ISO/IEC 27001. Information security management

ISO 27001 is one of the best-known standards in the world that defines information security requirements. It can be implemented and certified by organizations of any size and from any industry.


RIGCERT provides ISO 27001 certification services to help you understand better the security risks your organization may face. The certification to ISO 27001 helps to demonstrate you have controls in place to safeguard the confidentiality, integrity and availability of the information you process.

Information security concept

Information security is commonly defined using the C-I-A triad: confidentiality (ensuring that information is available only to authorized users); integrity (protecting the accuracy and completeness of information) and availability (authorized users have access to information when needed).

At international level there are also other frameworks for information security, some popular examples include ISACA and NIST.

According to the International Standards Organization (ISO) ISO 27000 family of standards helps organizations keep information assets secure. Information may include intellectual property, financial data, information generated from research and development, employee data or information provided by third parties.

ISO/IEC 27001 Standard

ISO/IEC 27001:2013 defines the requirements for an information security management system. Main elements of the standard address the identification, assessment and treatment of information security risks.

The standard includes a series of information security controls  (114 controls) that address aspects like: human resources security, asset management, access control, physical security, cryptography, operation and communication security, acquisition, development and maintenance of information systems, relations with suppliers, incident management, legal compliance or integration of information security in business continuity.

First edition of ISO/IEC 27001 was published in 2005 and the current version of the standard is the one published in 2013.
Information published on the ISO website show that the popularity of ISO/IEC 27001 increases constantly every year, in both the number of certifications as well as the number of countries where the standard is being used.

ISO/IEC 27001 Certification

ISO/IEC 27001 can be implemented successfully in large corporations as well as in small businesses that wish to demonstrate they have controls in place to protect the information they process and store.

Of course ISO/IEC 27001 can be integrated with other management system standards like ISO 9001 or ISO 22301, for example.


For certification purposes please contact us by e-mail at

If you’re looking for a training course that details all the requirements of ISO/IEC 27001 as well as the 114 information security controls check out our course hosted on the Udemy platform below.


We have prepared a small quiz from the requirements of ISO/IEC 27001:2013 that you can try.

Get in touch with us!

Test your knowledge with the ISO/IEC 27001:2013 quiz!

Take the quiz

Which are the components of the P-D-C-A cycle?
What represents a requirement determined as not applicable to the QMS as per ISO 9001:2015?
Which of the following can be considered post-delivery activities according to ISO 9001:2015?
What is the frequency for internal audits required by ISO 9001:2015?
Which of the following statements is true?

1. What is the relation between environmental aspects and impacts?
2. Which statement is true according to ISO 14001:2015?
3. The corrective action is?
4. As per ISO 14001:2015 compliance obligations refer to:
5. For determining environmental aspects purposes, the life cycle of a product may include stages like:

1. The occupational health and safety policy
2. What represents a “near-miss”?
2. OHSAS 18001 requires:
4. Which of the following statements is false?
5. As per OHSAS 18001 the health and safety of visitors to the workplace represents the responsibility of the organization?

1. What represents the Statement of Applicability?
2. In case the same person is responsible for both initiating and approving specific transactions, what information security control is not respected?
3. In case the organization decides to outsource software development does it have any responsibility to monitor the activity of its subcontractor(s) in terms of information security?
4. The decision to accept a security risk represents an option for treatment?
5. What is the principle of independence related to internal audits referring to?