ISO IEC 27001 2013 is an
information security management standard.
It defines a set of
information security management requirements.
The official complete name of this standard is
Information technology -
Security techniques - Information security
management systems - Requirements.
These requirements are found in seven sections of the standard (sections 4 to 10).
According to ISO IEC 27001, you must meet all of these requirements if you wish to claim that your information security management system (ISMS) complies with this standard.
SCOPE OF STANDARD
ISO IEC 27001 is a generic information security management standard. It can be used by any organization. It doesn't matter what size it is or what it does.
The purpose of ISO IEC 27001 is to help organizations establish and maintain an information security management system (ISMS). An ISMS is a set of interrelated elements that organizations use to control information security risks and to protect their information. These elements include all of the policies, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information.
While ISO IEC 27001 says that you must meet every single requirement (sections 4 to 10), exactly how you do this is up to you and will depend on your organization's objectives, its unique security risks and requirements, and the needs and expectations of interested parties. It will also be influenced by the organization's inherent complexity and its corporate context. Exactly how you apply the standard will depend upon your organization's unique legal, regulatory, and contractual obligations, and on the processes it uses to deliver its products and services.
HOW TO USE ISO IEC 27001
If you don't already have an information security management system (ISMS), you can use the ISO IEC 27001 2013 standard to establish one. And once you've established your organization's ISMS, you can use it to protect and preserve the confidentiality, integrity, and availability of information and to manage and control your information security risks.
ISO IEC 27001 is designed to be used for certification purposes. Once you've established an ISMS that meets all of the standard's requirements and deals with your organization's unique risks, you can ask a registrar (certification body) to audit your system. If you pass the audit, your registrar will issue an official certificate that states that your ISMS meets the ISO IEC 27001 2013 requirements.
While ISO IEC 27001 2013 is specifically designed to be used for certification purposes, you don't have to be certified. You can be in compliance without being formally certified by an accredited certification body. You can self-audit your information security management system and then announce to the world that it complies with the ISO IEC 27001 standard (assuming that it actually does). Of course, your compliance claim will have more credibility if an independent certification body or registrar has audited your ISMS and agrees with your claim.