ISO 27001

What is ISO 27001?

ISO 27001, formally known as ISO/IEC 27001:2022, is an information security standard created by the International Organization for Standardization (ISO), which provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS).

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.

The goal of ISO 27001 is to help organizations protect their critical information assets and comply with applicable legal and regulatory requirements.

Organizations should apply the controls specified in ISO 27001 appropriately, in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance but not required, since the individual controls an organization applies depend on its unique risks.

Introduction to ISO 27001

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a set of security controls that are divided into 14 sections, each containing specific requirements.

ISO 27001 also includes a set of control objectives and activities to help organizations reduce the risk of data breaches and other security incidents. Organizations may use ISO 27001 as part of their overall information security strategy, or they can choose to be certified by an ISO-accredited certification body.

ISO 27001 certification shows an organization's commitment to protecting their critical data assets and complying with applicable laws and regulations.

How an information security management system (ISMS) works

An ISMS gives an organization a systematic approach to managing its information security, including the policies and procedures that govern its data. ISO 27001 provides the framework and guidelines for establishing, implementing and managing that ISMS.

The 14 phases of ISO 27001

ISO 27001 is currently the most widely adopted international information security standard and is used by organizations all over the world. By following ISO 27001, organizations can be confident that their ISMSes are up to date and comply with current best practices.

To do so, ISO 27001 provides a comprehensive framework that helps organizations develop and maintain a secure ISMS. ISO 27001 is divided into 14 phases:

  1. Information Security Policy
  2. Organization of Information Security
  3. Risk Assessment and Treatment
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development and Maintenance
  11. Supplier Relationships
  12. Compliance with Legal Requirements and Industry Standards
  13. Information Quality Management
  14. Risk Monitoring and Review

Figure: IT security frameworks, standards and regulations. ISO 27001 is one of many IT security frameworks and standards for organizations to choose from.

Best practices for preparing for ISO 27001 certification

ISO 27001 is a powerful tool for organizations to use when creating a secure ISMS, but it's important to remember that ISO 27001 is a framework, not an inflexible set of rules.

That means it must be studied, adapted and applied in the context of each organization's unique needs and circumstances. ISO 27001 provides best practices and guidance, but it's up to each organization to develop its own ISO 27001-compliant information security system.

Organizations should find an ISO-accredited certification body to assess their ISO 27001 compliance and provide training on topics such as risk assessment, access control, cryptography, physical security, communications security and more.

Organizations should also ensure they have the resources in place to plan and implement ISO 27001-compliant processes and controls.

Getting prepared for ISO 27001 certification

Using the steps below, organizations can ensure that they are properly prepared for ISO 27001 certification. Doing so helps them protect their critical data assets and comply with applicable laws and regulations:

  • Step 1. Build an ISO 27001-compliant ISMS.
  • Step 2. Identify risks, and develop risk treatment strategies.
  • Step 3. Implement ISO 27001-compliant processes and controls.
  • Step 4. Have an ISO-accredited certification body assess compliance.
  • Step 5. Monitor your ISO 27001 compliance regularly.

By following ISO 27001, organizations can reduce the risk of data breaches and other security incidents, protect their critical information assets, and comply with applicable legal and regulatory requirements.

Other standards in the 27000 family

There are several other standards being developed in the 27000 family:

  • ISO/IEC 27003 -- implementation guidance;
  • ISO/IEC 27031 -- resilience;
  • ISO/IEC 27005 -- risk management guidance;
  • ISO/IEC 27032 -- cybersecurity guidance;
  • ISO/IEC 27033 -- network security guidance;
  • ISO/IEC 27034 -- application security guidance;
  • ISO/IEC 27035 -- incident management guidance;
  • ISO/IEC 27036 -- information exchange protection guidelines for cloud and other outsourced services; and
  • ISO/IEC 27037 -- digital evidence handling guidelines.

This was last updated in December 2022