# ISO/IEC 27001

**What is ISO 27001?**

ISO/IEC 27001 is the international standard for an information security management system. It describes how an organisation records, treats and continuously reviews its security risks.

The standard does not prescribe any particular technical product. It requires a traceable process: define the scope, assess the risks, select measures, measure whether they work and improve them.

Certification is carried out by an accredited certification body and is a sizeable project for most mid sized companies. A gap analysis shows in advance how far away certification is and which gaps to close first.

## Related terms
- [NIS2](https://vetosec.at/en/it-security/nis2/)
- [Gap analysis](https://vetosec.at/en/it-security/gap-analyse/)
- [Technical and organisational measures (TOMs)](https://vetosec.at/en/it-security/tom-dsgvo/)

## Source
https://vetosec.at/en/it-security/iso-27001/ (vetosec, recht)
