ISO/IEC 27001

The purpose of the standard is to…

… preserves the confidentiality, integrity and availability of information by applying a risk management process…

—ISO/IEC 27001:2013 Standard section 0.1

This standard is not an IT standard but rather an information security standard.

What it Means

ISO/IEC 27001 (below, ISO 27001) is a specification that sets out the exact requirements for what is deemed best practice in information security. It describes a management system for information security and risk management. It has two parts:

  • Management processes to implement
  • List of technical controls

It is created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Differences Between ISO/IEC 27001 and ISO/IEC 27002

ISO 27001 is the international standard.

ISO 27002 is the code of practice or implementation guidance document (an organization cannot be certified against this one).

Structure of the Standard

  1. Clauses 0 - 3: General definitions and content
  2. Clauses 4 - 10: 7 clauses about your ISMS, mandatory compliance
  3. Annex A: 114 controls across 14 domains, mandatory compliance
  4. Bibliography: references

In Practice

See ISO/IEC 27001 in Practice