The ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
This standard is an ISMS framework for monitoring and controlling security, minimizing risk and ensuring an organization's compliance with the standard's requirements.
The standard prescribes several aspects of the ISMS implementation process, as follows:
- All activities should be carried out in accordance with information security purposes and processes that are clearly defined and documented in policies or procedures.
- It provides security controls that the organization can select during implementation, based on its specific needs.
- All security measures used in the ISMS as an outcome of risk analysis should be implemented to eliminate risks or reduce them to an acceptable level.
- Processes must exist to verify all elements of the information security system through audits and reviews, so as to ensure continuous improvement.
- Processes must exist to ensure continuous improvement of all ISMS elements. Organizations may adopt any continuous improvement approach; the PDCA (Plan-Do-Check-Act) cycle is one option.
The ISO/IEC 27001 standard is intended to be used within an organization for the following purposes:
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met.
- Formulating information security requirements and objectives.
- Ensuring compliance with laws and regulations.
- As a way to ensure information security risks are being managed cost-effectively.
- Defining new information security management processes.
- Identifying and clarifying existing information security management processes.
- Determining the status of information security management activities.
- Providing relevant information about information security policies, directives, standards and procedures to partners.
- Implementing business-enabling information security.
- Providing relevant information about information security management to customers.
The ISO/IEC 27001:2013 standard does not formally mandate any specific information security controls, but the information security controls from another ISO standard, ISO/IEC 27002:2013, are listed in Annex A of ISO/IEC 27001.
Therefore, organizations adopting ISO/IEC 27001 are free to choose any applicable information security controls and may supplement them with controls from other standards, depending on their security situation. In this way, ISO/IEC 27001 incorporates a summary of the ISO/IEC 27002 controls in its Annex A.
ISO/IEC 27001 uses the ISO/IEC 27002 code of practice to indicate suitable information security controls within the ISMS. The standard comprises 14 security clauses, 35 domains and 114 controls.