BS ISO/IEC 27001:2013
Information security management systems - Requirements
What is it?
BS ISO/IEC 27001:2013 is an internationally acclaimed standard for information security management. It is the foundation standard for implementing an Information Security Management System (ISMS).
Since their inception in the early 1990s, globally recognized information security standards have grown in rigour and recognition, as have the threats they address and the accepted ways of managing them. BS ISO/IEC 27001:2013 reflects current best practice for information security management. It specifies the requirements for establishing an ISMS, monitoring its performance and improving it when necessary.
BS ISO/IEC 27001:2013 enables your organization’s information security to be externally assessed and certified.
How does it work?
BS ISO/IEC 27001:2013 follows the high-level structure now common to all recent management system standards. This allows easy integration when implementing more than one management system within your organization, for example when combining information security with quality (BS EN ISO 9001:2015) or environmental management (BS EN ISO 14001:2015).
BS ISO/IEC 27001:2013 is not unnecessarily prescriptive: it states what must be achieved and leaves organizations free to satisfy each requirement in the manner best suited to them.
BS ISO/IEC 27001 uses BS ISO/IEC 27002, a Code of Practice for information security controls, as its source of possible security measures. BS ISO/IEC 27001:2013 is fully aligned with BS ISO/IEC 27002:2013.
BS ISO/IEC 27001 and BS ISO/IEC 27002 are supported by a wide range of other specialist standards in the 27000 series.
Who should buy it?
Anyone who is planning to build, operate, audit or certify an ISMS needs BS ISO/IEC 27001:2013. It is the baseline standard of the ISO 27000 series of information security management international standards.
BS ISO/IEC 27001:2013 will also be of interest to anyone with an interest in integrated management systems, or a general interest in assessing information security measures.
BS ISO/IEC 27001 is supported by a wide range of other specialist standards in the 27000 series:
BS ISO/IEC 27000, Overview and vocabulary, is essential for anyone using 27001 or 27002, as it defines the specialist terms used across the ISMS standards.
BS ISO/IEC 27002, Code of practice for information security controls, provides guidance on the security controls that organizations should consider for incorporation within their ISMS.
BS ISO/IEC 27003, Information security management system implementation guidance, is essential for anyone building an ISMS, as it explains how to implement the requirements of 27001.
BS ISO/IEC 27004, Information security management systems measurement, is essential for anyone operating an ISMS, as it explains how to measure and assess the effectiveness of the ISMS in actual operation.
BS ISO/IEC 27005, Information security risk management, provides guidance on the risk assessment and risk treatment that 27001 requires, and so is essential for determining whether an ISMS adequately addresses the organization's security risks.
BS ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems, is essential for anyone wishing to formally audit or certify an ISMS, and for organizations seeking certification that want to understand how certification audits are conducted.
BS ISO/IEC 27007, Guidelines for information security management systems auditing, is essential for anyone auditing an ISMS, as it explains how to audit the ISMS in actual operation.
PD ISO/IEC TR 27008, Guidelines for auditors on information security controls, is a technical report for ISMS auditors that explains how to audit the implementation of security controls.
BS ISO/IEC 27014, Governance of information security, explains how organizations can evaluate, direct and monitor the management of information security.
PD ISO/IEC TR 27016, Organizational economics, is a technical report explaining how management should make economic decisions concerning information security management.
As well as these generic standards, there are sector-specific ISMS standards for a range of specialist areas and applications:
BS ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications, contains advice on how to apply BS ISO/IEC 27001 when sharing information between organizations.
BS ISO/IEC 27011, Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations, contains additional security controls and guidance for use by organizations providing telecommunications services.
BS ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, explains how to build an integrated management system covering both information security and service management.
BS ISO/IEC TR 27015, Information security management guidelines for financial services, is a technical report containing additional security controls and guidance for use by organizations providing financial services.
BS ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, contains additional privacy controls and guidance for use by organizations providing public cloud services.
PD ISO/IEC TR 27019, Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry, is a technical report containing additional security controls and guidance for use by energy utilities and related organizations.