, ISO 27002. We also briefly explain what each means.

9 Information Security Controls

1. You have to do background checks on all candidates for employment, and you have to include information security requirements in their terms and conditions of employment (A.7.1.1).

Your HR department or recruitment organisation will need to ensure that when they do background checks on new recruits they ask questions about information security.

2. You have to educate and train your staff and contractors in information security as relevant to their positions, and you have to discipline those who breach your information security policy and procedures (A.7.2.2. & A.7.2.3).

Information security will need to be included in induction training, ongoing training and information sessions. It should be included as part of any daily pre start and toolbox talks as required. This will need to include staff, contractors and visitors.

3. Any information security assets have to be included on an inventory and the assets have to be owned. Upon termination of employment, people have to return any assets in their possession (A.8.1.1, A.8.1.2 & A.8.1.4).

You need a register of all of your information security assets, which will be more than just a list of your computers; it will also include smart phones, any locks and passcodes, storage boxes, transport vehicles, specifications and plans etc. You need to know who has what because you will need to get it back from them when they leave.

4. Information has to classified, and then protected according to its importance. Information has to be labelled according to it classification (A.8.2.1 & A.8.2.2).

Some information is more critical than other information; therefore it needs to be better protected than information that is not so critical. Whatever the classification, the information needs a label on it to show its classification level.  

5. When transporting physical media containing information it needs to be protected (A.8.3.3).

Any vehicles you or your contractors use need to be secure and in such a condition that information will not be damaged when it’s being moved around. This may include cars, motorbikes, couriers, trains, trucks and planes.

6. Physical entry controls need to be in place where information is stored and processed, and these areas also need to be protected against natural disasters, malicious attack or accidents (A.11.1.2 & A.11.1.4).

Two issues here… Firstly you need to keep unauthorised people out, which essentially means locks on doors – and doors need to be locked not propped open. Secondly, don’t store precious information in the basement if it’s likely to flood.

7. Unauthorised entry from delivery, loading and other such areas need to be prevented (A.11.1.6).

You don’t just need security on the front door. Make sure that other entrances are secure too. This can be awkward if entrances need to be left open to move things in and out, so ensure that sensitive information is not available –  and make sure the people in the loading dock understand this.

8. Desks need to be cleared of papers and removable storage devices (e.g. data sticks) when not in use (A.11.2.9).

People cannot leave things on their desk, or anywhere else come to that. Whenever people are away from their desk, information items should be cleared away, either in a locked drawer or a locker. The key word here is ‘locked’.

9. Any cables that carry data or supporting information services need to be protected from damage (A.11.2.3).

Data cabling – it’s normally blue or yellow – needs to be correctly routed so that it cannot be damaged. Cables should not be just trailed across the floor, left hanging from the ceiling, or exposed to be chewed by rodents. Some older cables may also have interference from other cables (power in particular). Different types of cables should be separated from one another.

Information security is no longer just a problem for IT – it affects all people, at all levels, in all businesses.

The information security controls listed above have been taken specifically from Annex A and have been directly derived from, and align with, ISO 27002. It challenges the idea that security is solely the responsibility of the IT department, when in fact many information security controls are implemented across the whole organisation.

Are you across all of its different aspects?

Interested in Information Security Management Systems or ISO 27001? Why not attend a training course?

Information Security Management Systems Lead Auditor

Related Articles


Back to Insights

“Excellent trainers with high level expertise, varied content to keep us engaged and quality resources leave me with confidence that I could implement what I’ve learned.”

“The presenters really helped to link the course material to real life situations. They were very professional and helped make the course very enjoyable.”

“Thoroughly enjoyable learning experience, facilitated to an excellent standard – Well adapted to the diversity of skill within the group.”

Fantastic course professionally run by a ‘real’ auditor working in the field which allowed for a fantastic bridge between theory and practical examples.

“It is rare to find a trainer with extensive practical and current industry knowledge of the topic. This is a real world training course for real world application. 100% recommend Pat to conduct any training in future.”

Need help finding a course?

Speak directly with a member of the RTP team to decide which course is right for you.