International Organization for Standardization (ISO) 27001

ISO/ICE 27001 lists out requirements for an information security management system under the ISO/ICE 27000 family of standards. ISO/ICE 27000 outlines international standards for organizations’ information security management process. Any organization requiring managing information assets like financial information, intellectual property, employee details, and information related to third parties should comply with these ISO standards.

ISO 27001 Annex A controls #

ISO 27001 Annex A control lists security control measures for a good Information Security Management System (ISMS). The measures are categorized across below mentioned 14 categories,
  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development, and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

ISO 27001 requirements #

The requirements under ISO 27001 are listed in section 4.1 through section 10.2. These requirements discuss the general compliance criteria for organizations needing to get ISO 27001 certification. The requirements are represented below,
  • 4.1 Understanding the organization and its context
  • 4.2 Understanding the needs and expectations of interested parties
  • 4.3 Determining the scope of the ISMS
  • 4.4 Information security management system (ISMS)
  • 5.1 Leadership and commitment
  • 5.2 Information Security Policy
  • 5.3 Organisational roles, responsibilities, and authorities
  • 6.1 Actions to address risks and opportunities
  • 6.2 Information security objectives and planning to achieve them
  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
  • 7.5 Documented information
  • 8.1 Operational planning and control
  • 8.2 Information security risk assessment
  • 8.3 Information security risk treatment
  • 9.1 Monitoring, measurement, analysis, and evaluation
  • 9.2 Internal audit
  • 9.3 Management review
  • 10.1 Nonconformity and corrective action
  • 10.2 Continual improvement

Powered by BetterDocs

Ready to get Started?

Experience our Award-winning GRC platform!

Drive efficiency and value across your business with VComply’s user-friendly platform.
Product Enquiry
For any product enquiries, get in touch with a product specialist today!
Help Desk
Find your answers in our expansive knowledge base.
Start for Free
Speak to Our Compliance Expert
Get Case Study
Get Case Study
Get Case Study
Get Case Study
Get Case Study
Start a Free Trial