ISO27001:2013 is the international standard for an information security management system (ISMS). It is a systematic approach that allows organisations to keep their information assets secure, covering people, processes, and ICT systems. It brings about these improvements to the security of assets through the continuous application of a risk management process and can help any type of organisation to keep its assets secure.
Like other management standards, it is a document that lists a number of ideas that help organisations to improve. It has a number of main clauses like other standards; however, an additional and key part of ISO27001 is the Statement of Applicability (SoA), which requires organisations to demonstrate conformance with requirements in an additional 114 areas. Organisations find this very useful, as it often allows a more risk-based structure to be brought to their ICT.
It is a tool to help organisations adopt the best practice it contains, and to demonstrate to their clients that they have followed its recommendations.
Where organisations demonstrate to a Certification Body (CB), such as BSI, that they have implemented these ideas, or clauses, of ISO27001:2013, the CB may certify them to the standard.
Some organisations obtain ISO27001:2013 in order to fulfil a customer requirement, or to be able to tender for a contract, and by implication therefore use it as a way to try to improve their sales.
However, more and more organisations recognise the benefits of improving their security performance, particularly in the world of GDPR compliance, and make a stand-alone investment in the achievement of the standard as their goal.
Best-practice organisations will go further and base their asset security on the use of the standard, from the leadership of the organisation throughout, in order to become more effective at what they do, making it a significant and strategic asset management tool. In fact, this is where the real benefits of ISO27001 are found, and these organisations tend to see ISO27001 as a baseline for asset security.