ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS). It is written to apply to organizations of any size in any industry, takes a top-down, risk-based approach, and is technology neutral. Risk management is its central idea: you must identify the sensitive or valuable information that requires protection, determine the ways that information could be put at risk, and implement controls to treat each risk. Risk includes any threat to the confidentiality, integrity or availability of information. The standard provides a framework for selecting appropriate controls and processes; the controls you choose are compared against the reference set in its Annex A to confirm that none has been overlooked.
0. Introduction — Describes the purpose of the standard and the process it establishes for systematically managing information security risks
1. Scope — Specifies generic ISMS requirements intended to apply to organizations of any type, size or nature
2. Normative References — Lists other standards that are indispensable for applying ISO 27001 (only one, ISO/IEC 27000, is listed)
3. Terms and Definitions — Refers the reader to ISO/IEC 27000 for the definitions of the terms used in the standard
4. Context of the Organization — Explains why and how to determine the internal and external issues that can affect the organization's ability to build an ISMS, the requirements of interested parties and the scope of the ISMS, and requires the organization to establish, implement, maintain and continually improve the ISMS
5. Leadership — Requires top management to demonstrate leadership and commitment to the ISMS, establish an information security policy, and assign information security roles, responsibilities and authorities
6. Planning — Outlines the processes for identifying, analyzing, evaluating and planning the treatment of information security risks, and for setting measurable information security objectives
7. Support — Requires the organization to provide adequate resources, ensure competence, raise awareness, manage communication, and maintain the necessary documented information
8. Operation — Details how to plan and control operations, carry out risk assessment and risk treatment at planned intervals, manage changes, and retain documented information as evidence
9. Performance Evaluation — Requires the organization to monitor, measure, analyze and evaluate its information security performance and the effectiveness of the ISMS, conduct internal audits, and hold management reviews
10. Improvement — Requires the organization to refine its ISMS continually, including correcting nonconformities and addressing the findings of audits and reviews
© Sectify 2024 All Rights Reserved