ISO IEC 27001 2013 is an information security management standard. It defines a set of information security management requirements.

The official complete name of this standard is ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. Its requirements are found in seven sections (sections 4 to 10).

According to ISO IEC 27001, you must meet every requirement if you wish to claim that your information security management system complies with this standard.
SCOPE OF STANDARD

ISO IEC 27001 is a generic information security management standard. It can be used by any organization. It doesn't matter what size it is or what it does.

The purpose of ISO IEC 27001 is to help organizations to establish and maintain an information security management system (ISMS). An ISMS is a set of interrelated elements that organizations use to manage and control information security and to protect and preserve the confidentiality, integrity, and availability of information. These elements include all of the policies, procedures, plans, practices, roles, responsibilities, and resources that are used to manage security risks and to protect information.

While ISO IEC 27001 says that you must meet every single requirement (sections 4 to 10), exactly how you do this is up to you and will depend on your organization's objectives, its information security risks and requirements, and the needs and expectations of interested parties. It will also be influenced by its inherent complexity and its corporate context. Exactly how you apply the standard will depend upon your organization's structure, its legal and regulatory requirements, and the processes it uses to deliver its products and services.
HOW TO USE ISO IEC 27001

If you don't already have an information security management system, you can use the ISO IEC 27001 2013 standard to establish one. And once you've established your ISMS, you can use it to protect and preserve the confidentiality, integrity, and availability of information and to manage and control your information security risks.

ISO IEC 27001 is designed to be used for certification purposes. Once you've established an ISMS that meets ISO's requirements and deals with your organization's unique risks, you can ask a registrar (certification body) to audit your system. If you pass the audit, your registrar will issue an official certificate that states that your ISMS meets the ISO IEC 27001 2013 requirements.

While ISO IEC 27001 2013 is specifically designed to be used for certification purposes, you don't have to become registered. You can be in compliance without being formally registered by an accredited certification body. You can self-audit your information security management system and then announce to the world that it complies with the ISO IEC 27001 standard (assuming that it actually does). Of course, your compliance claim may have more credibility if an independent certification body or registrar has audited your ISMS and agrees with your claim.