The ISO 27001 standard requires organizations to assess the risks to their information assets and select appropriate security controls to mitigate those risks. The standard also provides a list of security controls for organizations to use. ISO 27002 provides guidelines on how to implement the security controls listed in ISO 27001:2013. ISO 27001:2013 allows organizations to integrate requirements from multiple regulations (e.g. SOX, HIPAA) into a single Information Security Management System (ISMS) and manage it as one system, rather than managing several systems in isolation. ISO 27001 can act as a base for some regulations and frameworks, such as the General Data Protection Regulation and the NIST 800 series.
ISO 27001:2013 is applicable to all types of businesses regardless of size, complexity and geographic location. This is especially important for businesses that handle confidential information, including banking and financial firms, healthcare organizations and IT services companies.
Why ISO/IEC 27001?
- Assures compliance with a range of regulatory requirements such as HIPAA, FISMA and GLBA
- Establishes the general controls required for SOX and SSAE 16 audits
- Globally recognized as a standard for ISMS
- Applicable to all organizations regardless of size, type or nature
- Continual assessment helps to keep security controls effective
- Increased customer confidence
- Ability to quickly detect and isolate any security breach