ISO/IEC 27001 is the international standard for information security management, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS): a structured framework of policies, processes, and controls for managing information security risk. The standard is deliberately technology-neutral; it prescribes the management system and a risk-driven selection of controls rather than specific technical measures.
The mandatory requirements are set out in clauses 4 through 10 of the standard, which an organization must meet in full to be certified:
- Context — understanding the organization, its stakeholders, and the scope of the ISMS
- Leadership — commitment from management and defined roles and responsibilities
- Planning — identifying risks and opportunities, setting security objectives, and planning to achieve them
- Support — ensuring adequate resources, competence, awareness, and documented information
- Operation — implementing and controlling processes to meet ISMS requirements
- Performance evaluation — monitoring, measurement, analysis, and evaluation of the ISMS
- Improvement — continual improvement of the ISMS based on evaluation results
ISO 27001 certification is awarded after an audit by an accredited certification body, which verifies that the ISMS meets the clause 4 through 10 requirements and that the organization's Statement of Applicability justifies which Annex A controls were selected or excluded. Certification is typically valid for three years, with annual surveillance audits and a full recertification audit at the end of the cycle. Certification bodies are themselves accredited by national accreditation bodies such as ANAB (anab.ansi.org) in the United States and UKAS in the United Kingdom. ISO itself (iso.org) publishes the standard but does not perform audits, issue certificates, or accredit certification bodies, so a claim of being "certified by ISO" is a warning sign when evaluating a vendor's compliance status.