ISO/IEC 27001:2013 and ISO/IEC 27002:2013
ISO/IEC 27001:2013 – Information technology: Security techniques: Information security management systems and requirements
ISO/IEC 27001:2013 “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation”.
ISO/IEC 27002:2013 – Information technology: Security techniques: Code of practice for information security controls
ISO/IEC 27002:2013 “gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation’s information security risk environment(s)”.
It is designed to be used by organisations intending to:
- Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001:2013;
- Implement commonly accepted information security controls;
- Develop their own information security management guidelines.
What are the benefits?
ISO/IEC 27001:2013 and ISO/IEC 27002:2013 offer an excellent framework for any organisation wanting to develop and enhance its network security, and they provide guidelines on how to secure sensitive data within a company. Some of the benefits companies have discovered are:
- A valuable framework for resolving security issues
- Enhanced client confidence in, and perception of, your organisation
- Enhanced business partner confidence in, and perception of, your organisation
- Confidence that you have managed risk in your own security implementation
- Enhanced security awareness within the organisation
- Support for the development of best practice
- A potential deciding factor between competing organisations