This International Standard provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. The standard aligns directly with many other ISO international standards, including ISO 9001, 14000, AS9100 and 45001. If an organization is already certified to one of these standards and has incorporated its information technology processes into it, that organization can operate under a single management operating system.
The main focus of ISO 27001 is to preserve the confidentiality, integrity, and availability of information by applying a risk management process, which in turn gives interested parties confidence that risks are adequately controlled.
One of the main differentiators of this standard is that it provides specific details on which controls need to be put in place to mitigate risks. These controls are specified in the standard under Annex A, Table A.1 — Control objectives and controls. This matrix of controls should be incorporated into your information security management system.
The standard also overlaps with continuity planning. Information security planning just makes good business sense. A breakdown in information processes can directly impact your performance and ability to continue to service your customers.
It is important that the information security management system be integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls. Whether or not your organization decides to become certified to the standard, it is advisable to use the standard as a guideline when formulating your information security management processes.