ISO/IEC 27001 is an international standard titled:

“Information technology — Security techniques — Information security management systems — Requirements”

It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

ISO 27001’s requirements and controls are largely aimed at preserving the confidentiality of sensitive data.

Quality Attributes Required or Emphasized

The standard is centered around information security and risk management. The primary quality attributes are:

Attribute: Relevance in ISO/IEC 27001

  • Security: Holistic protection of information assets via risk management. Encompasses policies, controls, and continuous monitoring within the ISMS.
  • Confidentiality: Ensuring that information is accessible only to authorized individuals or systems.
  • Integrity: Maintaining the accuracy and completeness of information and preventing unauthorized modification.
  • Availability: Ensuring that authorized users have timely and reliable access to information when needed.
  • Authenticity: Defined in the ISO vocabulary as the property that an entity is what it claims to be. This means mechanisms are in place to verify that users, systems, or data are genuine (e.g. digital signatures to confirm a message’s origin). By ensuring authenticity, ISO 27001 helps prevent impersonation and unauthorized entity access.
  • Non-repudiation: The ability to prove the occurrence of a claimed event or action and its originating entities. In practice, it means a party cannot deny (repudiate) the authenticity of their signature on a document or a sent message.
  • Compliance: A key driver for implementing the standard is to ensure that legal, statutory, regulatory, and contractual requirements are met.
  • Reliability: Addressed through requirements for business continuity, system and network security, and operational procedures.

Note: ISO/IEC 27001 provides a framework for managing information security risks. The specific controls are listed in Annex A and are further detailed in ISO/IEC 27002.

References

  • ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.
  • ISO/IEC 27002 provides guidelines for the implementation of the controls listed in ISO 27001 Annex A.
  • ISO/IEC 27004 provides guidelines for the measurement of information security — it fits well with ISO 27001, as it explains how to determine if the ISMS has achieved its objectives.
  • ISO/IEC 27005 provides guidelines for information security risk management. It supplements ISO 27001, because it gives details on how to perform risk assessment and risk treatment, likely the most difficult stage in the implementation.
  • ISO/IEC 27017 provides guidelines for information security in cloud environments. It is based on ISO/IEC 27002 for cloud services.
  • ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments.
  • ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for information and communication technologies (ICT).