ISO 27001 provides guidance on, and an explanation of, an information security management system (ISMS).
It covers a risk assessment process, organizational structure, information classification, access control mechanisms, physical and technical safeguards, information security policies and procedures, and monitoring and reporting guidelines.
It prescribes no specific tools, solutions, or methods; instead it functions as a compliance checklist.
ISO 27001 was first published in 2005 and revised in 2013. The latest edition is from 2018, under the title "Information technology - Security techniques". ISO 27001 is the most widely adopted information security standard worldwide.
It consists of two parts:
- Clauses
- Annex A
There are 11 clauses, numbered 0-10.
Clauses 0-3 are guidance clauses and are not mandatory.
Clauses 4-10 are mandatory and must be implemented by any organization that wants to achieve compliance.
The ISO 27001 clauses are best implemented using the PDCA (Plan, Do, Check, Act) cycle:
- Clauses 4-7 are the Plan phase
- Clause 8 is the Do phase
- Clause 9 is the Check phase
- Clause 10 is the Act phase
Annex A is also known as the Statement of Applicability (SOA). Because every organization differs, each organization must write its own SOA. Annex A of ISO 27001 runs from A5 to A18 and contains the information security operational controls that are important for managing and improving information security.