ISO 27001 – Information Security Management System


ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

ISO 27001 uses a top down, risk-based approach and is technology-neutral. The specification defines a six-part planning process. The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO/IEC 27001:2013 (ISO 27001) is the latest international standard that describes best practice for an ISMS Information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practices, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013