The purpose of the standard is to…
… preserves the confidentiality, integrity and availability of information by applying a risk management process…
This standard is not an IT standard but rather an information security standard.
What it Means
ISO/IEC 27001 (below, ISO 27001) is a specification that sets out the exact requirements for what is deemed best practice in information security. It concerns a management system for information security and risk management. It has two parts:
- Management processes to implement
- List of technical controls
It was created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Differences Between ISO/IEC 27001 and ISO/IEC 27002
ISO 27001 is the international standard.
ISO 27002 is the code of practice or implementation guidance document (an organisation cannot be certified against this one).
Structure of the Standard
- Clauses 0 - 3: General Definitions & Content
- Clauses 4 - 10: 7 Clauses about your ISMS, Mandatory Compliance
- Annex A: 114 controls across 14 domains, Mandatory Compliance
- Bibliography: References