It is interesting to note the number of searches for ISO 27001 pdf, or even the number of searches for a free version of the standard. This presents some interesting questions and considerations, not least those of ethics!

Regardless of the fact that most ISO standards are drafted by a group of volunteers, the copyright is held by the International Standards Organisation, which develops and publishes the standards. Certainly, there must be concerns about the sharing of these documents; the British Standards Institute now have the standards protected so that they can be opened on no more than 3 devices.

But let's take a look at ISO 27001 itself, with some reference to ISO 27002, the guidance document.

Cost of ISO 27001 pdf

On the face of it, standards do seem expensive, particularly given that they are compiled by volunteers and that you do not actually get that many pages for your money. You probably would not pay that much for a book of 19 pages, particularly given the whole thing will be updated within 5 or 6 years, so will need replacing!

There is also an argument that the more freely available standards are, the easier it will be for organisations to see what is involved and to follow them, and therefore the greater the potential uptake. It is interesting that BSI did make a number of risk and business continuity-related standards available free of charge during Covid, whilst ISO also made some technical standards available.

However, regardless of personal thoughts on costs, ISO 27001 (and other management system standards) requires that top management demonstrate leadership and commitment by ‘ensuring that the resources needed for the information security management system are available’. It later states that the organisation needs to ‘provide the resources needed for the establishment, implementation, maintenance and continual improvement’ of the ISMS.

If an organisation is planning to implement an accredited management system, I would be concerned at a reluctance to pay £120 for the ISO 27001 pdf (price correct at time of writing!).


There are additional issues that should be considered from a Statement of Applicability perspective.

The obvious control that needs to be considered is 5.32 ‘Intellectual Property Rights’, with ISO 27002 explicitly referencing ‘not copying, in full or in part, standards (eg ISO/IEC International Standards)’, and clarifying that this control applies to ‘software or document copyright’.


An ISO 27001 consultant will have a copy of the standard. However, if you are serious about adhering to the requirements or going for accreditation, then I would strongly suggest that you make the investment!

