IT risk management

ISO 27001 IT security management standard

ISO 27001 is an international standard that describes best practice for information security management systems. It belongs to the 27000 family of standards, all of which aim to help keep your business's information assets secure.

ISO 27001 controls

The standard specifies controls that are key to maintaining security. These cover (amongst other things):

  • security policy - what an information security policy is, what it should cover and why your business should have one
  • organisational security - how you should manage information security in a business
  • asset classification and control - eg how to audit and manage information itself, computers, software and services
  • staff security - eg training, responsibilities, vetting procedures, and response to incidents
  • physical and environmental security - eg keeping key locations secure as well as physical control of access to information and equipment
  • communications and operations management - secure operation of information processing facilities during day-to-day activities, especially computer networks
  • access control - right to use information and systems based on business and security needs, specifically controlling who can do what with your information resources
  • system development and maintenance - if you develop your own software, you will need to consider its design and maintenance to keep it secure and maintain information integrity
  • business continuity management - ie the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues
  • compliance - with relevant national and international laws

Like other ISO management system standards, you can certify your business to ISO/IEC 27001, but certification isn't mandatory.

You may choose to implement the standard in order to benefit from the best practice it contains, or you may wish to certify to reassure customers and clients that you follow best practice for information security management systems.
