ISO 27001 (also known as ISO/IEC 27001) is an international standard established by the International Organization for Standardization for creating an information security management systems (ISMS). ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an organization’s information security management system.
It is the best known standard in the ISO 27000 family of standards. It helps organizations manage the cybersecurity of a variety of assets, including financial information, intellectual property, employee personal information, and third-party data. It also includes requirements for the information security risk assessment and risk management. ISO 27001 can be used by any organization, no matter the type, size or nature.
ISO defines an ISMS as “a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
“It can help small, medium and large businesses in any sector keep information assets secure.”
ISO/IEC 27001:2013 comprises two main parts:
- Sections 4-10 outlines the requirements for Information Security Management Systems (ISMS)
- Annex A spells out 114 controls divided into 14 clauses, or “control objectives”:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws
ISO 27001 certification is one of the most widely used ISO standard certifications, along with ISO 9001, which governs quality management systems (QMS).