ISO 27001 (formally ISO/IEC 27001:2005, the edition discussed here) is the standard that specifies the requirements for an information security management system (ISMS). An ISMS is the set of policies and procedures that encompasses all the legal, physical, and technical controls involved in an organization's information risk management processes.
According to its introduction, ISO 27001 was prepared to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System."
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage the identified risks.
5. Select the control objectives and controls to be implemented.
6. Prepare a statement of applicability.
The standard also covers documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. It requires cooperation across all levels of the organization.
ISO/IEC 27001 does not mandate specific information security controls, but its Annex A provides a checklist of controls that should be considered, drawn from the ISO/IEC 27002:2005 code of practice. That second standard describes a comprehensive set of information security control objectives together with a set of controls that are generally accepted as good practice.