


ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements (second edition)

Abstract

“This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the business activities of the organization and the risks it faces.”

Introduction

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard). The ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation’s information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits) of all sizes (from micro-businesses to huge multinationals) in all industries (e.g. retail, banking, defense, healthcare, education and government).

ISO/IEC 27001 does not formally mandate specific information security controls, since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are summarised in Annex A to ISO/IEC 27001, rather like a menu.
