ISO 27001
ISO 27001 is crucial for information security.
ISO 27001 (Information Security Management) is a critical concept in quality, health, safety, and environmental management.
What Is ISO 27001?
ISO 27001:2022 is the international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving information security controls to protect the confidentiality, integrity, and availability of information. The standard uses a risk-based approach — organisations must identify information security risks, determine treatments, and select controls from Annex A (93 controls across 4 themes: organisational, people, physical, technological). ISO 27001 is critical for any organisation that handles sensitive data, provides IT services, or operates in regulated industries. Over 70,000 certificates have been issued worldwide.
ISO 27001 Requirements Under UK Law
While certification is not legally required, ISO 27001 helps organisations demonstrate compliance with: UK GDPR (Data Protection Act 2018), NIS Regulations 2018 (network and information systems), PCI DSS (payment card data), the NHS Data Security and Protection Toolkit, Cyber Essentials Plus (government supply chain), and sector-specific requirements. The Information Commissioner's Office (ICO) can fine up to £17.5 million or 4% of global turnover for GDPR breaches. The NCSC (National Cyber Security Centre) recommends ISO 27001 as a foundation for cyber security. Q-Hub itself is ISO 27001 certified.
Key Components of ISO 27001
- Information security policy
- Risk assessment
- Access control
- Cryptography
- Physical security
- Operations security
- Communications security
- System acquisition/development
- Supplier relationships
- Incident management
- Business continuity
- Compliance
ISO 27001 in Practice
A SaaS company (90 employees, processing data for 500 client organisations) maintains ISO 27001 certification using Q-Hub. Their information security risk register contains 145 risks assessed against likelihood and impact. Access control reviews are conducted quarterly for all 90 user accounts. The security team manages 12 documented policies, 35 procedures, and conducts 6 internal audits per year. Penetration testing results, vulnerability scans, and incident logs are all tracked in Q-Hub. Their annual surveillance audit covers Annex A controls sampling — Q-Hub provides instant evidence retrieval. Time from audit request to evidence: 30 seconds (previously 2-3 hours).
How to Manage ISO 27001 with Q-Hub
Q-Hub provides comprehensive tools for ISO 27001 management. The Document Control module handles the core documentation requirements and is integrated with audit scheduling, training management, and KPI dashboards, so your ISO 27001 processes are audit-ready at all times.
Related Terms
- ISO 9001 — related QHSE concept
- Risk Assessment — related QHSE concept
- Audit — related QHSE concept
- Document Control — related QHSE concept
- Management Review — related QHSE concept