ISO 27001 – The standard for Information Security management

What is the ISO/IEC 27001:2013 standard?

ISO/IEC 27001:2013 is a standard to implement the processes and controls that make up an Information Security Management System.

An effective Information Security management system (ISMS):

  • Provides management with a clear picture of Information Security risks.
  • Accounts for the detection, containment and learning from security incidents.
  • Includes an independent assessment of the security posture of the organization.
  • Is a management system, which is much more than a set of controls.

What’s in the ISO 27001:2013 standard?

The ISO/IEC 27001:2013 standard is composed of the following ten clauses (clauses 4 to 10 contain the management system requirements) and an annex of information security control objectives and controls:


1 Scope.

2 Normative references.

3 Terms and definitions.

4 Context of the organization.

5 Leadership.

6 Planning.

7 Support.

8 Operation.

9 Performance evaluation.

10 Improvement.

Annex A Reference control objectives and controls.

ISO 27001 provides a reference set of controls for an Information Security Management System. Beyond the controls listed in Annex A, ISO 27001 requires the organization to identify any additional controls it needs, including those arising from the requirements of relevant interested parties such as customers and regulators, and to record the result in a Statement of Applicability.

What are the ISO 27001 controls categories in Annex A?

Annex A in ISO/IEC 27001:2013 includes the categories below. The section numbers are those used in the standard (A.5 to A.18); they start at five and continue the numbering of the preceding clauses.

5 – Information security policy

6 – Organization of information security

7 – Human resource security

8 – Asset management

9 – Access control

10 – Cryptography

11 – Physical and environmental security

12 – Operations security

13 – Communications security

14 – System acquisition, development and maintenance

15 – Supplier relationships

16 – Information security incident management

17 – Information security aspects of business continuity management

18 – Compliance

What are the key drivers to implement ISO 27001?

Among the drivers for organizations to implement ISO 27001 are to:

  • meet the expectations of internal and external stakeholders, including owners/stockholders, customers and regulators.

Why do organizations pursue ISO 27001 certification?

Organizations take the step to certify in order to:

  1. meet customer requirements.
  2. obtain an independent review of the appropriateness of their Information Security program.
  3. provide assurance to interested parties that their framework of Information Security management processes and controls has been assessed against a global standard.
  4. reduce the need for additional customer audits and reviews, or limit their scope.