What is ISO 27001?
Definition
ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It follows a risk-based approach to managing sensitive information.
In Depth
ISO 27001 is the most widely recognized international standard for information security management, with certification accepted across industries and geographies. The standard follows a risk-based approach: organizations must identify their information security risks, select controls to treat those risks, and record which Annex A controls apply (and why any are excluded) in a Statement of Applicability (SoA). Annex A provides a reference set of 93 controls (in the 2022 revision) organized into four themes: Organizational, People, Physical, and Technological. Certification involves a two-stage audit by an accredited certification body: Stage 1 reviews documentation and readiness, while Stage 2 assesses the operational effectiveness of the ISMS. A certificate is valid for three years, subject to annual surveillance audits. The standard's emphasis on continual improvement through the Plan-Do-Check-Act (PDCA) cycle distinguishes it from point-in-time assessments, which is why organizations seeking to build a mature, evolving security program value it.
Related Terms
ISMS
An Information Security Management System (ISMS) is a systematic framework of policies, processes, and controls that an organization implements to manage and reduce information security risks. It encompasses people, processes, and technology in a holistic approach to security governance.
Risk Assessment
Risk assessment is the systematic process of identifying, analyzing, and evaluating information security risks to an organization. It involves determining the likelihood and impact of threats exploiting vulnerabilities, then prioritizing risks for treatment through mitigation, transfer, avoidance, or acceptance.
Asset Management
Asset management in information security involves maintaining an accurate inventory of all hardware, software, data, and cloud resources an organization uses. It ensures all assets are identified, classified, assigned ownership, and protected according to their value and sensitivity.
NIST Framework
The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology for managing cybersecurity risk. As of CSF 2.0, it organizes security activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.