ISO 27001 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 specifies an Information Security Management System (ISMS), which comprises a comprehensive set of management controls, designed to provide oversight and conform to an acceptable standard of practice. ISO/IEC 27001 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
A sister standard, ISO 27002 specifies a set of specific information security controls, most of which should be implemented by the organization. However, the organization may tailor the set to meet its needs, in accordance with its risk profile.
While many organizations may utilize ISO 27002 controls independently from each other, ISO 27001 specifies the system in which the controls work together to solidify a security infrastructure suitable to protect against most cyber threats. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
Do you need help with a strategy to comply with ISO 27001? CyberSafe 360 can help.