ISO 27001 Defined

ISO27001 is an international standard for Information Security Management. The certification ensures the effectiveness of security controls and ensures all policies are in place. It provides a framework for organizations to follow and manage their information securely.

Is ISO27001 mandatory?

No. Although implementing ISO 27001 standards for information security controls is considered to be the industry best practice they are not mandatory for compliance.

Why is ISO27001 required?

ISO 27001 provides a standard framework for organizations to manage their information security and risk exposure. The ISO 27001 certification works as an assurance for clients and enhances the reliability and security of systems and information.

What type of business needs an ISO 27001 Certification?

ISO 27001 standards is a framework designed to protect the sensitive data of an organization. So, any organization that has sensitive information, can benefit from ISO 27001 Certification.

What is the difference between ISO27001 and ISO 27002?

The primary difference between ISO 27001 and ISO 27002 is that ISO 27002 is designed for reference when selecting security controls within the process of implementing an Information Security Management System based on ISO 27001.
Organizations can achieve certification to ISO 27001 but not for ISO 27002.

How many controls are there in ISO 27001 standard?

ISO27001 Standard comprises of 114 controls divided into 14 categories.

What are the 14 ISO 27001 control categories?

ISO 27001 controls are divided into 14 categories which include

Annex A.5 – Information security policies (2 controls)
Annex A.6 – Organisation of information security (7 controls)
Annex A.7 – Human resource security (6 controls)
Annex A.8 – Asset management (10 controls)
Annex A.9 – Access control (14 controls)
Annex A.10 – Cryptography (2 controls)
Annex A.11 – Physical and environmental security
Annex A.12 – Operations security (14 controls)
Annex A.13 – Communications security (7 controls)
Annex A.14 – System acquisition, development, and maintenance (13 controls)
Annex A.15 – Supplier relationships (5 controls)
Annex A.16 – Information security incident management (7 controls)
Annex A.17 – Information security aspects of business continuity management (4 controls)
Annex A.18 – Compliance (8 controls)