ISO/IEC 27001, a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
ISO/IEC 27001 requires that management:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.