Glossary

ISO 27001

ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS).

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It formally specifies requirements for an Information Security Management System (ISMS).

The standard defines how an organization should:

  • Establish an ISMS, including scope, objectives, roles, and responsibilities
  • Identify, analyze, and evaluate information security risks using a defined risk assessment process
  • Select and apply risk treatment options and controls, referenced in ISO 27001 and ISO 27002
  • Document policies, procedures, and other required information to support the ISMS
  • Monitor, measure, and review ISMS performance and the effectiveness of controls
  • Apply corrective actions and continuous improvement activities to the ISMS

Organizations can implement ISO 27001 internally or seek independent certification by an accredited certification body to demonstrate that their ISMS conforms to the standard’s requirements.
