The standard has a number of requirements which focus on specific aspects of information security.
The scope of the standard specifies what the standard is intended to cover.
2. Normative References
This section specifies what other standards are necessary to use the ISO/IEC 27001:2013 standard.
For example, the standard relies heavily on the ISO/IEC 27002:2013 standard which provides a set of security controls.
3. Terms and Definitions
The standard defines a set of terms that are used throughout the document.
4. Context of the Organization
This part of the standard specifies the importance of understanding the context of the organization.
The context of the organization refers to the internal and external factors that influence the organization.
These factors can be anything from internal factors such as culture, human resources, and assets, to external factors such as the market, suppliers, and customers.
Organizations need to understand the context in which they operate to be able to identify the risks that they face.
Leadership is a key requirement of the standard.
This part of the standard specifies that top management needs to show commitment to the information security management system (ISMS) and should be involved every step of the way.
This part of the standard specifies that organizations need to plan the implementation of the ISMS.
This includes identifying the risks to information security and ways to address them.
This part specifies that an organization needs to provide resources to support the ISMS.
These resources include human resources, training, and awareness.
This part of the standard specifies the importance of identifying, documenting, and implementing measures to address the risks identified in the planning phase.
9. Performance Evaluation
This part of the standard specifies the importance of monitoring, measuring, analyzing and evaluating the performance of the ISMS.
This part of the standard specifies that organizations should constantly look for ways to improve their ISMS.