Skip to content

ISO/IEC 27001

ISO/IEC 27001

Information Security Management System (ISMS)

1. Overview: The International Standard for an Information Security Management System, ISO/IEC 27001

    flowchart LR
    A["Technology-centric security measures"] -- "Transition to systematic,<br/>risk-management-based governance" --> B["ISO/IEC 27001 (ISMS)"]
  

Definition: An international standard specifying requirements for the Information Security Management System (ISMS) that an organization establishes and operates to protect the confidentiality, integrity, and availability of its information assets.

Characteristics: (PDCA improvement) Continuously improves the information security management system through the Plan-Do-Check-Act cycle. (Risk-based) Adopts a risk-management-centered approach, establishing risk assessment and treatment plans per organizational asset. (Annex A controls) Systematically presents technical, operational, and physical security requirements through 93 controls in Annex A.


2. ISO/IEC 27001:2022 Structure and Controls

A. The PDCA-Based Management System Operating Model

    flowchart TD
    P["PLAN<br/>Establish policy, set scope<br/>Risk assessment, draft SoA"]
    D["DO<br/>Implement and operate<br/>security measures, training"]
    C["CHECK<br/>Internal audit, monitoring<br/>Management review"]
    A["ACT<br/>Correct nonconformities<br/>Continual quality improvement"]

    P --> D --> C --> A --> P

    style P fill:#E3F2FD,stroke:#1976D2
    style C fill:#FFF3E0,stroke:#F57C00
  
StageKey ActivitiesKey Outputs
PlanDefine information security policy, identify and assess riskRisk management plan, Statement of Applicability (SoA)
DoImplement the risk treatment plan, apply security controlsSecurity logs, training completion records
CheckMeasure effectiveness, perform internal auditsAudit reports, performance metrics
ActCorrect identified issues and take preventive actionCorrective action reports

B. Annex A Controls (2022 Revision)

    graph TD
    Root((ISO 27001:2022<br/>4 control domains))
    Root --> Org["Organizational controls"]
    Org --> OrgDet["37 controls — policy, roles & responsibilities, asset management, etc."]
    Root --> People["People controls"]
    People --> PeopleDet["8 controls — pre-, during-, and post-employment security, etc."]
    Root --> Phys["Physical controls"]
    Phys --> PhysDet["14 controls — access control, facility security, etc."]
    Root --> Tech["Technological controls"]
    Tech --> TechDet["34 controls — authentication, encryption, networking, etc."]
  
Key Change (v2022)DetailsNotes
Control consolidation/restructuringConsolidated from the previous 114 controls to 93 controlsImproves readability and efficiency
New controls introducedCloud security, threat intelligence, data leakage prevention, etc.Reflects the modern IT environment
AttributesHashtag-style attributes assigned to each controlEases mapping to other standards such as NIST CSF

3. Expected Benefits and Practical Application of ISO/IEC 27001 Certification

CategoryKey Expected BenefitApplication & Practical Use
Global businessBuilds external credibility and competitivenessMeets a requirement for global partnerships and overseas contracts
Systematic risk managementPrevents data leaks and security incidentsEfficient security investment through asset-centric risk assessment
ComplianceMeets domestic and international legal requirementsServes as a foundation for compliance with GDPR, ISMS-P, and other security regulations
Continual improvementRaises security maturity across the boardEstablishes a genuine security culture through internal audits and management review