# ISO/IEC 27001:2013

Information technology - Security techniques - Information security management systems - Requirements

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |

# Overview

ISO/IEC 27001 descends from BS 7799, a standard originally developed by the British Standards Institution (BSI); its second part, BS 7799-2, was adopted as ISO/IEC 27001 in 2005, and the edition covered here is ISO/IEC 27001:2013. ISO/IEC 27001 is the standard against which organizations certify, whereas ISO/IEC 27002 is the companion code of practice that describes the controls in detail and to which many other frameworks align.

The standard provides "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." It requires the information security management system (ISMS) to address the organization's relevant risks and components in a manner that is appropriate and adequate to those risks, rather than prescribing a fixed set of safeguards.

# Components

An ISMS gives an organization a structured, measured, and ongoing view of its security posture, so that security impacts can be assessed and decisions taken on the basis of risk. ISO/IEC 27001 is a standard framework for implementing and managing an ISMS. The 2005 edition was explicitly built on the Plan-Do-Check-Act (PDCA) model; the 2013 edition follows the common ISO management-system clause structure (Annex SL), but its clauses still map onto the same cycle:

- Plan: establish the objectives and processes needed to deliver results in accordance with the expected output.
- Do: implement the new processes.
- Check: measure the results of the new processes against the expected results in order to determine the differences.
- Act: analyze the differences found in the check stage to determine their cause and decide where changes need to be applied.

Annex A of ISO/IEC 27001:2013 lists 35 control objectives and 114 controls spread over 14 domains. The controls are not applied as a fixed checklist: the organization selects them to treat the risks identified through its formal risk assessment and records that selection, with a justification for each inclusion and exclusion, in a Statement of Applicability that auditors check against the risk treatment plan. The following domains make up Annex A:

| Annex | Control domain |
|---|---|
| A.5 | Information security policies |
| A.6 | Organization of information security |
| A.7 | Human resource security |
| A.8 | Asset management |
| A.9 | Access control |
| A.10 | Cryptography |
| A.11 | Physical and environmental security |
| A.12 | Operations security |
| A.13 | Communications security |
| A.14 | System acquisition, development, and maintenance |
| A.15 | Supplier relationships |
| A.16 | Information security incident management |
| A.17 | Information security aspects of business continuity management |
| A.18 | Compliance |