
What Is ISO 27001?

By Alex Newth
Updated: May 17, 2024

ISO 27001 is part of a set of standards published by the International Organization for Standardization (ISO) that covers information security management systems. The entire 27000 series addresses information security in general, with 27001 specifically covering how to manage and assess risk in the information security field. The standard provides very little information about how to go about keeping information safe; instead it focuses on setting up, operating, and reviewing an Information Security Management System (ISMS). It distinguishes between different organization types to help tailor security, and it provides information to help organize a chain of command for dealing with information security and threats.

Information security involves making sure that only authorized people have access to data. It is not limited to digital media, such as databases and spreadsheets; paper records and physical assets also must be kept secure. While ISO 27001 offers very little on the specific methods of protecting information, it offers a great deal of guidance on how to implement, organize, maintain, and evaluate the management system required to keep that data secure.

ISO 27001 outlines how to plan for security by setting up an ISMS. There are methods and guidelines for how to implement, review, and monitor the security systems. There also are objectives and audits set in this standard so a company can test itself and ensure that it is properly secured against information theft.

Along with how to manage an information security system, ISO 27001 requires that a chain of command be set up. For example, it requires that some actions, such as deciding who has access to what information, be performed only by upper management or by approved employees in higher positions. It also provides methods for risk assessment, so employees can determine the threat to any particular type of information. The risk assessment methods are distinguished by organization type, since not all companies face the same kinds of threats.

When it comes to implementing information security, ISO 27001 does not specifically address how the ISMS is set up. That is because the controls are covered by the complementary standard, ISO 27002. These two standards were published separately because they were considered too large to be published as one. While ISO 27001 covers a given security control only briefly, ISO 27002 devotes an entire page or more to the same control, often focusing more on implementation.

Although ISO 27002 devotes more attention to controls and to actually securing information, an organization cannot be certified against this standard; it is an advisory standard, meaning that its recommendations can be applied differently by different types of organizations. This makes compliance testing difficult. Organizations can be certified against ISO 27001, however, because its focus is on the management system itself.

https://www.wisegeek.net/what-is-iso-27001.htm