ISO/IEC 27001

ISO/IEC 27001 provides a structured and systematic approach to information security management.

ISO/IEC 27001 provides guidelines on best practices for initiating, implementing, and improving information security management systems (ISMS). The standard follows four phases, namely plan, do, check, and act (PDCA). ISO 27001 is typically used in Fortune 5000 organizations.

The key objectives of ISO/IEC 27001 are to help organizations:

  • Identify and assess their information security risks.

  • Implement appropriate security controls and measures to mitigate those risks.

  • Establish a framework for managing information security processes.

  • Continuously monitor, review, and improve the effectiveness of the ISMS.

By achieving certification against ISO/IEC 27001, organizations can demonstrate their commitment to protecting sensitive information, managing risks, and implementing best practices in information security management. It provides assurance to stakeholders, customers, and partners that the organization has implemented a robust and effective information security framework.

ISO/IEC 27001 is not an open standard: you have to pay to obtain the document, and certification means a recurring cost, since only certified bodies are endorsed to certify organizations.

There are 114 controls in 14 groups and 35 control categories. The groups are:

  1. A.5: Information security policies (2 controls)

  2. A.6: Organization of information security (7 controls)

  3. A.7: Human resource security (6 controls, applied before, during, or after employment)

  4. A.8: Asset management (10 controls)

  5. A.9: Access control (14 controls)

  6. A.10: Cryptography (2 controls)

  7. A.11: Physical and environmental security (15 controls)

  8. A.12: Operations security (14 controls)

  9. A.13: Communications security (7 controls)

  10. A.14: System acquisition, development and maintenance (13 controls)

  11. A.15: Supplier relationships (5 controls)

  12. A.16: Information security incident management (7 controls)

  13. A.17: Information security aspects of business continuity management (4 controls)

  14. A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)