What is the ISO/IEC 27001:2013 standard?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish the ISO/IEC 27001:2013 standard. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), so that an organization can manage the security of its assets, which can be anything from information to people, buildings and even reputation. The standard is intended for any organization regardless of its size, sector or industry, and is the most widely adopted international standard for information security management.

Download the ISO/IEC 27001:2013 certificate.


What are the requirements?

The standard is organized into ten clauses. Clauses 1 to 3 are introductory; clauses 4 to 10 contain the requirements an organization must meet to be certified, each covering a specific aspect of running an ISMS.

1. Scope

Clause 1 states what the standard covers: the requirements for establishing, implementing, maintaining and continually improving an ISMS, together with the requirements for assessing and treating information security risks tailored to the organization.

2. Normative References

Clause 2 lists the documents that are indispensable for applying the standard. For ISO/IEC 27001:2013 this is ISO/IEC 27000, which provides the overview of the ISMS family of standards and the vocabulary they share. The commonly cited ISO/IEC 27002:2013, which gives implementation guidance for the controls listed in Annex A of ISO/IEC 27001:2013, is guidance rather than a normative reference.

3. Terms and Definitions

Clause 3 states that the terms and definitions given in ISO/IEC 27000 apply throughout the document.

4. Context of the Organization

Clause 4 requires the organization to understand the context in which it operates: the internal and external factors that influence it, and the needs and expectations of interested parties. Internal factors include culture, human resources and assets; external factors include the market, suppliers, customers, and legal and regulatory obligations. This understanding is what allows the organization to define the scope of its ISMS and to identify the information security risks it faces.

5. Leadership

Leadership is a key requirement of the standard. Clause 5 requires top management to demonstrate commitment to the information security management system (ISMS): establishing an information security policy, making sure the ISMS requirements are integrated into the organization's processes, providing the necessary resources, and assigning and communicating roles and responsibilities for information security.

6. Planning

Clause 6 requires the organization to plan its ISMS. This includes defining a repeatable information security risk assessment process, identifying and assessing the risks, deciding how each risk will be treated (including the selection of controls and the production of a Statement of Applicability), and setting measurable information security objectives.

7. Support

Clause 7 requires the organization to provide the resources the ISMS needs. These include competent people, awareness of the information security policy among staff, internal and external communication, and the documented information the standard and the organization require.

8. Operation

Clause 8 covers running the ISMS: planning and controlling the processes needed to meet the information security requirements, performing risk assessments at planned intervals and when significant changes occur, and implementing the risk treatment plan drawn up in the planning phase, retaining documented evidence of the results.

9. Performance Evaluation

Clause 9 requires the organization to monitor, measure, analyze and evaluate the performance and effectiveness of the ISMS, to carry out internal audits at planned intervals, and to have top management review the ISMS at planned intervals.

10. Improvement

Clause 10 requires the organization to react to nonconformities with corrective action that addresses their causes, and to continually improve the suitability, adequacy and effectiveness of the ISMS.

Download additional compliance reports from the Exoscale compliance center.


Contact our Compliance Team

Have a question? Unsure whether we comply with a specific regulation not listed here?

Contact our Compliance Team and let us know your requirements. They may be covered by other certifications or regulations we comply with.