ISO 27001 Standard
What is ISO 27001?
ISO/IEC 27001 is the leading internationally recognized standard for an Information Security Management System (ISMS), enabling organizations to implement and maintain information security in a measured, controlled, and documented way. The current edition is ISO/IEC 27001:2022. It sets out clear criteria and processes to minimize risk, meet regulatory requirements, and improve your response in the event of a cyber attack.

What is an Information Security Management System?
An ISMS is a set of policies and controls an organization implements in order to:
- Identify your stakeholders and what they expect of you regarding information security
- Identify the information-related risks that exist
- Develop controls (safeguards) and other strategies to meet requirements and manage risk
- Set clear information security objectives
- Implement all the controls and risk-reduction strategies
- Regularly measure whether the controls are performing as planned
- Make continual improvements to the ISMS
Why adopt the ISO 27001 standard?
Adopting ISO 27001 shows stakeholders that your organization takes information security seriously and works to:
- Carry out detailed, practical risk assessments
- Reduce identified risks to a manageable level
- Effectively manage cyber security threats
The benefits of adopting the standard include:
- Reduced threats to your information security and data protection
- Help attracting new customers and retaining existing ones, while saving time and resources
- An enhanced global reputation
The ISO 27000 family of standards
The ISO 27000 family is a set of interconnected information security management standards that together form an internationally recognized framework for best-practice information security. At its core is ISO 27001, which specifies the ISMS requirements. The family now contains more than 40 standards; the most widely used include:
- ISO/IEC 27000 – the terminology and definitions used across the family.
- ISO/IEC 27002 – guidance on implementing the controls in ISO 27001 Annex A (the 2022 edition reorganized these into 93 controls across four themes).
- ISO/IEC 27004 – how to measure information security and judge whether the ISMS has met its objectives.
- ISO/IEC 27005 – guidance on managing information security risk (risk assessment and treatment).
- ISO/IEC 27017 – security in cloud environments.
- ISO/IEC 27018 – protection of personal information in the cloud.
- ISO/IEC 27031 – ICT readiness for business continuity, linking information security and business continuity.
The objectives of ISO 27001: the CIA triad
ISO 27001’s primary purpose is to protect three properties of information:
- Confidentiality: only authorized individuals can access the information.
- Integrity: only authorized individuals can change the information.
- Availability: the information is available to authorized individuals when needed.
Is ISO 27001 enforceable by law?
Compliance with ISO 27001 can be made a contractual requirement between public and private organizations. In addition, some countries enact laws or regulations that make implementing the standard a legal requirement for organizations operating within their borders.
ISO 27001 and information security in Canada
In Canada, organizations have obligations to protect personal information under the federal PIPEDA and provincial laws such as Quebec’s Law 25. ISO 27001 gives Canadian organizations a structured, internationally recognized way to manage information security risk – supporting these obligations and building trust with customers and partners.
How does ISO 27001 keep your security from going stale?
Many initiatives start strong and then fade – a classification policy that worked at first becomes obsolete as technology, the organization, and people change, and no one wants to follow an out-of-date document, which weakens security. ISO 27001 builds in mechanisms to prevent this and to keep improving security over time: monitoring and measurement, internal audits, corrective actions, and management reviews. Adopting the standard is a practical way to resolve a range of security issues, make your job easier, and earn recognition from top management.
Contact IAS today to learn more about the ISO 27001 standard, or visit our frequently asked questions page.
Frequently Asked Questions
What is ISO 27001?
The leading international standard for an Information Security Management System (ISMS); the current edition is ISO/IEC 27001:2022.
What is the ISO 27000 family?
A set of related information security standards built around ISO 27001, including ISO 27002 (controls), 27005 (risk), 27017/27018 (cloud), and others.
What are the CIA properties?
Confidentiality, Integrity, and Availability – the three properties of information ISO 27001 protects.
Is ISO 27001 a legal requirement?
Not generally, but it can be required by contract, and some jurisdictions make it a legal requirement in specific sectors.
How does it relate to Canadian privacy law?
It supports obligations under PIPEDA and provincial laws such as Quebec's Law 25 to protect personal information.
How does ISO 27001 keep security current?
Through built-in monitoring, internal audits, corrective actions, and management reviews that drive continual improvement.