Information Security Management System (ISO 27001:2013)
ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks.
It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.
Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement.
An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system