ISO/IEC 27001 is an international standard on how to manage information security. Originally it was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. In Europe, an update was published in 2017.
The official title of this standard is “Information technology — Security techniques — Information security management systems — Requirements”.
This standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The purpose of an ISMS is to help organizations make their information assets (for example financial information, intellectual property, employee details or information entrusted by third parties) more secure.
Organizations that meet these requirements can choose to be assessed through an audit and then certified by an accredited certification body, such as LSTI Worldwide.
ISO/IEC 27001:2013 has ten short clauses and a long annex, which cover:
- Scope of the standard
- How the document is referenced
- Reuse of the terms and definitions in ISO/IEC 27000
- Organizational context and stakeholders
- Information security leadership and high-level support for policy
- Planning an information security management system; risk assessment; risk treatment
- Supporting an information security management system
- Making an information security management system operational
- Reviewing the system’s performance
- Corrective action
Annex A: List of controls and their objectives
As with other management system standards, certification to ISO/IEC 27001 is possible but not mandatory. Some organizations choose to implement the standard to benefit from the best practice it contains, whilst others decide they want to get certified to reassure customers.