What are the 14 domains of ISO 27001

ISO/IEC 27001:2013 defines 14 domains, also referred to as "security control categories," that form part of an ISO/IEC 27001 information security management system (ISMS). These domains are as follows:

1. Security Policy: Defines the organization's information security policies and procedures, and establishes a framework for managing information security risks.

2. Organization of Information Security: Describes the management structure, roles, responsibilities, and accountability for information security within the organization.

3. Asset Management: Identifies the organization's information assets, assigns ownership and classification, and establishes procedures for their handling and protection.

4. Human Resources Security: Addresses the security aspects of the employment cycle, including recruitment, training, awareness, and termination.

5. Physical and Environmental Security: Ensures the security of the organization's physical assets, such as buildings, equipment, and facilities.

6. Communications and Operations Management: Covers the security of the organization's communications and operational procedures, including networks, operations, and system development.

7. Access Control: Ensures that access to information and information processing facilities is restricted to authorized users and entities.

8. Information Systems Acquisition, Development and Maintenance: Covers the security aspects of the information systems life cycle, from planning and development to disposal.

9. Information Security Incident Management: Establishes procedures for detecting, reporting, and responding to information security incidents.

10. Business Continuity Management: Covers the development and implementation of a business continuity plan, including measures for protecting critical business functions and information.

11. Compliance: Ensures that the organization complies with relevant laws, regulations, and contractual obligations related to information security.

12. Risk Management: Identifies and assesses information security risks, and establishes controls to manage and mitigate these risks.

13. Supplier Relationships: Covers the security aspects of the organization's relationships with third-party suppliers and vendors.

14. Information Security Governance: Establishes a framework for the overall management of information security within the organization, including policies, procedures, and metrics for measuring and improving information security performance.