ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action.
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, a documented ISMS scope is one of the mandatory requirements for certification.
“Statement of Applicability” (SoA) , take the form of a matrix identifying various types of information risks on one axis, and risk treatment options on the other, showing how the risks are to be treated in the body, and perhaps who is accountable for them.