ISO 27001:2013 provides an overview of information security management systems and the controls used to monitor, evaluate and improve the efficiency and effectiveness of information security safeguards. The selection and implementation of controls should be documented in a Statement of Applicability. The statement helps define the protection of all forms of information, from data storage to computer servers, PCs, company noticeboards, mobile devices and even post-it notes, balancing the investment in controls against the risk of losing sensitive and client-related information.
The ISO 27001:2017 update of the standard introduces very little change from the ISO 27001:2013 version: the revised standard adds no new requirements to the existing standard, other than additional Corrigendum controls for the Statement of Applicability (SoA). The SoA may also be extended to include security controls from ISO 27701 – Privacy information management requirements, ISO 27017 – Code of practice for cloud services, or ISO 27018 – Code of practice for personally identifiable information (PII) in public clouds.