Overview
Direct Answer
ISO/IEC 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It provides a systematic, risk-based framework for identifying, assessing and treating information security risks across an organisation.
How It Works
The standard follows a Plan-Do-Check-Act cycle: the organisation defines the ISMS scope, establishes an information security policy, assesses its risks, decides how to treat them and selects controls, using Annex A as the reference set and recording which controls apply and why in a Statement of Applicability, then monitors effectiveness through internal audits and management review. Conformity is demonstrated through documented evidence of control implementation, risk treatment decisions and continual improvement activities aligned to the organisation's risk appetite.
Why It Matters
Certification signals credible security governance to clients, regulators and stakeholders, and is often a contractual precondition for government work or for handling sensitive data. Because many of its controls map onto requirements in other frameworks (GDPR, HIPAA, PCI DSS), evidence gathered for the ISMS can be reused, reducing the effort of overlapping audits; certification does not by itself satisfy those frameworks, however.
Common Applications
Financial institutions, healthcare organisations and software vendors pursue certification to meet contractual requirements and customer due-diligence expectations. Cloud service providers and managed security firms widely adopt it to differentiate their service offerings and demonstrate capability to enterprise clients.
Key Considerations
Certification does not guarantee the absence of breaches: it attests that a management system exists and is operating, not that every control is effective against a current threat. Organisations must sustain implementation and adapt controls as threats evolve. The standard is risk-based rather than prescriptive, so it requires significant interpretation effort and resource investment proportionate to the organisation's context and risk profile.