An effective Information Security Framework:
- Provides management with a clear picture of Information Security risks.
- Accounts for the detection, containment and learning from security incidents.
- Includes an independent assessment of the security posture of the organization.
- Is a management system, which is much more than a set of controls.
ISO 27001 is the baseline reference for exactly this purpose: it specifies an Information Security Management System (ISMS). Beyond the specific controls listed in Annex A, ISO 27001 sets out how to identify information security assets (what to protect), perform a security risk assessment, select controls using a risk-based approach, and monitor the effectiveness of those controls over time. For more information see "ISO 27001: a blueprint for success".