Phone: +965 5656920/30 Fax: 5656591
mail@sims-consulting.net 
INFORMATION TECHNOLOGY

  • ISO 27001 Information Security Management System

  • Introduction to ISO IEC 27001

    ISO IEC 27001 is an information security management standard. It defines a set of information security management requirements. These requirements are defined in sections 4, 5, 6, 7, and 8.

    The purpose of ISO IEC 27001 is to help organizations establish and maintain an information security management system (ISMS). ISO IEC 27001 applies to all types of organizations. It doesn’t matter what your organization does or what size it is. ISO IEC 27001 can help your organization meet its information security management needs and requirements.

    ISO IEC 27001 is designed to be used for certification purposes. In other words, once you’ve established an ISMS that meets both the ISO IEC 27001 requirements and your organization’s needs, you can ask a registrar to audit your system. If your registrar likes what it sees, it will issue an official certificate that states that your ISMS meets the ISO IEC 27001 requirements. According to ISO IEC 27001, you must meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if you wish to claim that your ISMS complies with the standard.

    However, while you must meet every requirement, the size and complexity of information security management systems vary quite a bit. How you meet each of the ISO 27001 requirements, and to what extent, depends on many factors, including your organization’s:

    • Size and structure
    • Needs and objectives
    • Security requirements
    • Business processes

    ISO IEC 27001 also lists a set of control objectives and controls. These are listed in Annex A (our Part 9) and come from the ISO IEC 17799 2005 information security standard.

    In addition to control objectives and controls, ISO 17799 also provides implementation guidance and other information. These last two items are not included in ISO 27001. As a result, you may find it helpful to also purchase the ISO IEC 17799 2005 standard.

    While ISO IEC 27001 expects you to meet every requirement, it does allow you to exclude selected Annex A control objectives and controls (see our Part 9) if you can justify doing so. Briefly put, you may exclude or ignore Annex A control objectives and controls whenever they address risks you can live with, and whenever doing so will not impair your ability and obligation to meet all relevant legal and security requirements.

    More precisely, you may ignore or exclude selected control objectives and controls under the following circumstances:

    • You may exclude selected control objectives and controls if they address security risks that you can accept and if you can show that your decision to accept these risks complies with your organization’s official risk acceptance criteria.
      - You must also be able to justify your exclusion decision.
      - You must also be able to show that accountable persons have accepted the associated risks.

    • You may exclude selected control objectives and controls if you have used a risk assessment to identify your organization’s information security requirements and you believe that these requirements will, nevertheless, be met.
      - You may exclude selected control objectives and controls whenever this does not impair your ability and responsibility to meet your organization’s information security requirements.

    • You may exclude selected control objectives and controls if you can show that all applicable legal and regulatory requirements will, nevertheless, be met.
      - You may exclude selected control objectives and controls whenever this does not impair your ability and responsibility to meet all applicable legal and statutory requirements.