ISO 27001
Definition
ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published by the International Organization for Standardization and the International Electrotechnical Commission, it provides a systematic approach to managing sensitive information through risk management processes. ISO 27001:2022 is the current version, featuring 93 controls organized into four categories.
ISMS Clauses (4-10)
Clause 4: Context of the Organization -- understand internal and external issues, interested parties, and ISMS scope
Clause 5: Leadership -- top management commitment, information security policy, and organizational roles
Clause 6: Planning -- risk assessment methodology, risk treatment, and information security objectives
Clause 7: Support -- resources, competence, awareness, communication, and documented information
Clause 8: Operation -- operational planning, risk assessment execution, and risk treatment implementation
Clause 9: Performance Evaluation -- monitoring, internal audit, and management review
Clause 10: Improvement -- nonconformity handling, corrective action, and continual improvement
Annex A Control Categories (2022)
Organizational Controls (A.5)
37 controls covering policies, roles, asset management, access control, and supplier relationships.
People Controls (A.6)
8 controls covering screening, employment terms, security awareness, disciplinary processes, and post-employment responsibilities.
Physical Controls (A.7)
14 controls covering physical security perimeters, entry controls, equipment security, and secure disposal.
Technological Controls (A.8)
34 controls covering authentication, access rights, malware protection, logging, encryption, and secure development.