ISO 27001 (ISO/IEC 27001:2013) is the international standard that provides the specification for an information security management system (ISMS). ISO 27001 is technology and vendor neutral and is applicable to all organisations – irrespective of their size, type or nature.
The Standard is designed to help organisations manage their information security processes in line with international best practice while optimizing costs.

An ISMS provides a systematic approach to managing information security. It consists of policies, procedures and other controls involving people, processes and technology to help organisations protect and manage all their data.

ISO 27001 implementation is an ideal response to customer and legal requirements such as the General Data Protection Regulation (GDPR) and potential security threats including: cyber crime, personal data breaches, vandalism / terrorism, fire / damage, misuse, theft and viral attacks.

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment
   2. Security policy
   3. Organization of information security
   4. Asset management
   5. Human resources security
   6. Physical and environmental security
   7. Communications and operations management
   8. Access control
   9. Information systems acquisition, development and maintenance
   10. Information security incident management
   11. Business continuity management
   12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:

• Confidentiality: only the authorized persons have the right to access information.
• Integrity: only the authorized persons can change the information.
• Availability: the information must be accessible to authorized persons whenever it is needed.

What is an ISMS?

An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:

1. identify stakeholders and their expectations of the company in terms of information security
2. identify which risks exist for the information
3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
4. set clear objectives on what needs to be achieved with information security
5. implement all the controls and other risk treatment methods
6. continuously measure if the implemented controls perform as expected
7. make continuous improvement to make the whole ISMS work better

This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.