ISO/IEC 27001
International Standard
Information Security Management Systems
The world's best-known standard for ISMS. It defines how organisations establish, implement, maintain, and continually improve a framework for managing information security risks — recognised in 150+ countries with 70,000+ valid certificates.
ISO/IEC 27001:2022 | 93 Annex A Controls | 7 Mandatory Clauses | 70,000+ Certificates Worldwide
Core Principles — The CIA Triad
(C) Confidentiality
Only authorised individuals can access sensitive information and data assets.
(I) Integrity
Information remains accurate and unaltered by unauthorised parties.
(A) Availability
Information and systems are accessible to authorised users when needed.
Annex A — 93 Controls Across 4 Themes
Organisational
37 controls
Policies, risk management, supplier security, incident response, business continuity planning.
People
8 controls
HR security, awareness training, remote work policies, nondisclosure, and incident reporting.
Physical
14 controls
Building access, equipment maintenance, asset protection, and environmental threat controls.
Technological
34 controls
Access control, encryption, network security, data leakage prevention, web filtering, and SIEM.
Mandatory Clauses 4–10
- Clause 4, Context of the Organisation: Define internal/external issues, identify interested parties, and determine the scope of the ISMS.
- Clause 5, Leadership: Top management must show accountability for the ISMS, establish the security policy, and assign roles and responsibilities.
- Clause 6, Planning: Conduct risk assessments, select risk treatment options, and define measurable information security objectives.
- Clause 7, Support: Ensure resources, competence, awareness, communication, and version-controlled documented information.
- Clause 8, Operation: Implement risk treatment plans, maintain a current risk register, and manage day-to-day security operations.
- Clause 9, Performance Evaluation: Monitor, measure, conduct internal audits, and hold management reviews of ISMS effectiveness.
- Clause 10, Improvement: Address nonconformities with corrective actions and drive continual improvement of the ISMS.
Business Benefits
- Reduces vulnerability to cyber-attacks by proactively identifying and addressing weaknesses before they are exploited
- Protects financial statements, intellectual property, employee data, and information entrusted by third parties
- Builds customer trust and competitive advantage — recognised proof of security maturity in regulated markets
- Supports compliance with GDPR, DPDPA, and other data protection laws and regulatory frameworks
- Applicable to all sectors and sizes — from SMEs to global enterprises and government bodies
- Integrates with ISO 9001 and ISO 42001 for a unified, efficient management system approach
