
ISO 27001

An international standard specifying requirements for an information security management system (ISMS). The foundation for organisational security certification.

What is ISO 27001?

ISO/IEC 27001 is an international standard published by ISO (International Organization for Standardization) and IEC, specifying requirements for an information security management system (ISMS). The standard defines how an organisation should identify, assess and manage risks related to information security.

ISO 27001 is based on the PDCA (Plan-Do-Check-Act) cycle: the organisation identifies information assets and threats (Plan), implements controls (Do), monitors their effectiveness (Check) and improves the system based on results (Act). Annex A of the standard contains a catalogue of 93 controls grouped into four categories: organisational, people, physical and technological.

An organisation can implement an ISMS aligned with ISO 27001 for its own purposes or undergo certification by an accredited certification body. The ISO 27001 certificate is widely recognised and increasingly required by business partners, particularly in regulated sectors.

Why does it matter?

ISO 27001 provides a systematic framework for managing information security that goes beyond technical controls alone. It covers organisational aspects (policies, roles, responsibilities), people (training, awareness) and processes (change management, incident management, business continuity).

Implementing ISO 27001 facilitates compliance with regulatory requirements: NIS2, for example, requires risk management measures that largely overlap with the standard's requirements. An ISO 27001 certificate can serve as evidence of an organisation's maturity in information security.
