ISO 27001 is the only auditable International Standard for Information Security Management Systems (ISMS). This standard requires organizations to assess the risks to their information assets and select appropriate security controls to mitigate those risks. It also provides a list of security controls for organizations to use. ISO 27002 provides guidelines on how to implement the security controls listed in ISO 27001. It allows organizations to integrate requirements from multiple regulations (e.g. SOX, HIPAA) into a single Information Security Management System (ISMS) and manage it as one system, as opposed to managing multiple systems in isolation.
ISO 27001 is applicable to all types of businesses regardless of size, complexity and geographic location. This is especially important for businesses dealing with confidential information, including banking and financial firms, healthcare organizations and IT services companies.