What is ISO 27001?
ISO/IEC 27001:2022 (ISO 27001) is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all corporate data (such as financial information, intellectual property, employee details or information managed by third parties).
The ISO 27001 framework was published in 2013 by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) and belongs to the ISO 27000 family of standards. It is the only internationally recognized certifiable information security standard.
ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2022, which explains how to implement information security controls for managing information security risks.
ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organizations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organization, see our page on the ISO 27001 and ISO 27002:2022 updates.
Free PDF download: Information Security and ISO 27001 – An introduction
This free green paper helps you understand how ISO 27001 works, highlights key implementation points, and explores the benefits of implementing an ISMS and achieving ISO 27001 certification.
How do ISO 27001 audits work?
Certification can be obtained once a certification body has conducted an external audit. Auditors will review the organization’s practices, policies, and procedures to assess whether the ISMS meets the requirements of the Standard.
Certification usually lasts for three years, but organizations have to conduct routine internal audits as a continual improvement process.
Once certified, a certification body will usually conduct an annual assessment to monitor compliance.
What is an ISMS (information security management system)?
An ISMS is a defined, documented management system that consists of a set of policies, processes, and systems to manage risks to organizational data to ensure acceptable levels of information security risk. Ongoing risk assessments help identify security threats and vulnerabilities that need to be managed through a set of controls.
Having an established ISO 27001-compliant ISMS helps you manage the confidentiality, integrity, and availability of all corporate data in an optimized and cost-effective way.
Speak to an ISO 27001 expert
For more information about ISO 27001 and how we can help you implement an ISMS – whatever your size, budget, or level of expertise – get in touch with one of our experts today.
ISO 27001 and risk management
Risk management forms the foundation of an ISMS. Routine risk assessments help to identify specific information security risks. ISO 27001 recommends a set of controls that can be applied to manage and reduce those risks.
ISO 27001 controls and requirements
ISO 27001 consists of 93 controls (included in Annex A and expanded on in ISO 27002) that provide a framework for identifying, treating, and managing information security risks.
A summary of the ISO/IEC 27001:2022 controls
- A.5 Organizational controls
- A.6 People controls
- A.7 Physical controls
- A.8 Technological controls
The management clauses of ISO/IEC 27001:2022
In addition to the controls, ISO 27001 comprises ten management system clauses that guide the implementation, management, and continual improvement of an ISMS.
- 1, 2, and 3: Scope, normative references, and terms and definitions
- 4: Context of the organization
- 5: Leadership
- 6: Planning
- 7: Support
- 8: Operation
- 9: Performance evaluation
- 10: Improvement
Ready to simplify your security? Let’s get started
Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.
How IT Governance USA can help you
- Our implementation methodology has been honed over 15 years
- We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
- We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
- You benefit from real-world practitioner expertise, not just academic knowledge
- We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide
- We’ve helped hundreds of consultancy clients achieve certification to and compliance with ISO 27001
- We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
- Our pricing and proposals are completely transparent, so you won’t get any surprises
- We can help small organizations prepare for ISO 27001 certification in three months