
Just to let you know, we are no longer updating this section.
This is retained as a resource but nothing new has been added since late 2009. No further additions will be made by the DCC.

ISO/IEC 27001: Information Security Requirements

Date added 11 August 2009
Last edited 4 November 2009

Full Title

ISO/IEC 27001: Information Technology - Security Techniques - Information Security Management Systems - Requirements


ISO/IEC 27001 sets out the requirements for establishing, operating, documenting and continually improving an Information Security Management System (ISMS) using a risk management approach. Implementers are required to identify, analyse and evaluate information security risks and to reduce them to an acceptable level. Controls for treating those risks are selected from the more than 130 controls listed in the standard's Annex A, which are drawn from the code of practice in ISO/IEC 27002. These cover a range of areas in which information security could be compromised, with emphasis on adequate policies and procedures and on documented processes. The standard requires that a compliant ISMS demonstrate management commitment through the provision of resources, competent staff and training; undergo internal audit and management review; and continually improve its effectiveness.

Standards Developing Organisations



No information

Lifecycle Actions

Access, Use and Reuse

Standard Framework

Digital Archive Standards

Standard Type

Security Standards

Current Version

Further Information

Alternative Current Versions


Previous Version

Referenced Standards

ISO/IEC 27002:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management