Information Security Management System ISO 27001

The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements.

If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

ISO 27001 is the standard generic in nature applicable to all business sectors which globally recognized standard for information security management systems. It may be combined with certification to other management system standards, e.g. ISO 9001, ISO 14001 and OHSAS 18001.

The ISO 27001: 2022 certification standard provides a comprehensive approach to security of information needing protection, ranging from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Subjects to address include competence development of staff, technical protection against computer fraud, information security metrics and incident management as well as requirements common to all management system standards such as internal audit, management review and continuous improvement.

ISO 27001 Requirements

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

ISO 27001 Documentation Requirements

The ISMS documentation shall include:

• Documented statements of the ISMS policy and objectives
• The scope of the ISMS
• Procedures and controls in support of the ISMS
• A description of the risk assessment methodology
• The risk assessment report
• The risk treatment plan

• Management Understanding of the Value of Organisational Information
• Customer Confidence, Satisfaction and TRUST
• Business Partner Confidence, Satisfaction and TRUST
  e.g. Handling Sensitive Information of Customers & Business Partners
• Level of Assurance in Organisational Security & QUALITY
• Conformance to Legal and Regulatory Requirements

• Organisational Effectiveness of Communicating Security Requirements
• Employee Motivation and Participation in Security (Best Practices)
• Organisational Profitability
• Management and Handling of Security Incidents
• Ability to Differentiate Organisation for Competitive Advantage
• Organisational Credibility & Reputation