
ISO/IEC 27001 ISMS Handbook 1

Title Thumbnail & Hero Image: ISO 27001:2022 Banner, source: unichrone.com, access date: Nov.17, 2025
First revision: Nov.17, 2025
Last change: Dec.4, 2025
Searched, gathered, rearranged, translated, and compiled by Apirak Kanchanakongkha.
1. ISO/IEC 27001 Standard.
  • The Standard is written "to apply to all organizations, regardless of type, size, or nature."
  • Ninety-three broadly formulated controls (Annex A of the 2022 edition).
  • Compatibility with other management system standards, such as ISO 9001 (quality), ISO 14001 (environment), and ISO 22301 (business continuity).
  • The concept of information security can be broken down into the following three dimensions (CIA):
    • The preservation of the confidentiality of information.
    • The preservation of the integrity of information.
    • The preservation of the availability of information.
2. Information Security.
  • The preservation of the confidentiality of information.
    • Confidentiality is the property that information is not made available or disclosed to unauthorized persons, entities, or processes. Confidential information may include personal data, as well as other types of information, such as trade secrets or competitively sensitive data.
 
  • The preservation of the integrity of information.
    • The integrity of information refers to its accuracy and completeness. The word integrity sometimes causes confusion because it is also used outside information security, namely as a personal quality (honest, sincere). You could say that "honest" information is accurate and complete.
    • A loss of integrity can occur through incorrect input, processing, or presentation of data (manual or automated). People with malicious intent can deliberately compromise the accuracy and completeness of information to benefit themselves or to cause harm. After restoring information from a backup, certain information may no longer be correct and complete, for example because changes made after the backup was taken are missing.
 
  • Preserving the Availability of Information.
    • When it comes to information security, the availability aspect is often mentioned last. Not because the availability of information is considered unimportant, but because it is not always immediately linked to information security. Preserving availability means making information accessible and usable upon demand by an authorized entity (the organization or person who wants and may have access to the information).
    • A loss of availability of information can be temporary or permanent. It can have unintended causes such as incorrect actions, technical malfunctions, or natural disasters. People with bad intentions can destroy information, make it inaccessible, or make it unreadable. Information systems can become overloaded. Someone can launch a DDoS attack to intentionally disrupt information systems. Information carriers such as paper, tapes, hard disks, and USB sticks can lose their information through aging. Sometimes information is no longer available because a deceased person was the only one who knew specific passwords.

Figure: The concept of information security (diagram dated Nov. 28, 2025).
Other Aspects
Other properties can also be involved in information security, such as:
  • Non-repudiation: the ability to prove that a claimed event or action has occurred and which entities were involved, so that it cannot later be denied. For example, obtaining a signature on a receipt when delivering a postal package.
  • Authenticity: the property that an entity is what it claims to be. For example, a digital certificate lets a recipient verify that messages come from a particular sender (source authenticity).
  • Reliability: the property of consistent intended behavior and consistent results. Reliability is lacking when, for example, information sometimes appears quickly and sometimes slowly on a screen, or when its content keeps changing unintentionally.
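The difference between integrity, authenticity and non-repudiation in the definitions above (and in the integrity section of chapter 2) is easiest to see in code. The following Go program is an added example and is not code from the handbook, the Standard, or its author. It records a SHA-256 digest so that a restored copy that is no longer accurate and complete can be detected, uses an Ed25519 signature for source authenticity and non-repudiation, and contrasts that with an HMAC over a shared secret, which gives integrity but not non-repudiation, because the receiver holds the same secret and could have produced the identical tag. The record, the shared secret, the "restored" copy and all function names (Digest, IntegrityIntact, HMACTag, Signer, SignatureValid) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record standing in for "information" whose integrity,
// authenticity and non-repudiation we want to preserve (not from the handbook).
var record = []byte("invoice#1042;amount=1500.00;payee=ACME")

// Digest returns the SHA-256 fingerprint of data. Stored next to a backup, it
// lets you detect that restored information is no longer accurate and complete.
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }

// IntegrityIntact reports whether data still matches the digest recorded earlier.
func IntegrityIntact(data []byte, expected [32]byte) bool {
	actual := sha256.Sum256(data)
	return bytes.Equal(actual[:], expected[:])
}

// HMACTag authenticates data with a secret shared by sender and receiver.
// It gives integrity and a weak form of authenticity, but not non-repudiation:
// either holder of the secret could have produced the tag.
func HMACTag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// HMACValid checks a tag in constant time.
func HMACValid(key, data, tag []byte) bool {
	return hmac.Equal(HMACTag(key, data), tag)
}

// Signer holds an Ed25519 key pair. Only the private key can sign, so a valid
// signature proves origin (authenticity), and the signer cannot plausibly deny
// it (non-repudiation) because the verifier never holds the private key.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

func (s *Signer) Sign(data []byte) []byte   { return ed25519.Sign(s.priv, data) }
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// SignatureValid needs only the public key, so anyone can check the claim.
func SignatureValid(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	// Integrity: record the digest at write time, check after a simulated restore
	// in which one field was silently altered.
	d := Digest(record)
	restored := bytes.Replace(record, []byte("1500.00"), []byte("15000.00"), 1)
	fmt.Println("restored copy intact:", IntegrityIntact(restored, d))

	// Authenticity and non-repudiation with a signature.
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := alice.Sign(record)
	fmt.Println("signature valid on original:", SignatureValid(alice.Public(), record, sig))
	fmt.Println("signature valid on altered copy:", SignatureValid(alice.Public(), restored, sig))

	// HMAC: the receiver can verify the tag, but could equally have forged one
	// over altered data, so it proves nothing to a third party.
	shared := []byte("constructed-shared-secret")
	tag := HMACTag(shared, record)
	forged := HMACTag(shared, restored)
	fmt.Println("hmac valid:", HMACValid(shared, record, tag),
		"receiver-forged tag valid:", HMACValid(shared, restored, forged))
}
```

Design note: a digest alone protects against accidental corruption, not against an attacker who can rewrite both the data and the stored digest; the HMAC closes that gap between two parties that share a key, and only the signature lets a third party, such as an auditor, attribute the record to one signer.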
3. Management System
System
The standard starts with chapter zero. In section 0.1, you can read that the Standard contains requirements for establishing, implementing, maintaining, and continually improving an information security management system.
       As you will see step-by-step in this block, an information security management system is a powerful tool for getting your information security to the right level and keeping it there.
       To start gently with setting up your information security management system, this chapter includes some general information.


ISMS
"ISMS" is a frequently used abbreviation for an information security management system. The abbreviation ISMS is also used in the title of this handbook or this block.

PDCA
Although the Standard itself does not refer to the Deming quality circle, which is a globally known and widely used improvement method, the chapters of the Standard can easily be linked to the Plan-Do-Check-Act phases of this model.
       In the image below, the Standard has been translated into the Deming quality circle. The image shows a model with two PDCA circles: an inner circle (the soft orange one) and an outer circle (the soft green one). The numbers and titles refer to the chapters and sections of the Standard, and to the chapters and sections of this block.
[Figure: the Standard mapped onto two PDCA circles, an inner circle for managing information security risks and an outer circle for the management system. Image not reproduced here.]
The Inner PDCA circle of the model directly relates to the management of information security risks. This circle is already present in most organizations; there are plans for dealing with information security risks (plan), measures have been implemented to control those risks (do), checks are made to determine whether the measures are effective (check), and action is taken if this is not the case (act).       
       Unfortunately, the inner circle does not always work well enough. As a result of a lack of discipline and in the absence of a systematic approach, invisible dangers can creep into the organization, which suddenly strike and cause significant damage. The consequences of this can be seen daily in the form of a loss of confidentiality, integrity, and availability of information at numerous organizations.
       That is why the Standard uses a second PDCA circle. This outer circle provides support to the inner circle in the form of leadership and support (plan), planning and control (do), a systematic evaluation of performance (check), and continuous improvement of the system as a whole (act). The two PDCA circles can rotate at different speeds, but the outer circle makes regular contact with the inner circle, feeds it, and monitors it.
       In this way, the implementation of an information security management system offers an improvement on two fronts: the introduction of a formal process for managing information security risks (the inner circle), and the introduction of a supporting process around it (the outer circle). The whole forms a robust system that is used throughout the world, and that is still growing in popularity.
       Regarding the use of the inner circle, you may need to tighten things up a bit: the necessary processes must be defined and executed according to a schedule. The outer circle is usually still insufficiently present, or insufficiently demonstrable.

THE IMPORTANCE OF THE MANAGEMENT SYSTEM 
How important is the management system within the ISO/IEC 27001 standard? Answer: The entire Standard revolves around the management system.
By way of illustration: An official ISO/IEC 27001 certificate never makes a statement about an organization's information security

4. Context
Chapter four of the Standard deals with the following questions:
       1) Which internal and external issues are relevant to your information security management system?
       2) What stakeholder requirements are relevant to your information security management system?
       3) What stakeholder requirements will you address in your management system?
       4) What is a suitable scope for your information security management system?
       5) How are you going to establish, implement, maintain, and continuously improve 

[Figure: The Context of ISO 27001. Image not reproduced here.]
4.1 Understanding the organization and its context
INTRODUCTION
Clause 4.1 requires you to identify all external and internal issues:
  • that are relevant to your purpose, and
  • that affect your organization's ability to achieve the intended outcome(s) of your information security management system.
The external and internal issues must be addressed later in the implementation of your information security management system. You are expected to do this when:
  • determining the scope of your management system (see 4.3);
  • determining and handling risks that could prevent the information security management system from achieving its intended outcome(s) (see 6.1.1);
  • establishing information security objectives [4] (see 6.2).
EXTERNAL AND INTERNAL ISSUES: BUSINESS OBJECTIVE
The word "purpose" in clause 4.1 refers to your business objective(s) concerning information security. The question this clause asks is: which positive and negative issues are relevant to achieving your business objective(s)?
Example
An organization's objective is "providing safe and reliable services and offering our customers confidence that we manage information security risks adequately." During a brainstorming session, the following internal issues emerged that are relevant to this objective:
   Strengths:
   • Favorable financial position.
   • Motivated staff.
   • Never had serious incidents.
   • A good level of IT knowledge.
   • Good tools.
   Weaknesses:
   • Few formal processes and rules.
   • No internal audits.
   • Little insight into risks.
   • Low awareness among some employees.

To get a better picture of the context, the organization includes the issues in a broader analysis by using a so-called SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats).
Issues for achieving business objectives (SWOT)

INTERNAL, POSITIVE: Strengths
  • Favorable financial position.
  • Motivated staff.
  • Never had serious incidents.
  • A lot of IT knowledge.
  • Good tools.
INTERNAL, NEGATIVE: Weaknesses
  • Few formal processes and rules.
  • No internal audits on the effectiveness of measures.
  • Little insight into risks.
  • Low awareness of information security among some employees.
EXTERNAL, POSITIVE: Opportunities
  • An ISO/IEC 27001 certificate is an opportunity to build customers' confidence.
EXTERNAL, NEGATIVE: Threats
  • Our problem with supplier X.
  • Shortage in the labor market.
  • Changing legislation.
  • Ever new forms of cybercrime.

  • The Standard does not require you to perform a SWOT analysis. To comply with Clause 4.1, you only have to identify internal and external issues.
INTERNAL AND EXTERNAL ISSUES: ACHIEVING THE INTENDED OUTCOME
Once the strategic decision has been made to implement an information security management system, the following question arises: Which positive and negative factors affect your organization's ability to achieve the intended outcome(s) of the management system?
Example
The same organization as in the previous example also organizes a brainstorming session on the internal issues that affect its ability to achieve the intended outcome of the management system. The results are used in a SWOT analysis.   

INTERNAL ISSUES FOR THE MANAGEMENT SYSTEM (SWOT)

POSITIVE: Strengths
  • Commitment of top management.
  • A small organization, quick decisions.
  • Motivated staff.
  • A lot of IT knowledge.
  • Good tools.
NEGATIVE: Weaknesses
  • Limited workforce.
  • Little understanding of ISO/IEC 27001.
  • Little knowledge of the law.
  • Low awareness of information security among some employees.
  • Documentation is messy.
POSITIVE: Opportunities
  • Reduction in the number of incidents.
  • Improvement of existing processes.
  • Better cooperation with customers and suppliers.
  • Better compliance with legal and contractual requirements.
NEGATIVE: Threats
  • Project X is going to require a lot of workforce this year at the expense of the management system.
  • Three experienced employees will retire this year.

It is logical that, when determining internal and external issues, there is sometimes an overlap between the business objectives and the intended outcomes of the management system. After all, the outcomes of the management system contribute to achieving your business objectives.





References:
01. Cees van der Wens, ISO 27001: ISMS Handbook. Implementing and auditing an Information Security Management System in small and medium-sized businesses: explanation, examples, pitfalls, roadmap. Deseo Publishing, 2023. ISBN 9798852486288.


humanexcellence.thailand@gmail.com