# ISO/IEC 27001 ISMS

One-sentence definition: International standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

## Key Facts

- Requires risk-based ISMS scope, context, leadership, planning, support.
- Annex A references control themes (aligned with 27002 guidance).
- Certification via accredited audit; surveillance audits annually.
- Emphasizes **PDCA** (Plan-Do-Check-Act) continual improvement.
- Mandatory documented information (policies, SoA, risk treatment plan).
- Integrates with 27005 (risk) and 27701 (privacy ISMS).
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Distinguish ISMS governance vs control catalog.

**Mnemonic:** “ISMS = **P**lan, **D**o, **C**heck, **A**ct.”

## Mini Scenario

Q: Auditor asks how you mapped risks to controls—what document?

A: Statement of Applicability (SoA).

## Revision Checklist

- Name two mandatory ISMS artifacts.
- Explain PDCA in one line.
- Differentiate 27001 vs 27002.

## Related

[[ISO IEC 27002 Security Controls]] · [[ISO IEC 27005 Risk Management]] · [[ISO 31000 Risk Management Principles]] · [[Compliance and Regulatory Concepts]] · [[Security Governance]] · [[Domain 1 - Index]]