ISO/IEC 27001
ISO/IEC 27001
Information Security Management System (ISMS)
1. Overview: The International Standard for an Information Security Management System, ISO/IEC 27001
flowchart LR
A["Technology-centric security measures"] -- "Transition to systematic,<br/>risk-management-based governance" --> B["ISO/IEC 27001 (ISMS)"]
Definition: An international standard specifying requirements for the Information Security Management System (ISMS) that an organization establishes and operates to protect the confidentiality, integrity, and availability of its information assets.
Characteristics: (PDCA improvement) Continuously improves the information security management system through the Plan-Do-Check-Act cycle. (Risk-based) Adopts a risk-management-centered approach, establishing risk assessment and treatment plans per organizational asset. (Annex A controls) Systematically presents technical, operational, and physical security requirements through 93 controls in Annex A.
2. ISO/IEC 27001:2022 Structure and Controls
A. The PDCA-Based Management System Operating Model
flowchart TD
P["PLAN<br/>Establish policy, set scope<br/>Risk assessment, draft SoA"]
D["DO<br/>Implement and operate<br/>security measures, training"]
C["CHECK<br/>Internal audit, monitoring<br/>Management review"]
A["ACT<br/>Correct nonconformities<br/>Continual quality improvement"]
P --> D --> C --> A --> P
style P fill:#E3F2FD,stroke:#1976D2
style C fill:#FFF3E0,stroke:#F57C00
| Stage | Key Activities | Key Outputs |
|---|---|---|
| Plan | Define information security policy, identify and assess risk | Risk management plan, Statement of Applicability (SoA) |
| Do | Implement the risk treatment plan, apply security controls | Security logs, training completion records |
| Check | Measure effectiveness, perform internal audits | Audit reports, performance metrics |
| Act | Correct identified issues and take preventive action | Corrective action reports |
B. Annex A Controls (2022 Revision)
graph TD
Root((ISO 27001:2022<br/>4 control domains))
Root --> Org["Organizational controls"]
Org --> OrgDet["37 controls — policy, roles & responsibilities, asset management, etc."]
Root --> People["People controls"]
People --> PeopleDet["8 controls — pre-, during-, and post-employment security, etc."]
Root --> Phys["Physical controls"]
Phys --> PhysDet["14 controls — access control, facility security, etc."]
Root --> Tech["Technological controls"]
Tech --> TechDet["34 controls — authentication, encryption, networking, etc."]
| Key Change (v2022) | Details | Notes |
|---|---|---|
| Control consolidation/restructuring | Consolidated from the previous 114 controls to 93 controls | Improves readability and efficiency |
| New controls introduced | Cloud security, threat intelligence, data leakage prevention, etc. | Reflects the modern IT environment |
| Attributes | Hashtag-style attributes assigned to each control | Eases mapping to other standards such as NIST CSF |
3. Expected Benefits and Practical Application of ISO/IEC 27001 Certification
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Global business | Builds external credibility and competitiveness | Meets a requirement for global partnerships and overseas contracts |
| Systematic risk management | Prevents data leaks and security incidents | Efficient security investment through asset-centric risk assessment |
| Compliance | Meets domestic and international legal requirements | Serves as a foundation for compliance with GDPR, ISMS-P, and other security regulations |
| Continual improvement | Raises security maturity across the board | Establishes a genuine security culture through internal audits and management review |