ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of an organization.
The standard defines a formal management system framework for:
- Identifying information security risks
- Selecting and applying risk treatment measures
- Assigning roles, responsibilities, and governance for information security
- Documenting policies, procedures, and controls
- Monitoring, reviewing, and improving security controls over time
Organizations can implement ISO/IEC 27001 as an internal reference framework or may undergo an independent audit to be certified as conforming to the standard.