ISO 27001

The full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.”

It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.

Purpose

ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

Benefits

Apart from providing companies with the necessary know-how for protecting their most valuable information, ISO 27001 also allows a company to become certified; in this way, the company can prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.

Certification Roadmap

The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means that all those requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.

The requirements from sections 4 through 10 can be summarized as follows:

  • Clause 4: Context of the organization - defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
  • Clause 5: Leadership - defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.
  • Clause 6: Planning - defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
  • Clause 7: Support - defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
  • Clause 8: Operation - defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
  • Clause 9: Performance evaluation - defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
  • Clause 10: Improvement - defines requirements for nonconformities, corrections, corrective actions, and continual improvement.