
ISO/IEC 27001 ISMS Handbook 1

Title Thumbnail & Hero Image: ISO 27001:2022 Banner, source: unichrone.com, access date: Nov.17, 2025
First revision: Nov.17, 2025
Last change: Feb.13, 2026
Searched, gathered, rearranged, translated, and compiled by Apirak Kanchanakongkha.
1. ISO/IEC 27001 Standard.
  • A Standard "to apply to all organizations, regardless of type, size, or nature."
  • Ninety-three broadly formulated controls.
  • Compatibility with other management system standards, such as ISO/IEC 9001 (quality), ISO/IEC 14001 (environment), and ISO/IEC 22301 (business continuity).
  • The concept of information security can be broken down into the following three dimensions (CIA):
    • The preservation of the confidentiality of information.
    • The preservation of the integrity of information.
    • The preservation of the availability of information.
2. Information Security.
  • The preservation of the confidentiality of information.
    • Confidentiality is the property that information is not made available or disclosed to unauthorized persons, entities, or processes. Confidential information may include personal data, as well as other types of information, such as trade secrets or competitively sensitive data.
 
  • The preservation of the integrity of information.
    • The integrity of information refers to the accuracy and completeness of information. The word integrity sometimes leads to confusion because it also exists outside the context of information security, namely as a personal quality (honest, sincere). You could say that "honest" information is accurate and complete.
    • A loss of integrity of information can occur due to incorrect input, processing, or presentation of data (manually or automated). People with malicious intent can deliberately compromise the accuracy and completeness of information to benefit or to cause harm. After restoring information from a backup, certain information may no longer be correct and complete.
 
  • The preservation of the availability of information.
    • When it comes to information security, the availability aspect is often mentioned last. Not because the availability of information is considered unimportant, but because it is not always immediately linked to information security. Preserving availability means making information accessible and usable upon demand by an authorized entity (the organization or person who wants and may have access to the information).
    • A loss of availability of information can be temporary or permanent. It can be caused by unintended causes such as incorrect actions, technical malfunctions, or natural disasters. People with bad intentions can destroy information, make it inaccessible, or make it unreadable. Information systems can become overloaded. Someone can set up a DDoS attack to intentionally disrupt information systems. Information carriers such as paper, tapes, hard disks, and USB sticks can lose their information due to aging. Sometimes, information is no longer available because a deceased person was the only person who knew specific passwords.

The concept of information security was developed on November 28, 2025.
Other Aspects
Other properties can also be involved in information security, such as:
  • Non-repudiation: This refers to the ability to prove that a claimed event or action has occurred. For example, getting a signature on a receipt when delivering a postal package.
  • Authenticity: This is the property that an entity is what it claims to be. For example, the use of a digital certificate ensures that someone knows that messages come from a particular sender (source authenticity).
  • Reliability: This refers to the property of consistent intended behavior and consistent results. For example, information that sometimes appears quickly and sometimes slowly on a screen, or information whose content is continually changing, when this is unintended.  
3. Management System
The standard starts with chapter zero. In section 0.1, you can read that the Standard contains requirements for establishing, implementing, maintaining, and continually improving an information security management system.
As you will see step-by-step in this block, an information security management system is a powerful tool in getting and maintaining your information security at the right level.
To start slowly with setting up your information security management system, this chapter includes some general information.


ISMS
"ISMS" is a frequently used abbreviation for an information security management system. The abbreviation ISMS is also used in the title of this handbook or this block.

PDCA

Although the Standard itself does not refer to the Deming quality circle, which is a globally known and widely used improvement method, the chapters of the Standard can easily be linked to the Plan-Do-Check-Act phases of this model.
       
In the image on the next page, the Standard has been translated into the Deming quality circle. The image shows a model with two PDCA circles: an inner circle (the soft orange one) and an outer circle (the soft green one). The numbers and titles refer to the chapters and sections of the standard, and to the chapters and sections of this block.
The Inner PDCA circle of the model directly relates to the management of information security risks. This circle is already present in most organizations; there are plans for dealing with information security risks (plan), measures have been implemented to control those risks (do), checks are made to determine whether the measures are effective (check), and action is taken if this is not the case (act).       
       
Unfortunately, the inner circle does not always work well enough. As a result of a lack of discipline and in the absence of a systematic approach, invisible dangers can creep into the organization, which suddenly strike and cause significant damage. The consequences of this can be seen daily in the form of a loss of confidentiality, integrity, and availability of information at numerous organizations.
       
That is why the Standard uses a second PDCA circle. This outer circle provides support to the inner circle in the form of leadership and support (plan), planning and control (do), a systematic evaluation of performance (check), and continuous improvement of the system as a whole (act). The two PDCA circles can rotate at different speeds, but the outer circle makes regular contact with the inner circle, feeds it, and monitors it.
       
In this way, the implementation of an information security management system offers an improvement on two fronts: the introduction of a formal process for managing information security risks (the inner circle), and the introduction of a supporting process around it (the outer circle). The whole forms a robust system that is used throughout the world, and that is still growing in popularity.
       
Regarding the use of the inner circle, you may need to tighten the strings a bit more: the necessary processes must be defined and executed according to a schedule. The outer circle is usually still insufficiently present or insufficiently demonstrable.

THE IMPORTANCE OF THE MANAGEMENT SYSTEM 
How important is the management system within the ISO/IEC 27001 standard? Answer: The entire Standard revolves around the management system.
By way of illustration: An official ISO/IEC 27001 certificate never makes a statement about an organization's information security

4. Context
Chapter four of the Standard deals with the following questions:
       1) Which internal and external issues are relevant to your information security management system?
       2) What stakeholder requirements are relevant to your information security management system?
       3) What stakeholder requirements will you address in your management system?
       4) What is a suitable scope for your information security management system?
       5) How are you going to establish, implement, maintain, and continuously improve 

The Context of ISO 27001

4.1 Understanding the organization and its context
INTRODUCTION
Clause 4.1 requires you to identify all external and internal issues:
  • That are relevant to your purpose.
  • That affect your organization's ability to achieve the intended outcome(s) of your information security management system.
The external and internal issues must be addressed later in the implementation of your information security management system. You are expected to do this when:
  • Determining the scope of your management system (see 4.3).
  • Determining and handling risks that prevent the information security management system from achieving its intended outcome(s) (see 6.1.1).
  • Establishing information security objectives [4] (see 6.2).
EXTERNAL AND INTERNAL ISSUES: BUSINESS OBJECTIVE
The word purpose mentioned in clause 4.1 refers to your business objective(s) concerning information security. The question this clause addresses is: which positive and negative issues are relevant to achieving your business objective(s)?

Example
An organization's objective is "providing safe and reliable services and offering our customers confidence that we manage information security risks adequately." During a brainstorming session, the following internal issues emerged that are relevant to this objective:
Strengths
  • Favorable financial position.
  • Motivated staff.
  • Never had serious incidents.
  • A good level of IT knowledge.
  • Good tools.
Weaknesses
  • Few formal processes and rules.
  • No internal audits.
  • Little insight into risks.
  • Low awareness among some employees.
To get a better picture of the context, the organization includes the issues in a broader analysis by using a so-called SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats).
Issues for achieving business objectives
INTERNAL / POSITIVE: Strengths
  • Favorable financial position.
  • Motivated staff.
  • Never had serious incidents.
  • A lot of IT knowledge.
  • Good tools.
INTERNAL / NEGATIVE: Weaknesses
  • Few formal processes and rules.
  • No internal audits on the effectiveness of measures.
  • Little insight into risks.
  • Low awareness of information security among some employees.
EXTERNAL / POSITIVE: Opportunities
  • An ISO/IEC 27001 certificate is an opportunity to build customers' confidence.
EXTERNAL / NEGATIVE: Threats
  • Our problem with supplier X.
  • Shortage in the labor market.
  • Changing legislation.
  • Increasingly new forms of cybercrime.
  • The Standard does not require you to perform a SWOT analysis. To comply with Clause 4.1, you only have to identify internal and external issues.
INTERNAL AND EXTERNAL ISSUES: ACHIEVING THE INTENDED OUTCOME
Once the strategic decision has been made to implement an information security management system, the following question arises: Which positive and negative factors affect your organization's ability to achieve the intended outcome(s) of the management system?
Example
The same organization as in the previous example also organizes a brainstorming session on the internal issues that affect its ability to achieve the intended outcome of the management system. The results are used in a SWOT analysis.   

1.
2.
Page 8
INTERNAL ISSUES FOR THE MANAGEMENT SYSTEM
POSITIVE: Strengths
  • Commitment of top management.
  • A small organization, quick decisions.
  • Motivated staff.
  • A lot of IT knowledge.
  • Good tools.
NEGATIVE: Weaknesses
  • Limited workforce.
  • Little understanding of ISO/IEC 27001.
  • Little knowledge of the law.
  • Low awareness of information security among some employees.
  • Documentation is messy.
POSITIVE: Opportunities
  • Reduction in the number of incidents.
  • Improvement of existing processes.
  • Better cooperation with customers and suppliers.
  • Better compliance with legal and contractual requirements.
NEGATIVE: Threats
  • Project X is going to require a lot of workforce this year at the expense of the management system.
  • Three experienced employees will retire this year.
It is logical that when determining internal and external issues, there is sometimes an overlap between the business objectives and the intended outcomes of the management system. After all, the outcomes of the management system contribute to achieving your business objectives.


DETERMINING INTERNAL ISSUES
When determining internal issues, consider the size of your organization. Think of your corporate culture. Think of the maturity of leadership, policy, processes, and procedures. Think of your obligations, objectives and plans. Think of your available resources such as capital, workforce and time.
With larger organizations, other internal issues can play a role than with smaller ones. Below is an example of internal issues that could play a role in a larger organization:
Example
 
An organization with 150 employees and three sites sees the following internal issues that are relevant to its objectives, and that can influence its ability to achieve the intended outcome of its management system:
  • Top management has so far been little involved in the subject of information security.
  • The three sites think differently about information security and on how to manage it.
  • Decision making can be very slow.
  • Activities and culture at the locations are very different.
  • Seventeen employees speak a foreign language.
DETERMINING EXTERNAL ISSUES
When determining external issues, think of the influence of economic and political developments. Think of regulatory requirements in the field of information security. Think of technological developments at play outside your organization. Think of your suppliers.
The characteristic of external issues is that you usually have little or no influence on them. You must find a way to deal with them.
Pitfall 4: Issues determined for the intended scope
When determining internal and external issues, ignore the intended scope of your management system (see 4.3). The intention is that you determine this scope later, considering your internal and external issues.
MANDATORY DOCUMENTATION
Clause 4.1 does not require you to define or document something (words that you will find in some other clauses).
To be able to demonstrate that the requirements of the Standard are met, you can make a documented overview of your external and internal issues.

INSTRUCTIONS FOR CONDUCTING AUDITS
Regarding clause 4.1, an auditor could investigate the following:
  • Has the organization identified internal and external issues relevant to its information security objectives?
  • Has the organization identified internal and external issues that affect its ability to achieve the intended outcomes of its information security management system?
  • Does the organization regularly review whether there are new internal and external issues relevant to its information security objectives and its information security management system?
4.2 Needs and expectations of interested parties
INTRODUCTION
Clause 4.2 requires you to identify which interested parties are relevant to your information security management system, and which requirements of these interested parties are relevant to information security.
The results of this determination must be used at a later stage in the implementation of your information security management system. As with the internal and external issues (see 4.1) you are expected to do this when:
  • determining the scope of your management system (see 4.3).
  • determining and handling risks that prevent the information security management system from achieving its intended outcome(s) (see 6.1.1).
  • establishing information security objectives [4] (see 6.2). 
INTERESTED PARTIES (4.2A)
What does the Standard mean by interested parties? An interested party is [1]:
  • a person or organization that can affect a decision or activity of your organization.
  • a person or organization that can be affected by a decision or activity of your organization.
  • a person or organization that can perceive itself to be affected (positively or negatively) by a decision or activity of your organization.
The following types of interested parties can be distinguished:
  • Internal: persons or parties within your organization.
  • External: external persons or organizations such as customers, partners, suppliers, and creditors.
  • Interface: parties that are not involved in the organization but have a specific (legitimate) interest and exert influence. Think of the government, regulators, chamber of commerce, sector organizations, society, etc.
Below are some examples of interested parties.
INTERESTED PARTIES (INTERNAL): TOP MANAGEMENT 
Top management is the first relevant interested party for the information security management system. Top management has every interest in ensuring that the business objective is not compromised, and that the management system achieves its intended outcomes. If it is up to the Standard, then top management plays a crucial role in information security (see 5.1, 5.2, 5.3 and 9.3).

INTERESTED PARTIES (INTERNAL): EMPLOYEES
Your employees are also a very relevant interested party for the information security management system. Employees need guidance, training, and resources to perform tasks correctly and timely. Besides, employees expect their personal data to be stored securely and not to be shared with anyone.

INTERESTED PARTIES (EXTERNAL): CUSTOMERS
What do your customers expect when it comes to information security? That depends on what you do. Do you develop software? Then your customers expect that the software is well-protected. Do you provide hosting services?

References:
01. Cees van der Wens, ISO 27001: ISMS Handbook - Implementing and auditing an Information Security Management System in small and medium-sized business: explanation, examples, pitfalls, roadmap. Deseo Publishing, 2023. ISBN 9798852486288.

humanexcellence.thailand@gmail.com