The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.
Founded on 23 February 1947, the organization develops and publishes worldwide technical, industrial and commercial standards.
ISO/IEC 27000 is part of a growing family of ISO/IEC information security standards, also called the ISO/IEC 27000 series. ISO/IEC 27000 is an international standard entitled: Information technology — Security techniques — Information security management systems — Overview and vocabulary.
There are about 60 different controls in the ISO 27000 family.
For this presentation, we will focus on ISO 27001 and ISO 27002.
An information security management system (ISMS) is a framework of policies and controls that manages information security and its risks systematically across your entire enterprise. These security controls can follow common security standards or be more focused on your industry.
An Information Security Management System in accordance with ISO 27001:2013 provides your organization with a set of processes that ensure a common-sense approach to managing the organization: you stay in control of your processes by understanding and managing your risks through the policies, processes, procedures, risk assessments and forms used by the workforce.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment(s).