ISO/IEC 27001:2013 (a joint standard of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)) is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system. The standard’s goal is to establish an Information Security Management System (ISMS) that provides a formal, risk-based approach to managing risks to the confidentiality, integrity, and availability of an organization’s information assets.
The standard consists of the ISMS requirements and the Annex A controls. The ISMS part of the standard defines the required components and activities of the security program’s management, and Annex A lists the security controls that must be selected and implemented based on a security risk assessment.
ISO 27001 is a certifiable standard, meaning companies can obtain a formal certification against it. A companion standard, ISO 27002:2013, provides guidance on implementing the ISO 27001 Annex A controls. Unlike ISO 27001, ISO 27002 is not a certifiable standard: it is an implementation guide based on best-practice recommendations that supports ISO 27001.
ISO 27001 certification is valid for three years. However, certified companies are required to conduct annual surveillance audits in order to maintain certification status.