In a world where cybersecurity has become a board-level priority \u2014 not just an IT concern \u2014 two questions keep surfacing in leadership meetings:<\/p>\n\n\n\n
\"What exactly do we need to do?\" and \"How do we know it's enough?\"<\/p>\n\n\n\n
ISO\/IEC 27001:2022 and Slovenia's Information Security Act (ZInfV-1) answer both. This article explains what the standard and the law actually require, why they matter for every organisation \u2014 not just regulated sectors \u2014 and how they complement each other as the foundation of a robust security posture.<\/p>\n\n\n\n
ISO\/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It was developed jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC); the current version was published in 2022.<\/p>\n\n\n\n
It is often mischaracterised as purely a \"certification standard.\" In reality, it is a risk management framework: a flexible, risk-based methodology that helps organisations:<\/p>\n\n\n\n
\nKEY POINT<\/strong> <\/p>\n\n\n\n
ISO 27001 does not prescribe a single solution. It requires organisations to understand their specific risks and respond to them deliberately. This makes it applicable to organisations of any size, in any sector.<\/p>\n<\/blockquote>\n\n\n\n
2. The structure: ten clauses and 93 controls<\/h2>\n\n\n\n
The standard follows the High Level Structure (HLS) common to all modern ISO management system standards. The ISMS core comprises ten clauses:<\/p>\n\n\n\n
Poglavje<\/strong><\/td> Vsebina<\/strong><\/td><\/tr> 4 \u2014 Context<\/td> Understanding the organisation, interested parties, and ISMS scope<\/td><\/tr> 5 \u2014 Leadership<\/td> Management commitment, security policy, roles and responsibilities<\/td><\/tr> 6 \u2014 Planning<\/td> Risk assessment, risk treatment plan, security objectives<\/td><\/tr> 7 \u2014 Support<\/td> Resources, competence, awareness, communication, documentation<\/td><\/tr> 8 \u2014 Operation<\/td> Control implementation, change management, supplier oversight<\/td><\/tr> 9 \u2014 Performance<\/td> Internal audits, management review, effectiveness measurement<\/td><\/tr> 10 \u2014 Improvement<\/td> Corrective actions, nonconformities, continual improvement<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Beyond the clauses, the standard includes Annex A \u2014 a catalogue of 93 security controls organised into four thematic groups: organisational, people, physical, and technological controls. Organisations do not implement all controls; they select those that address identified risks and justify any exclusions in the Statement of Applicability (SoA).<\/p>\n\n\n\n
3. Why ISO 27001 \u2014 and why now?<\/h2>\n\n\n\n
The standard delivers practical value regardless of whether an organisation pursues certification. Benefits operate on three levels:<\/p>\n\n\n\n
3.1 Risk management, not just compliance<\/strong><\/p>\n\n\n\n
The standard's central mechanism \u2014 risk assessment and treatment \u2014 forces organisations to approach security strategically. Rather than reactively patching holes, it builds a proactive, risk-informed security culture.<\/p>\n\n\n\n
3.2 Trust with clients and partners<\/strong><\/p>\n\n\n\n
ISO 27001 certification or a documented ISMS is increasingly required by public sector clients, financial services organisations, and critical infrastructure operators as a condition of doing business. It is becoming a market access requirement, not just an internal tool.<\/p>\n\n\n\n
3.3 A regulatory foundation<\/strong><\/p>\n\n\n\n
ISO 27001 is not itself a legal requirement, but it serves as the reference framework for most modern security regulations \u2014 including the NIS2 Directive and Slovenia's ZInfV-1. Organisations with an established ISO 27001 ISMS have a far easier path to demonstrating compliance.<\/p>\n\n\n\n
\nDID YOU KNOW?<\/strong> <\/p>\n\n\n\n
According to the ISO Survey 2023, ISO 27001 is one of the fastest-growing certification standards in the world. The number of certifications in Europe grew by more than 40% between 2019 and 2023 \u2014 a trend directly linked to the rise of NIS2.<\/p>\n<\/blockquote>\n\n\n\n
4. ZInfV-1: Slovenian law meets international standard<\/h2>\n\n\n\n
The Information Security Act (ZInfV-1), which transposed the EU NIS2 Directive (2022\/2555) into Slovenian law, requires essential and important entities to establish an information security management system and adopt proportionate technical and organisational measures to manage security risks.<\/p>\n\n\n\n
The law explicitly references requirements that map directly to ISO 27001:<\/p>\n\n\n\n
\n
- information security and risk management policies,<\/li>\n\n\n\n
- incident handling \u2014 including mandatory notification to SI-CERT within 72 hours,<\/li>\n\n\n\n
- business continuity and crisis management,<\/li>\n\n\n\n
- supply chain security,<\/li>\n\n\n\n
- staff training and awareness,<\/li>\n\n\n\n
- encryption and access control.<\/li>\n<\/ul>\n\n\n\n
Crucially, ZInfV-1 does not mandate a specific standard. It requires demonstrable, proportionate measures. ISO 27001 is the most widely recognised and accepted framework for meeting those requirements \u2014 with regulators and courts alike.<\/p>\n\n\n\n
\nIMPORTANT<\/strong> <\/p>\n\n\n\n
Fines for essential entities under ZInfV-1 reach up to EUR 10 million or 2% of annual turnover. For important entities: up to EUR 7 million or 1.4% of annual turnover. Determining which category applies to your organisation is the mandatory first step.<\/p>\n<\/blockquote>\n\n\n\n
5. ISO 27001 and ZInfV-1: Parallels and differences<\/h2>\n\n\n\n
ISO 27001<\/strong><\/td> ZInfV-1 \/ NIS2<\/strong><\/td><\/tr> Voluntary standard (certification optional)<\/td> Legal obligation for essential\/important entities<\/td><\/tr> Organisation defines ISMS scope<\/td> Scope determined by law (critical infrastructure sectors)<\/td><\/tr> Risk-based assessment and controls<\/td> Proportionate measures based on risk, size, and sector<\/td><\/tr> 93 controls in Annex A<\/td> Law sets minimum substantive requirements<\/td><\/tr> Incident notification per internal policy<\/td> Mandatory SI-CERT notification within 72 hours<\/td><\/tr> Internal and external audits<\/td> Oversight by national regulator<\/td><\/tr> Continual improvement<\/td> Periodic reporting to the regulator<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n The key insight: ISO 27001 and ZInfV-1 are not in conflict \u2014 they are complementary. The standard provides the methodology; the law sets the minimum obligations. An organisation that builds an ISMS to ISO 27001 gains a structure that maps directly onto ZInfV-1 requirements.<\/p>\n\n\n\n
6. Where to start: practical first steps<\/h2>\n\n\n\n
Building an ISMS to ISO 27001 does not require implementing everything at once. We recommend a staged, risk-based approach:<\/p>\n\n\n\n
\n
- Determine your regulatory status. Is your organisation an essential or important entity under ZInfV-1? The answer defines the scope of your legal obligations.<\/li>\n\n\n\n
- Assess your current state. Where do you stand today against the standard's requirements? Which areas are covered, and where do gaps exist?<\/li>\n\n\n\n
- Secure leadership commitment. An ISMS cannot succeed without top-level support. Security must be a strategic decision, not just an IT project.<\/li>\n\n\n\n
- Define your ISMS scope. Which processes, systems, and locations will be included? A well-defined scope is the foundation of everything that follows.<\/li>\n\n\n\n
- Conduct a risk assessment. Identify assets, threats, and vulnerabilities. Use the results to select appropriate controls from Annex A.<\/li>\n<\/ol>\n\n\n\n
Over the coming weeks, this series will examine each ISO 27001 clause in depth \u2014 from organisational context to continual improvement \u2014 mapping each one to the specific requirements of ZInfV-1.<\/p>\n\n\n\n
<\/p>\n\n\n\n
\nNEXT STEPS<\/strong> <\/p>\n\n\n\n
Before your next cybersecurity meeting \u2014 find out where your organisation stands today. Our free Information Security Maturity Assessment shows you in 10 minutes, across five key ISO 27001 domains aligned with ZInfV-1 requirements. Fill in the short form and your personalised assessment is waiting on the other side.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"
V svetu, kjer je kibernetska varnost postala strate\u0161ka prioriteta \u2014 ne le IT-jevska skrb \u2014 se dve vpra\u0161anji znova in znova pojavljata na mizah vodstvenih ekip: “Kaj dejansko moramo narediti?” in “Kako vemo, da je dovolj?” Standard ISO\/IEC 27001:2022 in slovenski Zakon o informacijski varnosti (ZInfV-1) ponujata odgovor na obe. Ta \u010dlanek pojasni, kaj standard […]<\/p>\n","protected":false},"author":1,"featured_media":1280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"1080","inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nekategorizirano"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/comments?post=1270"}],"version-history":[{"count":10,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1270\/revisions"}],"predecessor-version":[{"id":1315,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1270\/revisions\/1315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/media\/1280"}],"wp:attachment":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/media?parent=1270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/categories?post=1270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/tags?post=1270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}