DIN ISO/IEC 27001:2008 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2005); English version of DIN ISO/IEC 27001:2008-09
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.

NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.
DIN ISO/IEC 27001:2008 Referenced Document
ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management
2017: DIN EN ISO/IEC 27001:2017 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015); German version EN ISO/IEC 27001:2017
2015: DIN ISO/IEC 27001:2015 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 + Cor. 1:2014)
2008: DIN ISO/IEC 27001:2008 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2005); English version of DIN ISO/IEC 27001:2008-09