← Full glossary

ISO 27001

The international standard for information security management systems (ISMS). It requires an organisation to systematically identify its information security risks and manage them through policies, controls and continual improvement; the control catalogue is found in Annex A and elaborated in ISO 27002. Certification is performed by an accredited certification body and is voluntary, but increasingly demanded by customers and in tenders. For SMEs, full certification is often oversized, but the principles — risk assessment, access control, logging and incident response — are a good model for security work.