ISO 27001 (also known as ISO/IEC 27001) is an international standard established by the International Organization for Standardization for managing information security management systems (ISMS).

It is the most popular in the ISO 27000 family of standards. It helps organizations manage the cybersecurity of a variety of assets, including financial information, intellectual property, employee personal information, and third-party data.

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an organization’s information security management system.

It also includes requirements for the information security risk assessment and risk management. ISO 27001 can be used by any organization, no matter the type, size or nature.

ISO defines an ISMS as “a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

“It can help small, medium and large businesses in any sector keep information assets secure.”

ISO/IEC 27001:2013 comprises 114 security controls in 14 clauses:

A.5: Information security policies

A.6: Organization of information security

A.7: Human resource security

A.8: Asset management

A.9: Access control

A.10: Cryptography

A.11: Physical and environmental security

A.12: Operations security

A.13: Communications security

A.14: System acquisition, development and maintenance

A.15: Supplier relationships

A.16: Information security incident management

A.17: Information security aspects of business continuity management

A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws


ISO 27001 certification is one of the most popular ISO standard certifications, along with ISO 9001, which governs quality management systems (QMS).