What is the ISO 27001 Security Standard?
The ISO/IEC 27001 standard provides requirements for information security management systems (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27001 security standard is a set of best practices that support organizations in managing their information security by addressing people, processes, and technology. The standard is applicable to organizations of any size or type, and is technology- and vendor-neutral.
The ISO/IEC 27001 standard engages a risk-based approach to information security, requiring organizations to identify information security risks pertinent to their organization and the space in which they operate, and to select the appropriate controls to address those risks.
ISO 27001 comprises 114 controls divided into 14 categories. There is no requirement to implement the full list of ISO 27001’s controls; rather, they are possibilities for an organization to consider based on its particular needs. The 14 categories are:
Information security policies
Organization of information security and assignment of responsibility
Human resource security
Information asset management
Employee access control
Encryption and management of sensitive information
Physical and environmental security
System acquisition, development, and maintenance
Information security incident management
Information security aspects of business continuity management
ISO 27001 is a world-class standard that can support an organization in proving its security practices to potential customers. The full standard provides a wide range of controls that an organization can utilize to ensure that its approach to information security is comprehensive.
View Drata Glossary
Learn more about other compliance and cybersecurity concepts in our glossary.