100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

ISO 27001

IntermediateConcept1.7K learners

ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), and organizations can be formally certified against…

Definition

ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), and organizations can be formally certified against it.

Overview

Published by the International Organization for Standardization (jointly with the IEC), ISO 27001 takes a risk-based approach: organizations identify information security risks, select appropriate controls to mitigate them, and document how those controls are implemented and monitored. The standard's Annex A lists a comprehensive set of security controls spanning access control, cryptography, physical security, supplier relationships, and incident management, which organizations selectively apply based on their own risk assessment. Certification requires a formal audit by an accredited third-party certification body, and organizations must undergo periodic surveillance audits to maintain it — making ISO 27001 certification a recognized, externally verified signal of security maturity, often required by enterprise customers and in vendor due-diligence processes. It's frequently compared to the NIST Cybersecurity Framework, which is more flexible and outcome-based but not independently certifiable in the same way, and to SOC 2, which is more common among North American SaaS vendors. ISO 27001 is covered as part of governance and compliance training in Governance, Compliance & Career Readiness.

Key Concepts

  • International standard for an Information Security Management System (ISMS)
  • Risk-based approach: identify risks, select controls, document and monitor
  • Annex A provides a comprehensive catalog of selectable security controls
  • Formal third-party certification available, unlike many other frameworks
  • Requires periodic surveillance audits to maintain certification
  • Widely required in enterprise vendor due-diligence and procurement

Use Cases

Demonstrating security maturity to enterprise customers and partners
Structuring an organization-wide information security management program
Satisfying vendor risk assessments and procurement security requirements
Preparing for cross-border operations where ISO 27001 is a recognized baseline
Guiding internal audits of access control, cryptography, and incident response

Frequently Asked Questions