The ISO/IEC 27001 international standard for “Information technology — Security techniques — Information security management systems — Requirements” was originally published by ISO and IEC in 2005 and is based upon the earlier British standard BS 7799. Revised in 2013 and again in 2022, ISO/IEC 27001 specifies the requirements that your ISMS must meet in order for your organization to become certified to the standard. The requirements in ISO/IEC 27001 are supplemented by guidance contained in ISO/IEC 27002, which is where the controls in Annex A of ISO/IEC 27001 come from. ISO/IEC 27002 is well worth reading: it fills in some of the gaps in understanding how the requirements in ISO/IEC 27001 should be met and gives more clues about what the auditor may be looking for.
- Understand your company risk picture.
- Protect your business from security threats.
- Ensure data privacy (PII*) and integrity.
- Avoid regulatory breaches and fines.
- Prevent financial loss caused by a security breach.
- Protect your company reputation.
- Reduce the number of audits needed to meet contractual requirements.
- Gain a competitive edge.