ISO 27001
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, maintaining, and continually improving an organization's security management program. ISO 27001 follows a Plan-Do-Check-Act (PDCA) cycle and requires organizations to assess risks, implement appropriate controls (from the Annex A control set), and undergo regular audits. Certification is granted by accredited third-party auditors and is valid for three years with annual surveillance audits. ISO 27001 is globally recognized and often required by enterprise customers and partners. It is a key framework in CISM, CISA, and CISSP GRC domains.
Why It Matters
In practice, ISO 27001 is critical because it provides an internationally recognized certification that demonstrates an organization's commitment to information security, often serving as a prerequisite for enterprise sales and partnerships. Organizations that fail to implement a formal ISMS face ad hoc security practices, inconsistent controls across departments, and an inability to win contracts that require demonstrable security maturity. The 2022 revision streamlined Annex A controls from 114 to 93 and introduced new controls for cloud security and threat intelligence. Achieving and maintaining certification requires significant investment in documentation, training, and continuous improvement processes. On certification exams such as CISM, CISA, and CISSP, expect questions about the PDCA cycle in the context of an ISMS, the structure of Annex A controls, the certification audit process (including Stage 1 and Stage 2 audits), and comparisons of ISO 27001 with other frameworks such as NIST CSF and SOC 2.
Related GRC terms
Risk Assessment
The process of identifying, analyzing, and evaluating potential risks to an organization's information assets to determine the likelihood and impact of threats exploiting vulnerabilities. Risk assessment methodologies include qualitative (rating risks as High/Medium/Low), quantitative (calculating Annual Loss Expectancy using SLE x ARO = ALE), and hybrid approaches. Frameworks like NIST SP 800-30, ISO 27005, and FAIR provide structured risk assessment processes. The output drives risk treatment decisions: accept, mitigate, transfer (insurance), or avoid. Risk assessment is the cornerstone of CISSP Domain 1, CISM, and CISA certifications.
Vulnerability Assessment
A systematic process to identify, quantify, and prioritize security vulnerabilities in systems, applications, and networks using automated scanning tools and manual review. Common tools include Nessus, Qualys, OpenVAS, and Rapid7 InsightVM. Vulnerability assessments differ from penetration testing — they identify weaknesses without actively exploiting them. Results are typically scored using CVSS (Common Vulnerability Scoring System) and prioritized by severity, asset criticality, and exploitability. Regular vulnerability assessments are required by PCI DSS, HIPAA, and other compliance frameworks and are a key topic in Security+, CySA+, and CISSP certifications.
Penetration Testing
An authorized simulated cyberattack on a computer system, network, or application performed to evaluate its security posture and identify exploitable vulnerabilities. Pentest types include black box (no prior knowledge), white box (full system knowledge), and gray box (partial knowledge). The methodology follows phases: planning and scoping, reconnaissance, scanning, exploitation, post-exploitation, and reporting. Industry standards include the PTES, OWASP Testing Guide, and NIST SP 800-115. Penetration testing is the focus of OSCP, PenTest+, CEH, and GPEN certifications and a key assessment method in CISSP Domain 6.
Compliance
The act of conforming to established guidelines, specifications, regulations, or legislation related to information security and data protection. Key compliance frameworks include PCI DSS (payment card data), HIPAA (healthcare data), SOX (financial reporting), GDPR (EU personal data), and FedRAMP (US government cloud). Non-compliance can result in significant fines, legal liability, and reputational damage. Organizations use controls frameworks (NIST CSF, ISO 27001, CIS Controls) to demonstrate compliance. Compliance management is a central topic in CISA, CISM, and CISSP Domain 1 (Security and Risk Management).
NIST Framework
A set of guidelines and best practices published by the National Institute of Standards and Technology to manage cybersecurity risk, most commonly referring to the NIST Cybersecurity Framework (CSF) with its five core functions: Identify, Protect, Detect, Respond, and Recover. NIST also publishes the SP 800 series (including 800-53 for security controls, 800-171 for CUI, and 800-63 for digital identity). The framework is voluntary but widely adopted across industries and required for U.S. federal agencies. NIST provides the foundation for many organizational security programs and is heavily referenced in CISSP, CISM, and Security+ certifications.
GDPR
The General Data Protection Regulation — an EU regulation enacted in 2018 that governs data protection and privacy for all individuals within the European Economic Area. GDPR grants individuals rights including access, rectification, erasure ('right to be forgotten'), data portability, and the right to object to processing. Organizations must have a lawful basis for processing personal data, implement data protection by design, report breaches within 72 hours, and appoint a Data Protection Officer (DPO) in certain cases. Fines can reach up to 4% of annual global revenue or 20 million EUR. GDPR is tested in CISSP, CIPP/E, and security governance certifications.