ISO/IEC 27001-2013 pdf free.Information technology – Security techniques – Information security management systems – Requirements.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 1 is not acceptable when an organization claims conformity to this International Standard.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in lSO/IEC 27000 apply.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 310O0:20O9Iil.
4.2 Understanding the needs and expectations of interested parties The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 42; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security
management system, in accordance with the requirements of this International Standard.
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system arc available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.ISO/IEC 27001 pdf free download.