ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an international standard that sets out the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a systematic and risk-based approach to managing the security of sensitive information within an organization.
By implementing ISO/IEC 27001:2013, organizations can demonstrate their commitment to protecting sensitive information and mitigating information security risks.
Its structured approach to managing information security helps organizations establish a robust framework to protect their assets and maintain the confidentiality, integrity, and availability of information.
The core concepts of ISO/IEC 27001:2013 are:
Information security management system (ISMS): The standard emphasizes the establishment and maintenance of an ISMS, which is a framework of policies, procedures, processes, and controls that manages an organization's information security risks. The ISMS should be based on a risk assessment and consider the organization's overall business objectives.
Context of the organization: ISO/IEC 27001:2013 requires organizations to identify the internal and external issues that could affect the security of their information assets. This includes understanding the organization's needs and expectations, the interested parties involved, and the scope of the ISMS implementation.
Leadership and management commitment: Top management plays a crucial role in supporting and demonstrating commitment to information security. They are responsible for establishing the information security policy, assigning roles and responsibilities, providing the necessary resources, and promoting a culture of security awareness and continuous improvement.
Risk assessment and treatment: The standard emphasizes the importance of identifying and assessing information security risks. Organizations are required to adopt a systematic approach to risk assessment and treatment, which includes identifying risks, evaluating their potential impact, implementing appropriate controls to mitigate or accept risks, and monitoring their effectiveness.
Control objectives and controls: ISO/IEC 27001:2013 provides a comprehensive list of control objectives and controls that organizations can consider implementing to address information security risks. These controls are organized into 14 domains, covering areas such as access control, cryptography, incident management, business continuity, and compliance with legal and regulatory requirements.
Performance evaluation: The standard emphasizes the need for monitoring, measurement, analysis, and evaluation of the ISMS to ensure its effectiveness and identify areas for improvement. This includes conducting internal audits, management reviews, and periodic assessments of the ISMS against the established objectives and performance criteria.
Continuous improvement: ISO/IEC 27001:2013 promotes a culture of continuous improvement in information security management. Organizations are encouraged to set objectives for enhancing their information security performance, take into account the results of performance evaluations, and implement corrective and preventive actions as necessary.
For more information, see iso.org.