ISO 27000

▷ ISO/IEC 27001

ISO/IEC 27001, part of the expanding ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard first published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full title of the standard is ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements.

ISO/IEC 27001 outlines a formal management system designed to place information security under explicit managerial control. As a formal specification, it mandates specific requirements. Organizations claiming to have adopted ISO/IEC 27001 can be formally audited and certified as compliant with the standard (further details below).


How the Standard Works

Many organizations have various information security controls in place. However, without an Information Security Management System (ISMS), these controls tend to be fragmented and disconnected, often implemented as point solutions for specific issues or simply as a matter of convention. Such controls typically focus on IT or data security, leaving non-IT information assets (such as paper documents and proprietary knowledge) less well protected overall. Additionally, business continuity and physical security may be managed separately from IT or information security, while Human Resources may overlook the need to define information security roles and responsibilities across the organization.

ISO/IEC 27001 requires management to:

  • Systematically assess the organization’s information security risks, considering threats, vulnerabilities, and impacts.
  • Design and implement a comprehensive set of information security controls or other forms of risk management (such as risk avoidance or transfer) to address risks deemed unacceptable.
  • Establish an ongoing management process to ensure the information security controls continue to meet the organization’s evolving needs.
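The three requirements above describe a repeatable risk assessment and treatment cycle. The following is an added example, not text or code from the standard or from this page, of what the smallest useful version of that cycle looks like as code: a risk register that scores each risk from threat, vulnerability, likelihood and impact, compares the score against a management-defined risk appetite, and either accepts the risk, mitigates it with the least intrusive candidate control that brings the residual risk within appetite, or escalates it for a management decision on avoidance or transfer. The 1–5 scales, the multiplicative score, the appetite threshold, the control names and the register entries are all assumptions constructed for illustration; ISO/IEC 27001 requires a defined, repeatable method but does not prescribe this one.

```python
"""Toy ISMS risk register: score, compare against appetite, choose a treatment.

All scales, thresholds and register entries are constructed assumptions for
illustration; ISO/IEC 27001 does not prescribe a scoring method.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "accept"        # already within the risk appetite
    MITIGATE = "mitigate"    # apply a control, record the residual risk
    ESCALATE = "escalate"    # no candidate control suffices: avoid or transfer


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_cut: int = 0  # points of likelihood the control removes
    impact_cut: int = 0      # points of impact the control removes


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    candidate_controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual(self, control: Control) -> int:
        """Score after applying a control; neither axis drops below 1."""
        return (max(1, self.likelihood - control.likelihood_cut)
                * max(1, self.impact - control.impact_cut))


@dataclass
class Decision:
    risk: Risk
    treatment: Treatment
    control: Optional[Control]
    residual: int


def treat(risk: Risk, appetite: int) -> Decision:
    """Decide one risk against the appetite (the highest acceptable score)."""
    if risk.score() <= appetite:
        return Decision(risk, Treatment.ACCEPT, None, risk.score())
    sufficient = [c for c in risk.candidate_controls if risk.residual(c) <= appetite]
    if sufficient:
        # Least intrusive control that still brings the risk within appetite.
        best = min(sufficient, key=lambda c: (c.likelihood_cut + c.impact_cut, c.name))
        return Decision(risk, Treatment.MITIGATE, best, risk.residual(best))
    # No single candidate control is enough: management must avoid the
    # activity, transfer the risk (e.g. insurance) or formally accept it.
    best = min(risk.candidate_controls, key=risk.residual, default=None)
    residual = risk.residual(best) if best else risk.score()
    return Decision(risk, Treatment.ESCALATE, best, residual)


def assess(register: List[Risk], appetite: int) -> List[Decision]:
    """Run the whole register; re-run after controls change or on review."""
    return [treat(risk, appetite) for risk in register]


# Constructed sample register; note that not every asset is an IT system.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched web front end", 4, 5,
         [Control("monthly patch cycle", likelihood_cut=2),
          Control("web application firewall", likelihood_cut=1),
          Control("patching plus WAF", likelihood_cut=3)]),
    Risk("paper contracts in archive room", "fire", "no off-site copy", 1, 4,
         [Control("scan and store off-site", impact_cut=3)]),
    Risk("laptop fleet", "theft", "disk not encrypted", 3, 4,
         [Control("full-disk encryption", impact_cut=3)]),
    Risk("legacy FTP exchange with partner", "credential interception",
         "cleartext protocol", 5, 3,
         [Control("IP allow-list", likelihood_cut=1)]),
]
RISK_APPETITE = 6  # assumption: management accepts scores of 6 or below


if __name__ == "__main__":
    for d in assess(SAMPLE_REGISTER, RISK_APPETITE):
        ctrl = d.control.name if d.control else "-"
        print(f"{d.risk.asset:36} score={d.risk.score():2} "
              f"{d.treatment.value:8} control={ctrl:24} residual={d.residual}")
```

Running the sample yields one risk accepted as-is (the archived contracts), two mitigated (database, laptops), and one escalated (the cleartext FTP exchange, where the only candidate control leaves the residual score at 12). The escalation path is the point: a register that can only ever answer "apply a control" hides the avoid-or-transfer decisions that the standard requires management, not engineers, to make.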

While other information security control sets can be used within an ISO/IEC 27001 ISMS, ISO/IEC 27002 (the Code of Practice for Information Security Management) is typically used alongside ISO/IEC 27001. Annex A of ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, with ISO/IEC 27002 providing additional details and guidance on how to implement the controls.

Organizations that implement the ISO/IEC 27002 controls are likely to meet many ISO/IEC 27001 requirements but may lack some of the broader management system elements. Conversely, ISO/IEC 27001 certification shows that an organization has a management system for information security, but it doesn’t necessarily reflect the actual state of information security within the organization. Technical security controls, such as antivirus software and firewalls, are not normally examined in an ISO/IEC 27001 certification audit: the organization is presumed to have adopted the necessary controls because the ISMS as a whole is in place and satisfies the requirements of ISO/IEC 27001. Furthermore, management defines the scope of the ISMS that is certified, which may be limited to a specific business unit or location. A certificate therefore says nothing about the approach to information security in the rest of the organization, and anyone relying on a supplier’s certificate should read its scope statement rather than the certificate alone.

Other standards in the ISO/IEC 27000 family, such as ISO/IEC 27005, provide additional guidance on specific aspects of designing, implementing, and operating an ISMS, such as information security risk management.