ISO/IEC 27001:2013 - Information security certification scheme
Programme name: ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements
Governing body of the standard: ISO/IEC JTC 1 (the joint ISO/IEC technical committee on information technology)
Accreditation Body/Bodies: Numerous national accreditation bodies, including UKAS (UK), ANAB (US) and JAS-ANZ (Australia/New Zealand)
Scope: Information Security
Cloud-relevance: ISO/IEC 27001 covers all areas of information security management and is applicable to cloud services, although the certified scope is defined by the organisation and must be checked against the services a customer actually consumes.
Type of certifiable organisation: Any, including SaaS, PaaS and IaaS providers
Type of trust model applicable (self-attestation / third-party / benchmark-test): Third-party assessment, with accreditation programmes in place for the certification bodies that perform the audits.
Is the certification proprietary or open: Open
Programme status (operational, in development): Operational
ISO/IEC 27001 is the international standard for information security management. It specifies the requirements for an information security management system (ISMS) that can be independently assessed and certified. A functioning ISMS gives an organisation a systematic way to protect financial and confidential data and so reduces the likelihood of it being accessed without authorisation.
Certification to ISO/IEC 27001 lets an organisation demonstrate commitment to, and compliance with, internationally recognised good practice, giving customers, suppliers and other stakeholders evidence that security is built into the way it operates. Note that the certificate covers only the scope declared in it; a relying party should read the scope statement and the Statement of Applicability rather than treating the certificate alone as proof that a particular service or control is covered.
The main body of the standard sets out the requirements for the management system itself. Annex A contains an extensive reference list of controls (114 controls in 14 domains in the 2013 edition). Controls are selected, from Annex A and from other sources where required, by assessing the risks facing the organisation and the applicability of each control to those risks; the resulting selection, with the justification for any Annex A control that is excluded, is recorded in the Statement of Applicability. The combination of the selected controls and the management system that maintains them is what makes ISO/IEC 27001 an effective information security standard.
The standard follows the common high-level structure (Annex SL) used by ISO management system standards, which makes it straightforward to integrate with other management systems an organisation may already have in place. The 7 core elements of the 2013 edition, corresponding to clauses 4 to 10 of the standard, are:
- Context of the Organization
- Performance Evaluation