ISO/IEC 27001 is the international standard for managing an organisation's information security. It sets out how an organisation should address the requirements of confidentiality, integrity and availability of its information assets and incorporate this into an information security management system (ISMS).
ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organisation’s overall business risks.
A common misconception is that ISO 27001 is only about the control of IT systems. IT controls are certainly included, but the standard also covers physical and site security, access control, personnel screening and many other areas.
ISO 27001 requires a risk assessment and consideration of an extensive list of controls (listed in Annex A of the standard). A documented Statement of Applicability must then be prepared, identifying the controls that are relevant and applicable to the organisation and justifying the inclusion or exclusion of each.