ISO 27001 is divided into two main parts. The first part is the requirements definition, while the second part is Annex A security controls. The first part defines the context of an organisation (such as scope or stakeholders’ expectation), leadership (such as policy), planning (such as risk assessment) and support (resources). Besides that, the first section describes ISO 27001 evaluation measurement (such as monitoring), operation (operational planning and control) as well as an improvement (such as correction
actions). The second part consists of the controls and control domains. The controls categorised under each control objective are high level and can be classified as different features, such as physical, technical or human resource
ISO 27001:2013 Sections 1 and 2 describe the standard scope, and how the document is referenced. Section 3 explains terms and definitions. Section 4 describes the ISMS[Int05]. The information security requirements part of ISO 27001 consists of Sections 4 to 9 [Int13], which include security manuals, standards, and procedures, as well as records [MCW12]. ISO 27001 ISMS hierarchical mandatory levels provide a central point for security manuals (policy), standards, guidelines, and procedures enforcement (processes). The first managerial part could be in the form of rules and guidelines based on the security requirements; while the second practical part comprises the implemented mechanisms and countermeasures to support the execution of expected information security policies.
Annex A defines an extensive list of 114 controls, which provides a suitable solution for defining essential countermeasures in any organisation [Fre07]. Annex A controls are categorised into 14 groups, based on their common objectives, from domains A.5 (the information security policies) to A.18 (Compliance). An overview of the control domains is provided in the Appendix A of this thesis (see page 93). Most of the control domains
include distinctive subdomains, which demonstrate the relevant controls in more details. The main areas of the implementation of ISO 27001 are policy, responsibilities, asset classification, personnel security, communication and access control [SLP14]. As ISO 27001 comprises two managerial and practical parts of security requirements and controls, information security activities should integrate into both fields, which guarantees practicability of information security polices to form an acceptable information security
culture. The next section clarifies the main differences between two latest versions of ISO27001:2005 and 2013.