ISO/IEC 27001 is the international standard for information security management. Unlike PCI (which focuses on card data), ISO 27001 focuses on EVERYTHING: People, Processes, and Technology.

Annex A Controls

You must implement the controls listed in Annex A (updated in 2022).
- A.5.7 Threat Intelligence: Do you proactively look for threats?
- A.8.9 Configuration Management: Do you have a baseline secure configuration for laptops?
- A.6.3 Awareness Training: Do employees know not to pick up USB sticks in the parking lot?

1. The ISMS (Information Security Management System)

The core of ISO 27001 is the ISMS.
It is a continuous cycle of Plan, Do, Check, Act (PDCA).
You don't just "get secure" once. You must prove you are improving every year.

2. Getting Audited

An external auditor will visit your office.
They will ask random employees: "Where is your clean desk policy?"
If the employee has passwords on sticky notes, you receive a "non-conformity". Too many, and you fail certification.