ISO/IEC 27001 – Information security management system

In brief

The ISO 27001 standard encourages the adoption of a process approach to the implementation, operation, monitoring, re-examination, updating and improvement of a company’s information security management system. Annex A of the standard is ISO/IEC 27002.

The company must identify and manage a number of activities to ensure it is operating efficiently. Any activity that uses resources to transform input elements into output elements may be considered a process.

“The process approach” is the name given to the application of a process system within a company, as well as the identification, interactions and management of these processes.

The process approach for an information security management system, as given in the standard, highlights the importance of:

  1. understanding the requirements relating to the security of the company’s information and the necessity of introducing a security policy and objectives;
  2. implementing and using security-related risk management measures in the context of the global risks related to the organisation’s activity;
  3. monitoring and re-examining the ISMS’s performance;
  4. continuously upgrading the system based on objective measurements.