- Introduction — Describes the process for systematically managing information risks.
- Scope — Specifies generic ISMS requirements suitable for organizations of any type, size or nature.
- Normative References — Lists other standards that contain additional information relevant to determining ISO 27001 compliance (only one, ISO/IEC 27000, is listed).
- Terms and Definitions — Explains the more complex terms used in the standard.
- Organizational Context — Explains why and how to define the internal and external issues that can affect an enterprise's ability to build an ISMS, and requires the organization to establish, implement, maintain and continually improve the ISMS.
- Leadership — Requires senior management to demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles and responsibilities.
- Planning — Outlines processes to identify, analyze and plan to treat information risks and to clarify the objectives of information security initiatives.
- Support — Requires organizations to assign adequate resources, raise awareness, and prepare all necessary documentation.
- Operation — Details how to assess and treat information risks, manage changes, and ensure proper documentation.
- Performance Evaluation — Requires organizations to monitor, measure and analyze their information security management controls and processes.
- Improvement — Requires organizations to refine their ISMS continually, including addressing the findings of audits and reviews.
Reference Control Objectives and Controls:
The second part, Annex A, details a set of controls that can help you comply with the requirements in the first section. Organizations should choose the controls that best fit their specific needs and supplement them with other controls as needed.
Controls are grouped into the following domains:
- Information Security Policy - Ensures that policies are written and reviewed in accordance with the organization's security practices and general guidelines.
- Information Security Organization - Shares responsibilities for specific tasks.
- Human Resource Security - Ensures that employees and contractors understand their responsibilities.
- Asset Management - Enables organizations to identify information assets and define appropriate security responsibilities.
- Access Control - Ensures that employees only see information relevant to their job.
- Encryption - Encrypts data to ensure confidentiality and integrity.
- Physical and Environmental Security - Prevents loss, damage or theft of software, hardware and physical files by protecting premises and data against unauthorized physical access, damage or tampering, and by maintaining equipment.
- Operational Security - Ensures the security of information processing facilities.
- Communication Security - Secures the organization's information networks.
- System Acquisition, Development, and Maintenance - Secures both internal systems and systems that provide services on public networks.
- Supplier Relationships - Properly manages contractual agreements with third parties.
- Information Security Incident Management - Ensures effective management and reporting of security incidents.
- Information Security Aspects of Business Continuity Management - Minimizes business disruption.
- Compliance - Ensures compliance with applicable laws and regulations and reduces the risk of violations.
ISO 27001 compliant and certified:
Advantages:
By voluntarily complying with ISO 27001 requirements, organizations can proactively mitigate information security risks and improve their ability to comply with data protection requirements. Taking it one step further, achieving ISO 27001 certification allows you to demonstrate to your customers, partners, suppliers and others your commitment to protecting your information assets. This trust can enhance a company's reputation and give it a competitive advantage.
Required Documents:
Several documents are required to demonstrate compliance with ISO 27001, including: