UnixTime

Research Note

ISO 27001 Knowledge Base

ISO/IEC 27001 is the requirements standard. It defines the management-system requirements, the risk-based control selection requirement, and Annex A as the control reference set...

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This is the ISO/IEC 27001 section of the vault. It answers:

What is required for the ISMS?

ISO/IEC 27001 is the requirements standard. It defines the management-system requirements, the risk-based control selection requirement, and Annex A as the control reference set. It is the certifiable standard in this knowledge base.

Core relationship

Standard Role in the KB
ISO 27001 Knowledge Base MOC Requirements and certification logic
ISO 27002 Knowledge Base MOC Annex A control interpretation and implementation guidance
ISO 27005 Knowledge Base MOC Information security risk-management logic
ISO 27001 Implementer Guide MOC How to build the ISMS
ISO 27001 Auditor Guide MOC How to verify the ISMS

ISO 27001 source notes

Annex A controls

Implementation and audit views

Exam cues

  • Clauses 4-10 are mandatory management-system requirements.
  • Annex A controls are selected based on risk assessment, risk treatment, and the Statement of Applicability.
  • ISO/IEC 27002 explains control guidance; it is not the certifiable requirements standard.
  • ISO/IEC 27005 supports risk management; it does not replace ISO/IEC 27001 requirements.

Research basis

ISO describes ISO/IEC 27001 as the standard for information security management systems and notes that it helps organizations manage information security risks through people, policies, and technology.

External references