Essentially, ISO 27001 is the specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures covering the legal, physical, and technical controls involved in an organization's information risk management process.
According to ISO’s official documentation, the specification was created to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and enhancing an information security management system.”
The implementation of ISO 27001 requires a top-down, technology-neutral, risk-based strategy.
The ISO specification also defines a six-step planning procedure:
- Define a security policy
- Define the scope of the ISMS
- Conduct a risk assessment
- Manage the identified risks (risk treatment)
- Select control objectives and controls
- Prepare a Statement of Applicability (SoA), which records which controls apply and why
The specification does not mandate specific security technologies or procedures, but its Annex A lists controls that ISO 27002, the companion code of practice, describes in detail. Most organizations that implement ISO 27001 also implement ISO 27002.