What are the requirements of ISO 27001:2013/17?
The core requirements of the standard are addressed in Section 4.1 through to 10.2 and the Annex A controls you may choose to implement, subject to your risk assessment and treatment work, are covered in A.5 through to A.18.
ISO 27001 requirements
-
4.1 Understanding the organisation and its context
-
4.2 Understanding the needs and expectations of interested parties
-
4.3 Determining the scope of the ISMS
-
4.4 Information security management system (ISMS)
-
5.1 Leadership and commitment
-
5.2 Information Security Policy
-
5.3 Organisational roles, responsibilities and authorities
-
6.1 Actions to address risks and opportunities
-
6.2 Information security objectives and planning to achieve them
-
7.1 Resources
-
7.2 Competence
-
7.3 Awareness
-
7.4 Communication
-
7.5 Documented information
-
8.1 Operational planning and control
-
8.2 Information security risk assessment
-
8.3 Information security risk treatment
-
9.1 Monitoring, measurement, analysis and evaluation
-
9.2 Internal audit
-
9.3 Management review
-
10.1 Nonconformity and corrective action
-
10.2 Continual improvement
ISO 27001 Annex A Controls
-
A.5 Information security policies
-
A.6 Organisation of information security
-
A.7 Human resource security
-
A.8 Asset management
-
A.9 Access control
-
A.10 Cryptography
-
A.11 Physical and environmental security
-
A.12 Operations security
-
A.13 Communications security
-
A.14 System acquisition, development, and maintenance
-
A.15 Supplier relationships
-
A.16 Information security incident management
-
A.17 Information security aspects of business continuity management
-
A.18 Compliance
About ISO 27001
All you need is our all-in-one, cloud-based solution
- Trusted by hundreds of companies around the world
- Get a 77% head start on your ISO 27001 ISMS from the minute you log on
- Our Assured Results Method will get you to ISO 27001 certification first time
- Maintain your certification with our simplified, secure, sustainable platform