What is the ISO/IEC 27001:2013 standard?
ISO/IEC 27001:2013 is a standard to implement the processes and controls that make up an Information Security Management System.
An effective Information Security management system (ISMS):
- Provides management with a clear picture of Information Security risks.
- Accounts for the detection, containment and learning from security incidents.
- Includes an independent assessment of the security posture of the organization.
- Is a management system, which is much more than a set of controls.
What’s in the ISO 27001:2013 standard?
The ISO/IEC 27001:2013 standard is composed of the following ten management system sections and an annex of information security control objectives and controls:
2 Normative references.
3 Terms and definitions.
4 Context of the organization.
9 Performance evaluation.
Annex A Reference control objectives and controls.
ISO 27001 provides a reference of controls for an Information Security Management System. Beyond the requirements for specific controls mentioned in Annex A, ISO 27001 provides guidance on how to identify additional controls from relevant stakeholders such as customers and regulators.
What are the ISO 27001 controls categories in Annex A?
Annex A in ISO 27001:2013 includes the categories below. The section numbers are those in the actual standard and start at number five, continuing the numbering from the previous sections.
5 – Information security policy
6 – Organization of information security
7 – Human resources security
8 – Asset management
9 – Access control
10 – Cryptography
11 – Physical and environmental security
12 – Operations security
13 – Communications security
14 – System acquisition, development and maintenance
15 – Supplier relationships
16 – Information security incident management
17 – Information security aspects of business continuity management
18 – Compliance
- meet customer requirements.
- obtain an independent review of the appropriateness of their Information Security program.
- provide assurance to interested parties of their framework of Information Security management processes and controls against a global standard.
- reduce the requirement for additional customer audits and reviews or limit their scope.