ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements (second edition, ISO/IEC 27001:2013)

ISO/IEC 27001 formally specifies the requirements for an Information Security Management System (ISMS): a suite of management activities for handling information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and treats its information risks. Because the controls are selected from a risk assessment that must be repeated and reviewed, the security arrangements are continually tuned to keep pace with changes in threats, vulnerabilities and business impacts. This is an important property in such a dynamic field, and a key advantage of the ISO27k risk-driven approach over a fixed, prescriptive control set such as PCI DSS.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.

ISO/IEC 27001 Audit Checklist

4. Information security management system
4.2.1 a) Review the documented ‘scope and boundaries’ of the ISMS, particularly any exclusions. To what …

Planning and Preparation to Get Certified for ISO 27001

The overall ISMS scope is broken down into greater detail, typically by generating an ISMS audit work plan and checklist (please see the …