Glossary- ISO 27001 security standard
The ISO 27001 standard is a set of requirements that are provided to Information Security Management Systems (ISMS) by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). This ISO 27001 security standard is a combined set of best practices that support various organizations in effectively managing their information security by addressing the people, processes, and technology that come in contact with them. This security standard applies to organizations of all sizes or types and is both technology and vendor-neutral.
The IEC/SOC 27001 security standard established a risk-based approach to information security and required organizations to identify potential security risks relevant to their organization based on the space in which they operate. It also requires them to choose the appropriate controls to address and avoid those potential risks.
In totality, ISO 27001 comprises 114 security controls that are divided into 14 different categories. There is no standard requirement to implement the complete list of these mentioned controls. However, there are possibilities for an organization to consider based on its specific needs. These 14 categories are:
- Information security policies
- Human resource security
- Supplier relationships
- Information asset management
- Employee access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Encryption and management of sensitive information
- Organization of information security and assignment of responsibility
- Information security incident management
- Information security aspects of business continuity management
Hence, it can be said that SO 27001 is a world-class security standard that can provide support to any organization in establishing its security practices for potential clients. The full security standard offers a wide range of security controls an organization can implement to ensure that its information security approach is fully comprehensive and effective.