Structure of the ISO/IEC 27001:2013 standard

ISO/IEC 27001:2013 has the following sections:

0  Introduction – the standard uses a process approach.

1  Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

2  Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.

3  Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4  Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS.  Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.

5  Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6  Planning – outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.

7  Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

8  Operation – a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).

9  Performance evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.

10  Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS

Annex A  Reference control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002.  The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.

Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information.  In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.