This Recommendation | International Standard provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization.
The intended audience for this document is:
governing body and top management;
those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001;
those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance.
This Recommendation | International Standard is applicable to all types and sizes of organizations.
All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001.
This Recommendation | International Standard focuses on the three types of ISMS organizations given in Annex B. However, it can also be used by other types of organizations.
ISO/IEC 27014:2020