ISO 27001
ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), and organizations can be formally certified against…
Definition
ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), and organizations can be formally certified against it.
Overview
Published by the International Organization for Standardization (jointly with the IEC), ISO 27001 takes a risk-based approach: organizations identify information security risks, select appropriate controls to mitigate them, and document how those controls are implemented and monitored. The standard's Annex A lists a comprehensive set of security controls spanning access control, cryptography, physical security, supplier relationships, and incident management, which organizations selectively apply based on their own risk assessment. Certification requires a formal audit by an accredited third-party certification body, and organizations must undergo periodic surveillance audits to maintain it — making ISO 27001 certification a recognized, externally verified signal of security maturity, often required by enterprise customers and in vendor due-diligence processes. It's frequently compared to the NIST Cybersecurity Framework, which is more flexible and outcome-based but not independently certifiable in the same way, and to SOC 2, which is more common among North American SaaS vendors. ISO 27001 is covered as part of governance and compliance training in Governance, Compliance & Career Readiness.
Key Concepts
- International standard for an Information Security Management System (ISMS)
- Risk-based approach: identify risks, select controls, document and monitor
- Annex A provides a comprehensive catalog of selectable security controls
- Formal third-party certification available, unlike many other frameworks
- Requires periodic surveillance audits to maintain certification
- Widely required in enterprise vendor due-diligence and procurement