What is ISO 27001?

ISO 27001 is an international standard that specifies requirements for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

Contents of ISO 27001

ISO 27001 is divided into 10 parts:

  1. Introduction
  2. Scope
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

Introduction

The introduction of ISO 27001 provides an overview of the standard and its purpose. It also explains the relationship between ISO 27001 and other standards.

Scope

The scope of ISO 27001 defines the applicability of the standard. It specifies the types of organizations that can use the standard and the types of information security management systems that can be certified.

Terms and definitions

The terms and definitions section of ISO 27001 defines the terms used in the standard. It also provides a list of terms that are used in other standards and are relevant to ISO 27001.

Context of the organization

The context of the organization section of ISO 27001 describes the organization’s external and internal issues that are relevant to information security. It also describes the organization’s information security policy and objectives.

Leadership

The leadership section of ISO 27001 describes the organization’s commitment to information security. It also describes the roles and responsibilities of the organization’s top management.

Planning

The planning section of ISO 27001 describes the organization’s information security risk management processes. It also describes the processes for establishing the information security policy, objectives and program.

Support

The support section of ISO 27001 describes the resources that are needed to implement and maintain the information security management system. It also describes the processes for acquiring and managing these resources.

Operation

The operation section of ISO 27001 describes the processes for implementing and maintaining the information security management system. It also describes the processes for monitoring and measuring the performance of the information security management system.

Performance evaluation

The performance evaluation section of ISO 27001 describes the processes for monitoring, measuring, analyzing and evaluating the performance of the information security management system. It also describes the processes for identifying opportunities for improvement.

Improvement

The improvement section of ISO 27001 describes the processes for implementing corrective and preventive actions. It also describes the processes for evaluating the effectiveness of these actions.

Explanation of every part of ISO 27001

Introduction

The introduction of ISO 27001 provides an overview of the standard and its purpose. It also explains the relationship between ISO 27001 and other standards. The introduction of ISO 27001 is divided into 3 parts: purpose, scope and relationship with other standards.

Purpose

The purpose of ISO 27001 is to provide a framework for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.

Scope

The scope of ISO 27001 defines the applicability of the standard. It specifies the types of organizations that can use the standard and the types of information security management systems that can be certified.

Relationship with other standards

The relationship with other standards section of ISO 27001 explains the relationship between ISO 27001 and other standards. It also explains how ISO 27001 can be used to meet the requirements of other standards.

Scope

The scope of ISO 27001 defines the applicability of the standard. It specifies the types of organizations that can use the standard and the types of information security management systems that can be certified. The scope of ISO 27001 is divided into 3 parts: applicability, certification and conformity assessment.

Applicability

The applicability section of ISO 27001 specifies the types of organizations that can use the standard. It also specifies the types of information security management systems that can be certified.

Certification

The certification section of ISO 27001 specifies the types of information security management systems that can be certified. It also specifies the types of conformity assessment that can be used to assess the conformity of an information security management system with ISO 27001.

Conformity assessment

The conformity assessment section of ISO 27001 specifies the types of conformity assessment that can be used to assess the conformity of an information security management system with ISO 27001. It also specifies the types of certification bodies that can be used to perform conformity assessment.

Terms and definitions

The terms and definitions section of ISO 27001 defines the terms used in the standard. It also provides a list of terms that are used in other standards and are relevant to ISO 27001. The terms and definitions section of ISO 27001 is divided into 2 parts: terms and definitions and terms used in other standards.

Terms and definitions

The terms and definitions section of ISO 27001 defines the terms used in the standard. It also provides a list of terms that are used in other standards and are relevant to ISO 27001.

Terms used in other standards

The terms used in other standards section of ISO 27001 provides a list of terms that are used in other standards and are relevant to ISO 27001. It also provides a list of terms that are used in other standards and are not relevant to ISO 27001.

Context of the organization

The context of the organization section of ISO 27001 describes the organization’s external and internal issues that are relevant to information security. It also describes the organization’s information security policy and objectives. The context of the organization section of ISO 27001 is divided into 3 parts: understanding the organization and its context, determining the scope of the information security management system and information security policy and objectives.

Understanding the organization and its context

The "Understanding the organization and its context" section of ISO 27001 describes the organization’s external and internal issues that are relevant to information security. It also describes the organization’s information security policy and objectives.

Determining the scope of the information security management system

The "Determining the scope of the information security management system" section of ISO 27001 describes the processes for determining the scope of the information security management system. It also describes the processes for determining the boundaries of the information security management system.

Information security policy and objectives

The information security policy and objectives section of ISO 27001 describes the processes for establishing the information security policy and objectives. It also describes the processes for communicating the information security policy and objectives to relevant interested parties.

Leadership

The leadership section of ISO 27001 describes the organization’s commitment to information security. It also describes the roles and responsibilities of the organization’s top management. The leadership section of ISO 27001 is divided into 2 parts: commitment to information security and roles and responsibilities.

Commitment to information security

The commitment to information security section of ISO 27001 describes the organization’s commitment to information security. It also describes the processes for establishing, implementing, maintaining and continually improving the information security management system.

Roles and responsibilities

The roles and responsibilities section of ISO 27001 describes the roles and responsibilities of the organization’s top management. It also describes the processes for delegating, authorizing and communicating these roles and responsibilities.

Planning

The planning section of ISO 27001 describes the organization’s information security risk management processes. It also describes the processes for establishing the information security policy, objectives and program. The planning section of ISO 27001 is divided into 2 parts: information security risk management and information security policy, objectives and program.

Information security risk management

The information security risk management section of ISO 27001 describes the organization’s information security risk management processes. It also describes the processes for identifying, analyzing, evaluating, treating and monitoring information security risks.

Information security policy, objectives and program

The "Information security policy, objectives and program" section of ISO 27001 describes the processes for establishing the information security policy, objectives and program. It also describes the processes for communicating the information security policy, objectives and program to relevant interested parties.

Support

The support section of ISO 27001 describes the resources that are needed to implement and maintain the information security management system. It also describes the processes for acquiring and managing these resources. The support section of ISO 27001 is divided into 2 parts: resources and acquisition and management of resources.

Resources

The resources section of ISO 27001 describes the resources that are needed to implement and maintain the information security management system. It also describes the processes for acquiring and managing these resources.

Acquisition and management of resources

The "Acquisition and management of resources" section of ISO 27001 describes the processes for acquiring and managing the resources that are needed to implement and maintain the information security management system. It also describes the processes for evaluating the effectiveness of these processes.

Operation

The operation section of ISO 27001 describes the processes for implementing and maintaining the information security management system. It also describes the processes for monitoring and measuring the performance of the information security management system. The operation section of ISO 27001 is divided into 2 parts: implementation and maintenance of the information security management system and monitoring and measurement of the information security management system.

Implementation and maintenance of the information security management system

The "Implementation and maintenance of the information security management system" section of ISO 27001 describes the processes for implementing and maintaining the information security management system. It also describes the processes for evaluating the effectiveness of these processes.

Monitoring and measurement of the information security management system

The "Monitoring and measurement of the information security management system" section of ISO 27001 describes the processes for monitoring and measuring the performance of the information security management system. It also describes the processes for evaluating the effectiveness of these processes.

Performance evaluation

The performance evaluation section of ISO 27001 describes the processes for evaluating the performance of the information security management system. It also describes the processes for determining whether the information security management system conforms to the requirements of ISO 27001. The performance evaluation section of ISO 27001 is divided into 2 parts: evaluation of the information security management system and determination of conformity.

Evaluation of the information security management system

The "Evaluation of the information security management system" section of ISO 27001 describes the processes for evaluating the performance of the information security management system. It also describes the processes for determining whether the information security management system conforms to the requirements of ISO 27001.

Determination of conformity

The determination of conformity section of ISO 27001 describes the processes for determining whether the information security management system conforms to the requirements of ISO 27001. It also describes the processes for evaluating the effectiveness of these processes.

Improvement

The improvement section of ISO 27001 describes the processes for identifying opportunities for improvement of the information security management system. It also describes the processes for implementing these improvements. The improvement section of ISO 27001 is divided into 2 parts: opportunities for improvement and implementation of improvements.

Opportunities for improvement

The opportunities for improvement section of ISO 27001 describes the processes for identifying opportunities for improvement of the information security management system. It also describes the processes for evaluating the effectiveness of these processes.

Implementation of improvements

The implementation of improvements section of ISO 27001 describes the processes for implementing improvements to the information security management system. It also describes the processes for evaluating the effectiveness of these processes.

Annex A (normative)

The annex A (normative) section of ISO 27001 provides a list of the requirements of ISO 27001. It also provides a list of the requirements of ISO 27001 that are not applicable to the organization.

Annex B (normative)

The annex B (normative) section of ISO 27001 provides a list of the terms and definitions that are used in ISO 27001. It also provides a list of the terms and definitions that are used in ISO 27001 and are not applicable to the organization.

Annex C (normative)

The annex C (normative) section of ISO 27001 provides a list of the references that are cited in ISO 27001.

Annex D (informative)

The annex D (informative) section of ISO 27001 provides a list of the terms and definitions that are used in ISO 27001 and are not applicable to the organization.
