ISO/IEC 27001

Securing Excellence: Navigating Information Security with ISO Certification.

Global Standard for ISMS

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS): a systematic, risk-based approach to protecting the confidentiality, integrity and availability of an organization's information. It is the most widely recognized international standard for ISMS and the one against which organizations are certified.

ISO/IEC 27001:2013

Standard Components

Introduction

Provides an overview of the standard and its purpose.

Scope

States what the standard itself covers: the requirements for establishing, implementing, maintaining and continually improving an ISMS, and for assessing and treating information security risks. Excluding any of the requirements in Clauses 4 to 10 is not acceptable when an organization claims conformity. (The scope of the organization's own ISMS, that is, which information and which parts of the business it covers, is determined under Clause 4, Context of the Organization.)

Normative References

Lists the documents that are indispensable for applying the standard. For ISO 27001:2013 the sole normative reference is ISO/IEC 27000 (ISMS overview and vocabulary).

Terms and Definitions

Refers to ISO/IEC 27000 for the terms and definitions used in the standard rather than listing them itself.

Context of the Organization

Requires organizations to understand the internal and external context in which they operate, to identify interested parties and their relevant requirements, to determine the scope of the ISMS (including its boundaries and interfaces with other organizations), and to establish, implement, maintain and continually improve the ISMS.

Leadership

Requires demonstrable commitment from top management: an approved information security policy that is communicated and available, and clearly assigned roles, responsibilities and authorities for the ISMS.

Planning

Addresses the definition of the risk assessment process (criteria, risk owners, analysis and evaluation), the risk treatment process (including the Statement of Applicability, which records every Annex A control and the justification for including or excluding it, and a risk treatment plan approved by the risk owners), and measurable information security objectives with plans to achieve them.

Support

Covers resources, competence, awareness, communication, and documented information.

Operation

Covers operational planning and control: carrying out the processes needed to meet the security objectives and the planned risk treatment, performing information security risk assessments at planned intervals or when significant changes occur, and implementing the risk treatment plan. Outsourced processes must also be determined and controlled. Documented evidence of these activities is retained, but the rules for documented information itself sit in Clause 7, Support.

Performance Evaluation

Focuses on monitoring, measurement, analysis, and evaluation of the ISMS, including internal audits and management reviews.

Improvement

Deals with nonconformity and corrective action, continual improvement, and the updating of the ISMS.

Core Concepts

Risk Assessment and Treatment

ISO 27001 places a strong emphasis on identifying and managing information security risks through a systematic, repeatable risk assessment and treatment process. Controls are not applied wholesale: each Annex A control is selected or excluded on the basis of the assessed risks, and that decision is justified in the Statement of Applicability.

PDCA Cycle

The standard follows the Plan-Do-Check-Act (PDCA) cycle for continual improvement. Although the 2013 edition dropped the explicit PDCA model that the 2005 edition described, Clauses 4 to 10 map onto it directly: Plan (Clauses 4 to 7), Do (Clause 8), Check (Clause 9) and Act (Clause 10), so organizations plan, implement, monitor and continually improve their ISMS.

Controls

ISO 27001:2013 Annex A provides a reference set of 114 controls grouped into 14 sections (A.5 to A.18), covering areas from information security policies and access control through cryptography, operations and communications security to supplier relationships, incident management and compliance.

Certification

Organizations can undergo a certification process to demonstrate conformity with ISO 27001. Certification is conducted by accredited certification bodies, typically in two stages (a documentation review followed by an on-site audit), and a certificate is normally valid for three years, subject to annual surveillance audits and a recertification audit at the end of the cycle.

ISO/IEC 27001:2022

The 2022 edition aligns Annex A with ISO/IEC 27002:2022 and specifies 93 controls in 4 overarching groups. DiGRC provides native mapping for these controls to streamline your transition.

Organizational (37 controls):

Information policies, cloud service use, asset use, etc.

People (8 controls):

Remote work, confidentiality, non-disclosures, screening, etc.

Physical (14 controls):

Security monitoring, storage media, maintenance, facilities security, etc.

Technological (34 controls):

Authentication, encryption, data leak prevention, etc.

Evolution of the Standard

93 total controls, down from 114. The reduction comes from merging overlapping controls rather than dropping requirements; the 2013 controls remain covered.

4 domain groups (Organizational, People, Physical, Technological), condensed from 14 sections.

11 new controls focused on digital risk: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.

The mandatory clauses (4 to 10) remain largely consistent, ensuring a smooth transition for organizations already certified under the 2013 standard. The main work of a transition is updating the risk treatment plan and the Statement of Applicability to the new control set; the transition period for certificates issued against the 2013 edition ends on 31 October 2025.