ISO IEC 27001 2013 Translated into Plain English
http://www.praxiom.com/iso-27001.htm
ISO IEC 27001 is an information security management standard. It takes a very broad approach. In the context of this standard, the term information includes data, documents, messages, communications, conversations, transmissions, recordings, drawings, and photographs. It includes all forms of information. This page presents an overview of ISO IEC 27001 2013. It does not provide detail. We start with section 4 because the standard's security requirements start there.
4. Contextual Requirements

4.1. Understand your organization and its particular context.
• Identify and understand your organization's context before you establish its information security management system (ISMS).
• Identify the internal issues that are relevant to your organization's purpose and consider the influence these issues could have on its ability to achieve the outcomes that its ISMS intends to achieve.
• Determine the influence your internal stakeholders could have.
• Determine the influence your approach to governance could have.
• Determine the influence your organization's capabilities could have.
• Determine the influence your organization's culture could have.
• Determine the influence your organization's contracts could have.
• Identify the external issues that are relevant to your organization's purpose and consider the influence these issues could have on its ability to achieve the outcomes that its ISMS intends to achieve.
• Determine the influence environmental conditions could have.
• Determine the influence key trends and drivers could have.
• Determine the influence external stakeholders could have.

1 of 10
18/05/14 2:11 pm

4.2. Define the needs and expectations of your interested parties.
• Identify all of the parties that have an interest in your organization's ISMS.
• Identify their requirements including their needs and expectations.

4.3. Figure out what your ISMS should apply to and clarify its scope.
• Consider what your organization's ISMS should apply to and what its boundaries should be when you think about what its scope ought to be.
• Think about how internal and external issues could influence your information security management system's ability to achieve intended outcomes.
• Think about how your organization's stakeholders could influence your information security management system's ability to achieve intended outcomes.
• Think about how your organization's activities, interfaces, and interdependencies could influence your information security management system's ability to achieve intended outcomes.
• Clarify the scope of your organization's ISMS.
• Make sure that your ISMS statement of scope is documented and available when it is needed.

4.4. Develop an ISMS that complies with this international standard.
• Establish an ISMS in accordance with the ISO IEC 27001 2013 standard.
5. Leadership Requirements

5.1. Provide leadership and show that you support your ISMS.
• Demonstrate a commitment to your ISMS.
• Ensure that ISMS policies are established.
• Ensure that ISMS objectives are established.
• Ensure that your ISMS achieves its intended outcomes.
• Ensure that ISMS requirements become an integral part of your organization's processes.
• Ensure that necessary ISMS resources are available when they are needed.
• Communicate a commitment to your ISMS.
• Make sure that people understand how important information security actually is.
• Encourage managers to demonstrate their leadership and commitment to information security within their own areas.

5.2. Establish an appropriate information security policy.
• Establish an information security policy for your organization.
• Make sure that your information security policy is appropriate and supports your organization's purpose.
• Make sure that your information security policy either includes security objectives or can be used to establish these objectives.
• Make sure that your information security policy makes a commitment to comply with all relevant information security requirements.

5.3. Assign responsibility and authority for your ISMS.
• Allocate responsibility and authority for carrying out information security roles to the appropriate people within your organization.
• Communicate all relevant information security management roles, responsibilities, and authorities.
6. Planning Requirements

6.1. Specify actions to manage risks and address opportunities.

6.1.1. Consider risks and opportunities when you plan your ISMS.
• Identify the risks and opportunities that could influence the effectiveness of your organization's ISMS or disrupt its operation.
• Consider how your internal and external issues could affect how well your ISMS is able to achieve its intended outcomes.
• Consider how your legal and regulatory requirements could affect how well your ISMS is able to achieve its intended outcomes.
• Figure out what you need to do to address the risks and opportunities that could influence the effectiveness of your organization's ISMS or disrupt its operation.

6.1.2. Establish an information security risk assessment process.
• Define an information security risk assessment process.
• Figure out how you're going to perform risk assessments.
• Figure out how you're going to identify risk owners.
• Figure out how you're going to ensure that your risk assessments produce consistent and valid results.
• Assess your organization's information security risks.
• Identify your organization's information security risks.
• Analyze your organization's information security risks.
• Evaluate your organization's information security risks.
• Prioritize your organization's information security risks.
• Document your information security risk assessment process.

6.1.3. Develop an information security risk treatment process.
• Define an information security risk treatment process.
• Figure out how you're going to select appropriate information security risk treatment options.
• Figure out how you're going to select the controls that will be needed to implement your risk treatment options.
• Figure out how you're going to formulate an information security risk treatment plan.
• Apply your information security risk treatment process.
• Document your information security risk treatment process.

6.2. Set security objectives and develop plans to achieve them.
• Establish your organization's information security objectives.
• Establish plans to achieve information security objectives.
• Specify what must be done to achieve your objectives.
• Specify who will be responsible for achieving objectives.
7. Support Requirements

7.1. Support your ISMS by providing the necessary resources.
• Identify and provide the resources that your ISMS needs.

7.2. Support your ISMS by making sure that people are competent.
• Identify the competence requirements of those under your organization's control who have an impact on its information security performance.
• Acquire the necessary competence whenever current personnel fail to meet your organization's information security competence requirements.
• Evaluate the effectiveness of any actions taken to acquire the information security competence your organization needs to have.

7.3. Support your ISMS by making people aware of their responsibilities.
• Make sure that the people who work for your organization understand and are aware of its information security policy.
• Make sure that the people who work for your organization understand how they can support and help enhance the effectiveness of your ISMS.

7.4. Support your ISMS by identifying your communication needs.
• Identify your organization's internal ISMS communication needs.
• Identify your organization's external ISMS communication needs.

7.5. Support your ISMS by managing all relevant information.

7.5.1. Include the information and documents that your ISMS needs.
• Figure out how extensive your ISMS documentation needs to be.
• Identify all the documents and records that your ISMS needs.

7.5.2. Manage the creation and modification of your ISMS documents.
• Manage the creation and modification of your organization's ISMS documents and records (documented information).
• Make sure that your ISMS documents and records are properly identified and described.
• Make sure that your ISMS documents and records are properly formatted and presented.
• Make sure that your ISMS documents and records are properly reviewed and approved.

7.5.3. Control your organization's ISMS information and documents.
• Control all of the information security documents and records (documented information) that your organization needs.
• Control all documents and records that your ISMS needs in order to preserve the confidentiality, integrity, and availability of information.
• Control all the documents and records required by this standard.
• Control how ISMS documents and records are controlled.
• Control how ISMS documents and records are created.
• Control how ISMS documents and records are identified.
• Control how ISMS documents and records are distributed.
• Control how ISMS documents and records are stored.
• Control how ISMS documents and records are retrieved.
• Control how ISMS documents and records are accessed.
• Control how ISMS documents and records are used.
• Control how ISMS documents and records are protected.
• Control how ISMS documents and records are changed.
• Control how ISMS documents and records are preserved.
8. Operational Requirements

8.1. Carry out operational planning and control your processes.
• Establish the processes that your organization needs in order to meet its information security requirements and implement the actions needed to address its information security risks and opportunities.
• Plan the development of your ISMS processes.
• Develop your organization's ISMS processes.
• Implement your organization's ISMS processes.
• Control internal and outsourced ISMS processes.
• Maintain your organization's ISMS processes.
• Implement plans to achieve your organization's information security objectives (these plans were developed in part 6.2).

8.2. Conduct regular information security risk assessments.
• Perform regular information security risk assessments.
• Prioritize your risks whenever risk assessments are done.
• Maintain a record of your risk assessment results.

8.3. Implement your information security risk treatment plan.
• Implement your information security risk treatment plan.
• Maintain a record of your risk treatment results.
9. Evaluation Requirements

9.1. Monitor, measure, analyze, and evaluate your information security.
• Figure out how you're going to assess the performance of your information security and determine the effectiveness of your ISMS.
• Figure out how you're going to monitor the performance of your organization's information security and the effectiveness of its ISMS.
• Figure out how you're going to measure the performance of your organization's information security and the effectiveness of its ISMS.
• Figure out how you're going to analyze the performance of your organization's information security and the effectiveness of its ISMS.
• Figure out how you're going to evaluate the performance of your organization's information security and the effectiveness of its ISMS.
• Assess the performance of your information security and determine the effectiveness of your ISMS.

9.2. Set up an internal audit program and use it to evaluate your ISMS.
• Plan the development of an internal ISMS audit program.
• Make sure that your audit program is capable of determining whether or not your ISMS conforms to requirements.
• Make sure that your audit program is capable of determining whether or not your ISMS has been implemented effectively.
• Establish your internal ISMS audit program.
• Establish your internal audit methods.
• Establish internal audit responsibilities.
• Establish internal audit planning requirements.
• Establish internal audit schedules and routines.
• Establish internal audit reporting requirements.
• Implement your internal ISMS audit program.
• Maintain your internal ISMS audit program.

9.3. Review performance of your ISMS at planned intervals.
• Establish a management review process.
• Plan your organization's ISMS review process.
• Review the performance of your ISMS.
• Generate management review outputs.
• Retain a record of management review results.
10. Improvement Requirements

10.1. Identify nonconformities and take corrective actions.
• Identify nonconformities when they occur.
• React to your organization's nonconformities.
• Evaluate the need to eliminate or control causes.
• Implement corrective actions to address causes.
• Review the effectiveness of your corrective actions.
• Change your organization's ISMS whenever necessary.

10.2. Enhance the overall performance of your ISMS.
• Improve the suitability, adequacy, and effectiveness of your ISMS.
This web page summarizes the ISO IEC 27001 2013 standard. It highlights the main points. It does not present detail. To get the complete Plain English standard, please consider purchasing Title 35: ISO IEC 27001 2013 Translated into Plain English. Our Plain English ISO IEC 27001 standard is 94 pages long. It includes all information security requirements, definitions, control objectives, and controls. Our Title 35 is detailed, accurate, and complete. It uses language that is clear, precise, and easy to understand. We guarantee it!
Updated on May 9, 2014. First published on November 12, 2013.
Praxiom Research Group Limited
[email protected]
780-461-4514
Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are welcome to print or make one copy of this page for your own personal, noncommercial, home use. But you are not legally authorized to print or produce additional copies or to copy and paste any of our material onto another web site or to republish it in any way. Copyright © 2013 - 2014 by Praxiom Research Group Limited. All Rights Reserved.