ISO/IEC 27001

Overview

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for establishing, implementing, maintaining, and continually improving information security across an organization.

The standard is certifiable — organizations can undergo third-party audits to achieve ISO 27001 certification, which is widely recognized as the gold standard for information security management.

Core Structure

ISO 27001 follows the Plan-Do-Check-Act (PDCA) cycle and is structured around:

  1. Context of the organization — understanding internal/external issues and stakeholder needs
  2. Leadership — management commitment, policy, roles and responsibilities
  3. Planning — risk assessment, risk treatment, statement of applicability
  4. Support — resources, competence, awareness, communication, documented information
  5. Operation — operational planning and control, risk treatment implementation
  6. Performance evaluation — monitoring, measurement, internal audit, management review
  7. Improvement — nonconformity, corrective action, continual improvement

Annex A Controls

The standard includes Annex A, a catalog of 93 controls organized into 4 themes (in the 2022 revision):

  • Organizational controls (37 controls) — policies, roles, classification, access control, cryptography
  • People controls (8 controls) — screening, terms of employment, awareness, disciplinary process
  • Physical controls (14 controls) — secure areas, equipment, media handling, clearing equipment
  • Technological controls (34 controls) — authentication, logging, monitoring, backup, resilience, testing

Each control has a code (e.g., A.5.1, A.8.9) and a descriptive title. Organizations select which controls apply based on their risk assessment.

Key Concepts

  • Statement of Applicability (SoA) — documents which Annex A controls are selected, why, and how they are implemented
  • Risk Assessment — systematic process for identifying, analyzing, and evaluating information security risks
  • Risk Treatment — selecting and implementing controls to modify risks
  • Continual Improvement — ongoing enhancement of the ISMS through PDCA cycles

Certification Process

  1. Implement ISMS per the standard
  2. Conduct internal audit and management review
  3. Engage an accredited certification body for Stage 1 (documentation review) and Stage 2 (implementation audit)
  4. Receive certification valid for 3 years, with annual surveillance audits

Relationship to Other Standards

  • ISO 27002 — Provides detailed implementation guidance for Annex A controls
  • ISO 27005 — Information security risk management guidelines
  • NIST Cybersecurity Framework — Complementary framework used alongside ISO 27001
  • SOC 2 — Complementary audit framework for service organizations