The ISO/IEC 27001 standard is the only international standard that is auditable and certifiable and that defines the requirements for an ISMS (Information Security Management System); it is designed to ensure the selection of adequate and proportionate security controls.
In this way it is possible to protect information and to give confidence to stakeholders, in particular customers.
• Risk assessment consistent with the baseline;
• the concept of information (or information resource) and how it is used;
• the economic and financial aspects of information security;
• the organisational (and not only technological) aspect of information security;
• the effectiveness of the ISMS and of the countermeasures taken to deal with risks.
Of fundamental importance is Annex A, which contains the “controls” (or countermeasures) with which an organisation that intends to apply the standard must comply.
– Gain a competitive advantage by meeting the contractual requirements of customers, with particular attention to the security of their information;
– Identify, assess and manage the organisation's risks impartially, while formalising the processes, procedures and documentation related to information security;
– Demonstrate compliance with applicable laws and regulations impartially;
– Demonstrate the commitment of business leaders to ensuring the security of information;
– Ensure continuous monitoring of company performance and implement the necessary improvement actions.