ISO IEC 27001 2013 Plain English

This web page presents a brief Plain English overview of the
ISO IEC 27001 information security standard. For more detail,
please see ISO IEC 27001 2013 Translated into Plain English.

Also see NIST Cybersecurity Framework and NIST Privacy Framework.

Overview of ISO 27001 Information Security Management Standard

Part 4 Context asks you to understand your organization and its context before
you establish its information security management system (ISMS). It asks you
to identify the issues that are relevant to your organization's purpose and to
consider the influence these issues could have on its ability to achieve the
objectives that its ISMS needs to achieve.

This means that you need to understand your organization's approach
to governance, its capabilities, its culture, its contracts, its stakeholders, its
interested parties, its environmental conditions, and its legal obligations before
you develop its ISMS. Why? Because your ISMS will need to be able to cope with
all of these influences. Once you've considered all of this, you're ready to define
the scope of your ISMS and to begin its development.

Part 5 Leadership expects your organization's top management to provide
leadership for the ISMS by showing they support it, by making sure that people
understand how important information security actually is, by assigning
responsibility for it, and by establishing an information security policy.

Part 6 Planning asks you to identify the risks and opportunities that could
influence the effectiveness of your organization's ISMS or disrupt its operation
and then to figure out what you need to do to address these risks and opportunities.

It also asks you to assess your organization's information security risks, to select
risk treatment options, to choose the information security controls that are needed
to implement these options, and to formulate a risk treatment plan.

Finally, it asks you to establish information security objectives at all relevant
levels and for all relevant functions within your organization and to develop
plans to achieve these objectives.

Part 7 Support expects your organization to support its ISMS by providing
resources. It asks you to ensure the competence of the people who have an
impact on your organization's security and to ensure that they are aware of their
responsibilities. It then asks you to figure out how extensive and detailed your
organization's ISMS documents and records need to be. It then asks you to
include all necessary documents and records and to manage and control
their creation and modification.

Part 8 Operation asks you to establish the processes that your organization
needs in order to meet its information security requirements, to carry out
the actions needed to address its information security risks and opportunities,
and to implement the plans needed to achieve its information security objectives.

Part 8 also asks you to perform regular information security risk assessments,
to prioritize your risks, and to maintain a record of risk assessment results. And,
finally, it asks you to implement your information security risk treatment plans
and to maintain a record of your risk treatment results.

Part 9 Evaluation asks you to monitor, measure, analyze, audit, and evaluate
your organization's ISMS and to review its suitability, adequacy, and effectiveness
at planned intervals.

Part 10 Improvement asks you to identify nonconformities, to take appropriate
corrective actions, and to enhance the suitability, adequacy, and effectiveness
of your organization's ISMS.


Updated on April 5, 2021. First published on November 12, 2013.


Copyright © 2013 - 2021 by Praxiom Research Group Limited. All Rights Reserved.
