ISO 27001 Training Module 3 - Cl1 To Cl6 in Detail
Module 3
Cl1 to Cl6 in Detail
ISO 27001 Contents
■ ISO 27001:2013 is divided into ten clauses, an Annex and a Bibliography. This module
covers clauses 1 – 6:
1. Scope
2. Normative References
3. Terms and Definitions
4. Context of the organisation
5. Leadership
6. Planning
■ Note that throughout this material we refer to “the ISO 27001:2013 standard” simply as “27001”.
General
■ 27001 provides the requirements for establishing, implementing, maintaining and
continually improving an Information Security Management System (ISMS).
■ The design and implementation of an ISMS needs to take into account an organisation’s size
and structure, processes, complexity, needs and objectives, and security requirements.
■ It is expected that all of these influencing factors will change over time.
■ The ISMS preserves the confidentiality, integrity and availability of information by applying a
risk management process and gives confidence to interested parties that risks are adequately
managed.
■ It is expected that an ISMS implementation will be scaled in accordance with the needs of the
organisation.
■ The order in which requirements are presented in the standard does not reflect their relative
importance.
Compatibility with other
management system standards
■ 27001 applies the high-level structure, identical sub-clause titles, identical text,
common terms, and core definitions defined in Annex SL of the ISO/IEC Directives,
Part 1, Consolidated ISO Supplement, and therefore maintains compatibility
with other management system standards, such as ISO 9001 and ISO 14001.
■ This common approach defined in Annex SL will be useful for those
organisations that choose to operate a single management system (often called
‘integrated management system’ or IMS) that meets the requirements of two or
more management system standards.
Clause 1: Scope
■ 27001 sets out generic requirements that can be implemented in organisations of all types
and sizes (commercial enterprises, government agencies, not-for-profit organisations),
irrespective of the nature of their activities.
■ 27001 specifies the requirements for establishing, implementing, maintaining and
continually improving an information security management system within the context of
the organisation.
■ 27001 also includes requirements for the assessment and treatment of information
security risks tailored to the needs of the organisation.
■ Organisations cannot claim conformity to 27001 if they exclude any of the requirements
set out in clauses 4 to 10 of the standard.
■ If an organisation already operates a management system (say, ISO 9001 or
ISO 14001), it is often preferable to satisfy the requirements of 27001 within that
existing management system.
Clause 2: Normative References
■ ISO uses the term “normative reference” for documents that ISO
considers indispensable for applying the standard.
■ ISO 27001:2013 references ISO 27000 Information technology - Security
techniques - Information security management systems - Overview and
vocabulary, which is termed “indispensable” for the application of ISO
27001:2013.
Clause 3: Terms and Definitions
■ For the purposes of ISO 27001:2013, the terms and definitions given in ISO 27000
apply.
■ Please refer to Module 2 of this training material for many of these terms and
definitions.
Clause 4: Context of the organisation
■ This clause of the standard has the following sub-clauses:
– 4.1 Understanding the organisation and its context
– 4.2 Understanding the needs and expectations of interested parties
– 4.3 Determining the scope of the ISMS
– 4.4 Information security management system
4.1 Understanding the organisation and its context
■ The internal and external issues determined under clause 4.1 can give rise to risks and
opportunities for the organisation or for the ISMS.
■ The organisation needs to determine which of those risks and opportunities need to be
addressed and managed.
■ The organisation is also required to monitor and review information about these
external and internal issues.
4.2 Understanding the needs and expectations of
interested parties
■ Because of their effect, or potential effect, on an organisation’s ability to achieve
information security, organisations are required to determine:
– the interested parties that are relevant to the information security management
system
– the requirements of those interested parties that are relevant to the information
security management system
■ Note that the requirements of interested parties may include legal and regulatory
requirements and contractual obligations.
■ Organisations must also monitor and review information about those interested
parties, and their relevant requirements.
4.3 Determining the scope of the ISMS
5.2 Policy
5.3 Organisational roles, responsibilities and authorities
■ Top management must ensure that the responsibilities and authorities for roles
relevant to information security are assigned and communicated, including: