You are on page 1of 10

ISO IEC 27001 is an information security management standard.

It takes a very
broad approach. In the context of this standard, the term information includes
data, documents, messages, communications, conversations, transmissions,
recordings, drawings, and photographs. It includes all forms of information.
This page presents an overview of ISO IEC 27001 2013. It does not provide detail.
We start with section 4 because the standard's security requirements start there.
4. Contextual Requirements
4.1. Understand your organization and its particular context.
Identify and understand your organization's context before you
establish its information security management system (ISMS).
Identify the internal issues that are relevant to your organization's
purpose and consider the influence these issues could have on
its ability to achieve the outcomes that its ISMS intends to achieve.
Determine the influence your internal stakeholders could have.
Determine the influence your approach to governance could have.
Determine the influence your organization's capabilities could have.
Determine the influence your organization's culture could have.
Determine the influence your organization's contracts could have.
Identify the external issues that are relevant to your organization's
purpose and consider the influence these issues could have on
its ability to achieve the outcomes that its ISMS intends to achieve.
Determine the influence environmental conditions could have.
Determine the influence key trends and drivers could have.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
1 of 10 18/05/14 2:11 pm
Determine the influence external stakeholders could have.
4.2. Define the needs and expectations of your interested parties.
Identify all of the parties that have an interest in your organization's ISMS.
Identify their requirements including their needs and expectations.
4.3. Figure out what your ISMS should apply to and clarify its scope.
Consider what your organization's ISMS should apply to and what its
boundaries should be when you think about what its scope ought to be.
Think about how internal and external issues could influence
your information security management system`s ability to
achieve intended outcomes.
Think about how your organization`s stakeholders
could influence your information security management
system`s ability to achieve intended outcomes.
Think about how your organization`s activities, interfaces, and
interdependencies could influence your information security
management system`s ability to achieve intended outcomes.
Clarify the scope of your organization's ISMS.
Make sure that your ISMS statement of scope
is documented and available when it is needed.
4.4. Develop an ISMS that complies with this international standard.
Establish an ISMS in accordance with the ISO IEC 27001 2013 standard.
5. Leadership Requirements
5.1. Provide leadership and show that you support your ISMS.
Demonstrate a commitment to your ISMS.
Ensure that ISMS policies are established.
Ensure that ISMS objectives are established.
Ensure that ISMS achieves its intended outcomes.
Ensure that ISMS requirements become an
integral part of your organization's processes.
Ensure that necessary ISMS resources
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
2 of 10 18/05/14 2:11 pm
are available when they are needed.
Communicate a commitment to your ISMS.
Make sure that people understand how
important information security actually is.
Encourage managers to demonstrate their leadership and
commitment to information security within their own areas.
5.2. Establish an appropriate information security policy.
Establish an information security policy for your organization.
Make sure that your information security policy is
appropriate and supports your organization's purpose.
Make sure that your information security policy either includes
security objectives or can be used to establish these objectives.
Make sure that your information security policy makes a commitment
to comply with all relevant information security requirements.
5.3. Assign responsibility and authority for your ISMS.
Allocate responsibility and authority for carrying out information
security roles to the appropriate people within your organization.
Communicate all relevant information security
management roles, responsibilities, and authorities.
6. Planning Requirements
6.1. Specify actions to manage risks and address opportunities.
6.1.1. Consider risks and opportunities when your plan your ISMS.
Identify the risks and opportunities that could influence the
effectiveness of your organization's ISMS or disrupt its operation.
Consider how your internal and external issues could affect
how well your ISMS is able to achieve intended outcomes.
Consider how your legal and regulatory requirements could affect
how well your ISMS is able to achieve its intended outcomes.
Figure out what you need to do to address the risks and
opportunities that could influence the effectiveness of
your organization's ISMS or disrupt its operation.
6.1.2. Establish an information security risk assessment process.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
3 of 10 18/05/14 2:11 pm
Define an information security risk assessment process.
Figure out how youre going to perform risk assessments.
Figure out how youre going to identify risk owners.
Figure out how youre going to ensure that your risk
assessments produce consistent and valid results.
Assess your organizations information security risks.
Identify your organizations information security risks.
Analyze your organizations information security risks.
Evaluate your organizations information security risks.
Prioritize your organizations information security risks.
Document your information security risk assessment process.
6.1.3. Develop an information security risk treatment process.
Define an information security risk treatment process.
Figure out how youre going to select appropriate
information security risk treatment options.
Figure out how youre going to select the controls that
will be needed to implement your risk treatment options.
Figure out how youre going to formulate
an information security risk treatment plan.
Apply your information security risk treatment process.
Document your information security risk treatment process.
6.2. Set security objectives and develop plans to achieve them.
Establish your organization's information security objectives.
Establish plans to achieve information security objectives.
Specify what must be done to achieve your objectives.
Specify who will be responsible for achieving objectives.
7. Support Requirements
7.1. Support your ISMS by providing the necessary resources.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
4 of 10 18/05/14 2:11 pm
Identify and provide the resources that your ISMS needs.
7.2. Support your ISMS by making sure that people are competent.
Identify the competence requirements of those under your organization's
control who have an impact on its information security performance.
Acquire the necessary competence whenever current personnel fail to
meet your organization's information security competence requirements.
Evaluate the effectiveness of any actions taken to acquire the
information security competence your organization needs to have.
7.3. Support your ISMS by making people aware of their responsibilities.
Make sure that the people who work for your organization
understand and are aware of its information security policy.
Make sure that the people who work for your organization understand
how they can support and help enhance the effectiveness of your ISMS.
7.4. Support your ISMS by identifying your communication needs.
Identify your organization's internal ISMS communication needs.
Identify your organization's external ISMS communication needs.
7.5. Support your ISMS by managing all relevant information.
7.5.1. Include the information and documents that your ISMS needs.
Figure out how extensive your ISMS documentation needs to be.
Identify all the documents and records that your ISMS needs.
7.5.2. Manage the creation and modification of your ISMS documents.
Manage the creation and modification of your organization's
ISMS documents and records (documented information).
Make sure that your ISMS documents and
records are properly identified and described.
Make sure that your ISMS documents and
records are properly formatted and presented.
Make sure that your ISMS documents and
records are properly reviewed and approved.
7.5.3. Control your organization's ISMS information and documents.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
5 of 10 18/05/14 2:11 pm
Control all of the information security documents and records
(documented information) that your organization needs.
Control all documents and records that your ISMS needs in order to
preserve the confidentiality, integrity, and availability of information.
Control all the documents and records required by this standard.
Control how ISMS documents and records are controlled.
Control how ISMS documents and records are created.
Control how ISMS documents and records are identified.
Control how ISMS documents and records are distributed.
Control how ISMS documents and records are stored.
Control how ISMS documents and records are retrieved.
Control how ISMS documents and records are accessed.
Control how ISMS documents and records are used.
Control how ISMS documents and records are protected.
Control how ISMS documents and records are changed.
Control how ISMS documents and records are preserved.
8. Operational Requirements
8.1. Carry out operational planning and control your processes.
Establish the processes that your organization needs in order to meet
its information security requirements and implement the actions needed
to address its information security risks and opportunities.
Plan the development of your ISMS processes.
Develop your organization's ISMS processes.
Implement your organization's ISMS processes.
Control internal and outsourced ISMS processes.
Maintain your organization's ISMS processes.
Implement plans to achieve your organizations information
security objectives (these plans were developed in part 6.2).
8.2. Conduct regular information security risk assessments.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
6 of 10 18/05/14 2:11 pm
Perform regular information security risk assessments.
Prioritize your risks whenever risk assessments are done.
Maintain a record of your of risk assessment results.
8.3. Implement your information security risk treatment plan.
Implement your information security risk treatment plan.
Maintain a record of your risk treatment results.
9. Evaluation Requirements
9.1. Monitor, measure, analyze, and evaluate your information security.
Figure out how youre going to assess the performance of your
information security and determine the effectiveness of your ISMS.
Figure out how youre going to monitor the performance of your
organization`s information security and the effectiveness of its ISMS.
Figure out how youre going to measure the performance of your
organization`s information security and the effectiveness of its ISMS.
Figure out how youre going to analyze the performance of your
organization`s information security and the effectiveness of its ISMS.
Figure out how youre going to evaluate the performance of your
organization`s information security and the effectiveness of its ISMS.
Assess the performance of your information security
and determine the effectiveness of your ISMS.
9.2. Set up an internal audit program and use it to evaluate your ISMS.
Plan the development of an internal ISMS audit program.
Make sure that your audit program is capable of determining
whether or not your ISMS conforms to requirements.
Make sure that your audit program is capable of determining
whether or not your ISMS has been implemented effectively.
Establish your internal ISMS audit program.
Establish your internal audit methods.
Establish internal audit responsibilities.
Establish internal audit planning requirements.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
7 of 10 18/05/14 2:11 pm
Establish internal audit schedules and routines.
Establish internal audit reporting requirements.
Implement your internal ISMS audit program.
Maintain your internal ISMS audit program.
9.3. Review performance of your ISMS at planned intervals.
Establish a management review process.
Plan your organizations ISMS review process.
Review the performance of your ISMS.
Generate management review outputs.
Retain a record of management review results.
10. Improvement Requirements
10.1. Identify nonconformities and take corrective actions.
Identify nonconformities when they occur.
React to your organization's nonconformities.
Evaluate the need to eliminate or control causes.
Implement corrective actions to address causes.
Review the effectiveness of your corrective actions.
Change your organizations ISMS whenever necessary.
10.2. Enhance the overall performance of your ISMS.
Improve the suitability, adequacy, and effectiveness of your ISMS.

ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
8 of 10 18/05/14 2:11 pm
This web page summarizes the ISO IEC 27001 2013 standard.
It highlights the main points. It does not present detail. To get the
complete Plain English standard, please consider purchasing
Title 35: ISO IEC 27001 2013 Translated into Plain English.
Our Plain English ISO IEC 27001 standard is 94 pages long.
It includes all information security requirements,
definitions, control objectives, and controls.
Our Title 35 is detailed, accurate, and complete. It uses language
that is clear, precise, and easy to understand. We guarantee it!
Title 35 TOC Sample PDF Place Order See Prices Our License
MORE ISO 27001 PAGES
Introduction to ISO IEC 27001 2013
Plain English Outline of ISO IEC 27001 2013
Plain English Overview of ISO IEC 27001 2013
ISO IEC 27000 2014 Definitions in Plain English
ISO IEC 27001 2005 versus ISO IEC 27001 2013
Plain English Information Security Checklist
Introduction to ISO IEC 27001 2013 Annex A
Information Security Gap Analysis Tool
ISO IEC 27002 2013 PAGES
ISO IEC 27002 2013 Introduction
Overview of ISO IEC 27002 2013 Standard
Information Security Control Objectives
How to Use ISO IEC 27002 2013 Standard
ISO IEC 27002 2013 versus ISO IEC 27002 2005
ISO IEC 27002 2013 Translated into Plain English
ISO IEC 27002 2013 Information Security Audit Tool
Plain English ISO IEC 27002 2013 Security Checklist
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
9 of 10 18/05/14 2:11 pm
RELATED PLAIN ENGLISH STANDARDS
ISO 22301 2012 Business Continuity Standard in Plain English
ISO 31000 Risk Management Standard Translated into Plain English
ISO 28000 Supply Chain Security Standard Translated into Plain English
Updated on May 9, 2014. First published on November 12, 2013.
Home Page Our Libraries A to Z Index Our Customers
How to Order Our Products Our Prices Our Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514
Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.
Copyright 2013 - 2014 by Praxiom Research Group Limited. All Rights Reserved.
ISO IEC 27001 2013 Translated into Plain English http://www.praxiom.com/iso-27001.htm
10 of 10 18/05/14 2:11 pm