ISO 27001 & ISO 27002

ISO 27001 is the most widely used international standard for information security. It describes how to establish, implement, maintain and continuously improve an Information Security Management System (ISMS). Its purpose is to protect the confidentiality, integrity and availability of company information through clear policies, procedures and appropriate technical and organizational controls, all rooted in the company's risk profile.

Why is ISO 27001 important?

The standard is robust and flexible at the same time: it sets a clear destination (proven security and compliance) but lets you choose the route (the action plan). ISO 27001 is built on risk management and continuous improvement, including the three-year recertification cycle and ongoing internal audits and management reviews.

Core elements of ISO 27001 (in brief): risk assessment and risk management, policies and procedures, implementation of controls, monitoring, audit and management review, and continuous improvement.

What is ISO 27002?

ISO 27002 is a companion standard to ISO 27001. Where ISO 27001 describes the requirements for an ISMS, ISO 27002 provides guidelines and examples on how to select and implement specific controls in practice (e.g. access management, network security, encryption, supplier management, incident management and emergency response). Think of ISO 27001 as the framework and ISO 27002 as the toolbox.

How Frontdoor Security helps

We translate requirements into a realistic plan and documentation that can satisfy both customer and certification body requirements. Typically, we start with a gap analysis against ISO 27001, establish a prioritized roadmap, update policies and procedures, help select the relevant controls with reference to ISO 27002, and ensure operation, monitoring and reporting, so you're ready for audit and certification.

Do you need help or advice?