How does ISO 27001 work?

ISO 27001 works by setting out controls that must be in place to meet certification requirements. These controls emphasise identifying potential information security risks, establishing a framework for implementing and managing controls, and ensuring compliance with applicable laws and regulations.

So how does it work in practice? ISO 27001 focuses on safeguarding the confidentiality, integrity, and availability of enterprise information. This involves recognising potential information-related problems (risk assessment) and taking measures to prevent them (risk treatment and mitigation).

The 2013 revision of ISO 27001 comprises 11 clauses, with an annex (Annex A) listing specific controls. The first three clauses are optional, while the rest are mandatory for compliance.

Annex A currently lists 114 controls in 14 groups and 35 control categories:

  • A.5: Information security policies (2 controls)
  • A.6: Organization of information security (7 controls)
  • A.7: Human resource security applied before, during, or after employment (6 controls)
  • A.8: Asset management (10 controls)
  • A.9: Access control (14 controls)
  • A.10: Cryptography (2 controls)
  • A.11: Physical and environmental security (15 controls)
  • A.12: Operations security (14 controls)
  • A.13: Communications security (7 controls)
  • A.14: System acquisition, development, and maintenance (13 controls)
  • A.15: Supplier relationships (5 controls)
  • A.16: Information security incident management (7 controls)
  • A.17: Information security aspects of business continuity management (4 controls)
  • A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
