ISO 27001 is part of a set of standards published by the International Organization for Standardization (ISO) that covers information security management systems. The entire 27000 series addresses information security in general, with 27001 specifically relating to how to manage and assess risk in the information security field. The standard provides very little information about how to go about keeping information safe; it instead focuses on setting up, operating, and reviewing an Information Security Management System (ISMS). It distinguishes between different organization types to help optimize security, and it provides information to help organize a chain of command to deal with information security and threats.
Information security involves making sure that only authorized people have access to data. It is not limited to digital media, such as databases and spreadsheets; paper information and physical assets also must be kept secure. While ISO 27001 offers very little on the methods of securing information themselves, it offers a great deal of information about how to implement, organize, maintain, and evaluate the systems required to keep that data secure.
ISO 27001 outlines how to plan for security by setting up an ISMS. It gives methods and guidelines for how to implement, review, and monitor the security systems. The standard also sets objectives and audits so that a company can test itself and ensure that it is properly secured against information theft.
Along with describing how to manage an information security system, ISO 27001 requires that a chain of command be set up. For example, it requires that some actions, such as deciding who has access to what information, only be performed by upper management or by approved employees in higher positions. It also provides methods for risk assessment, so employees can determine the threat to any particular type of information. The risk assessment methods are distinguished by organization type, since not all companies face the same kinds of threats.
When it comes to implementing information security, ISO 27001 does not specifically address how the ISMS is set up. That is because all the controls are covered by the complementary standard, ISO 27002. These two standards were published separately because they were considered too large to be published as one. While ISO 27001 covers a given security control only briefly, ISO 27002 devotes an entire page or more to the same control, often focusing more on implementation.
Although ISO 27002 devotes more information to controls and to actually securing information, an organization cannot be certified against this standard; it is an advisory standard, meaning that its recommendations can be applied differently to different types of organizations. This makes compliance testing difficult. Organizations can be certified against ISO 27001, however, with its focus on the management systems themselves.