ISO/IEC 27001 Information Security
With its inestimable value, information and data are the core of modern organizations. The need for protection goes far beyond technical IT security. Correspondingly, "IT service management" processes run like lifelines through the entire company and enable high-quality IT services at reduced costs.
The entire field of information security is developing with extreme dynamism. Security incidents, from global virus attacks to image-damaging data breaches, have raised awareness of the need for controllable information security management systems (ISMS).
The international standard ISO/IEC 27001 "Information technology - Security techniques - Information security management systems - Requirements" specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system, taking into account the risks throughout the organization.
All types of organizations (e.g. commercial enterprises, government organizations, non-profit organizations) are considered.
- Highest protection of data and information
- Protection of intangible assets: analog and digital information
- Implementation of technical and organizational measures with effectiveness checks and optimization loops
- Introduction of an information security management system from a single source
- Systematic assessment and minimization of security gaps
This standard is suitable for organizations of any size and industry.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
This document also includes requirements for the assessment and handling of information security risks tailored to the needs of the organization.
Information about transfer to the version ISO/IEC 27001:2022
The new version of ISO/IEC 27001 was published in October 2022. The following requirements must be observed in this regard:
- The transfer shall be completed before October 2025, any
- ISO/IEC 27001:2013 certificate will be withdrawn by 31 October 2025.
- The transition from ISO/IEC 27001:2013 to the version 2022 can take place in the course of a re-certification audit.
- If the transition takes place in the course of a surveillance audit or a special audit, at least 8 additional hours must be scheduled for this purpose (depending on complexity of the organization/controls). If the transition takes place in the course of a recertification audit, there are 4 additional hours.
- The certificate ISO/IEC 27001:2022 will keep the original certification cycle.
With effect from 1 November 2023, initial certifications may only be carried out according to the new version ISO 27001:2022.
ISO/IEC 27001:2022 includes management system requirements specified in Clauses 4 to 10 and 93 information security controls in 4 Clauses (organizational controls, people controls, physical controls, technological controls) outlined in Annex A.
ISO 27001 is based on the ISO High Level Structure and can be combined efficiently with other standards such as ISO 9001 and ISO 14001 due to the same structure and format.
While ISO/IEC 27001 offers guidance on a broad range of information security controls that are commonly applied in many different organizations, other documents in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMS and the range of documents. ISO/IEC 27000 provides a glossary, defining most of the terms used throughout the ISO/IEC 27000 family of documents, and describes the scope and objectives for each member of the norm family.
There are sector-specific standards that include additional controls which aim at addressing specific areas (e.g. ISO/IEC 27017 for cloud services, ISO/IEC 27701 for privacy, ISO/IEC 27019 for energy, ISO/IEC 27011 for telecommunications organizations and ISO 27799 for health).