An international standard specifying the requirements for an information-security management system (ISMS), against which an organisation may be certified by an accredited certification body. The standard is risk-based: it requires the organisation to identify, evaluate, and treat its information-security risks within a managed system, rather than to implement a fixed control catalogue; the Annex A controls serve as a reference set, and the organisation's Statement of Applicability records which of them apply and why the others are excluded. Certification covers only the ISMS scope declared on the certificate, not the organisation as a whole. The federation accepts current ISO/IEC 27001 certification as a substitute for SOC 2 in jurisdictions where SOC 2 is unfamiliar to relying parties.
First published as BS 7799-2 in 1999; adopted as ISO/IEC 27001:2005 and revised in 2013 and 2022.
Federation members holding ISO/IEC 27001 certification must publish the scope statement and the most recent surveillance audit confirmation. Certificates are issued for a three-year cycle with annual surveillance audits, so the surveillance confirmation is what shows that the certification is still being maintained rather than merely having been granted. Scope statements that omit production systems are reported under MEV-Annex:3.2.
@misc{ifo4_glossary_iso_27001,
title = {{ISO/IEC 27001}},
author = {{IFO4 Federation Editorial Board}},
howpublished = {{IFO4 Federation Glossary, slug \texttt{iso-27001}}},
year = {2026},
url = {https://ifo4.org/glossary/iso-27001},
note = {Category: SecOps; key: ISOIEC27001}
}

Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.