ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks. The standard also specifies the requirements for implementing security controls tailored to the needs of the organization.

The standard is designed to provide a selection of appropriate security controls that protect information and provide confidence to interested parties.

It is suitable for different types of use, including:
  • formulating the organization's security objectives and requirements;
  • ensuring that security risks are managed cost-effectively;
  • implementing and managing existing information security management processes;
  • defining new information security management processes as well as identifying and clarifying the existing information security management processes;
  • use by the management of an organization to determine the status of its information security management activities;
  • use by internal and external auditors to determine compliance with the policies, directives and standards adopted by the organization;
  • providing relevant information about information security policies, directives, standards and procedures to commercial partners and other organizations with which the organization interacts for operational or commercial reasons;
  • providing relevant information on information security.