What do the ISO 27001 requirements and structure look like?

The ISO 27001 standard offers requirements and a structure that will provide guidance in implementing an Information Security Management System (ISMS). As a management system, ISO 27001 is based on continuous improvement – in this article, you will learn more about how this is reflected in the ISO 27001 requirements and structure.

Two main parts of the standard

The standard is separated into two parts. The first, main part consists of 11 clauses (0 to 10). The second part, called Annex A, provides a guideline for 114 control objectives and controls. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) set the introduction of the ISO 27001 standard. The following clauses 4 to 10, which provide ISO 27001 requirements that are mandatory if the company wants to be compliant with the standard, are examined in more detail further in this article.

Annex A of the standard supports the clauses and their requirements with a list of controls that are not mandatory, but that are selected as part of the risk management process. For more, read the article The basic logic of ISO 27001: How does information security work?

Sponsorships Available

Sponsorships Available

Sponsorships Available

Clause 4: Context of the organization

One prerequisite of implementing an Information Security Management System successfully is understanding the context of the organization. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.

With this in mind, the organization needs to define the scope of the ISMS. How extensively will ISO 27001 be applied to the company?

Read more about the context of the organization in the articles How to define context of the organization according to ISO 27001, How to identify interested parties according to ISO 27001 and ISO 22301, (Read more...)