ISO 27001:2013 – Information Security Management Systems
The main purpose of ISO 27001 is to promote information security within organisations that wish to implement a management system for the correct handling of the information they own or that is entrusted to them by third parties. Since 2016, with the issuance of Reg. EU 2016/679 (GDPR), it has been widely adopted by organisations undergoing digital transformation and by those whose core activity is the processing of sensitive information.

The defence of corporate assets therefore becomes central, and the standard provides useful tools to limit exposure to data breaches arising from both external and internal factors of the organisation.

Where to Start

As already seen with other standards developed according to the High Level Structure (HLS), ISO 27001 lays its foundations in the risk assessment document, which must be drawn up consistently with the analysis of the business context and of the information processed. The organisation must understand the concept of information (the Information Asset), distinguishing the forms it takes and the ways in which it is presented. Pro

The economic and financial aspects of information security must be determined, covering the organisational as well as the technological factors that have an impact.

Fundamental to the design of a management system according to ISO 27001 is Annex A, which contains the “controls” (or countermeasures) with which the organisation must comply.

Annex A and the “Controls” foreseen by the standard

The controls cover the following topics:

information security policy and organisation
human resources security
asset management
logical access control
physical and environmental security
operations security
communications security
application security management
the relationship with suppliers involved in information security management
the handling of information security incidents
business continuity management
regulatory compliance