ISO 27001:2013 Information Security Management System


What is an Information Security Management System?

An ISO 27001 Information Security Management System (ISMS) is the documented set of policies, processes, roles and controls through which an organization identifies, treats and continually monitors its information security risks.

ISO/IEC 27001 requires that management:

  • Systematically assess the organization's information security risks, taking into account threats, vulnerabilities and impacts.
  • Design and implement a consistent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks the organization has deemed unacceptable.
  • Adopt a comprehensive management process to ensure that the information security controls continue to meet the organization's information security needs over time.

Which controls are tested as part of certification to ISO/IEC 27001 is decided by the certification auditor. This can include any control that the organization has declared to be within the scope of the ISMS, and the testing can go to whatever depth or extent the auditor judges necessary to confirm that the control has been implemented and is operating effectively.

Management determines the scope of the ISMS for documentation purposes and may limit it to, for example, a single business unit, service or location. ISO/IEC 27001 certification therefore says nothing about the information security management of the parts of the organization outside that scope; anyone relying on a supplier's certificate should read the scope statement printed on the certificate and confirm that the systems and locations they depend on are actually covered.

What are the Benefits of an ISO 27001 Information Security Management System?