ISO/IEC 27001:2005
Information technology - Security techniques - Information security management systems - Requirements

Standard No.: ISO/IEC 27001:2005
Release Date: 2005
Published By: International Organization for Standardization (ISO)
Status: 2013-10
Replaced By: ISO/IEC 27001:2013
Latest: ISO/IEC 27001:2022/Amd 1:2024
Scope
General

This standard applies to all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations). It specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) from the perspective of the organization's overall business risk. It specifies requirements for the implementation of security controls that are customized to suit the needs of different organizations or their departments. The design of an ISMS should ensure that appropriate security controls are selected to adequately protect information assets and give interested parties confidence.

Note 1: The term "business" in this standard should be broadly interpreted as the core activities related to the survival of an organization.

Note 2: GB/T 22081-2008 provides implementation guidance that can be used when designing control measures.

2 Application

The requirements specified in this standard are generic and applicable to organizations of all types, sizes and characteristics. When an organization claims compliance with this standard, the requirements of Chapter 4, Chapter 5, Chapter 6, Chapter 7 and Chapter 8 cannot be deleted. Any deletion of controls necessary to meet the risk acceptance criteria must be justified, and evidence must be provided that the relevant risks have been accepted by the responsible personnel. Compliance with this standard cannot be claimed unless the deletions do not affect the organization's ability and/or responsibility to meet security requirements as determined by risk assessment and applicable legal and regulatory requirements.

Note: If an organization already has an operational business process management system (for example, related to GB/T 19001-2000 or GB/T 24001-2004), then in most cases it is preferable to meet the requirements of this standard within the existing management system.

ISO/IEC 27001:2005 history

  • 2024 ISO/IEC 27001:2022/Amd 1:2024 Information security, cybersecurity and privacy protection — Information security management systems — Requirements — Amendment 1: Climate action changes
  • 2022 ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
  • 2015 ISO/IEC 27001:2013/Cor 2:2015 Information technology. Security technology. Information security management. Requirements technical corrigendum 2
  • 2014 ISO/IEC 27001:2013/Cor 1:2014 Information technology. Security technology. Information security management. Requirements technical corrigendum 1
  • 2013 ISO/IEC 27001:2013 Information technology. Security techniques. Information security management systems. Requirements
  • 2005 ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements


