ISO 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system - an overall management and control framework - for managing an organization's information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief. Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles. The ISO 27001 standards provide guidance on designing, implementing and auditing Information Security Management Systems that protect the confidentiality, integrity and availability of the information content, systems and processes on which we all depend.