A brief explanation of common standards such as ISO 27001, ISO 9001 and ISO 22301


What are standards?

Let’s start by looking at the definition of a standard. According to the Oxford Dictionary, a standard is:

  1. a level of quality or attainment.
  2. something used as a measure, norm, or model in comparative evaluations

In other words, a standard is an agreed and documented approach to performing specific tasks. There are plenty of standards available for the majority of things but in this section, we will strictly be speaking about a few examples of the more widely known ones around Information Security, Business Continuity, and Quality.

To come back to what a standard is, a standard is a set of technical specifications and criteria that needs to be used consistently across an organisation.

Why are they useful?

Standards are useful for some reasons, but the main one is that they ensure services and products are delivered in a consistent manner over several different interpretations of the same standard.

Organisations and companies work from the same book in their approach to achieve the same goal, a deliverable that matches internationally recognised criteria.


Below we will cover some examples, mainly around the Information Security and IT field, hoping that it gives you a bit more context around the different standards used.

ISO 27001

This is probably one of the most known standards in the IT field. ISO 27001 - Information Security Management. For this standard, organisations are required to have a set of policies and operational procedures that meet the criteria for managing information security.

There’s a large number of policies and documents required for this standard however there is a handful that is more recognisable (and easy to remember that is):

  • Statement of Applicability (SOA)
  • Asset Register
  • Risk Register
  • Business Continuity Procedure (BCP)
  • Starters, Leavers and Movers procedure

There are plenty more controls related to ISO 27001, however, I won’t go into too much detail on this page as they are only for reference purposes.

ISO 9001

This is a more widely wise standard over many industries and is related to the quality of your products, services and processes. This standard is looking for the applicant to have quality checks embedded across the whole service that they offer.

Depending on the scope of the certification this can be tailored to specific services(Service Desk, Delivery, SOC) or encompass the whole organisation where this approach is required.

ISO 9001 revolves around the following fundamental principles:

  • Engagement of People
  • Customer Focus
  • Leadership
  • Process Approach
  • Improvement
  • Evidence-based Decision Making
  • Relationship Management

I won’t dive into too much detail however if you or your organisation is interested in pursuing this certification, I highly recommend purchasing the standard.

ISO 22301

This is a standard that relates to an organisation's business continuity process. This standard requires organisations to have a business continuity management system(BCMS). This standard is focused on four major areas to ensure a well-rounded system:

  • Management support
  • Business impact analysis
  • Risk assessment
  • Business continuity Plan (obviously)

I won’t dive into too many details however parts of 27001 cover elements of 22301 but not to the extent that this certification requires.


As you probably noticed, all of the standards require that your organisation and especially the leadership team (C suite or board of directors) is engaged and involved. What they also have in common is that all of them require that you have policies and procedures (of course, each of them is aligned with the required standard).

All of the certifications have online resources available based on how an organisation advises you to implement the control, however, you should always follow the standard or consult with an expert who knows the ins and outs of the one you are working towards.


In your security journey, you will come across some, if not all of these standards at some point in time and it’s always good to have at least some awareness of what they are and why certain organisations implement them.