The purpose of ISO/IEC 27001:2013 is to help organisations establish and maintain an Information Security Management System, which is a set of interrelated elements that organisations use to manage and control information security risks. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information.
The adoption of an Information Security Management System is a strategic decision for an organisation. Its design is influenced by the organisation's needs and objectives, its security requirements, the organisational processes in use, and the size and structure of the organisation. All of these influencing factors are expected to change over time.
The Information Security Management System focuses on preserving the confidentiality, integrity and availability of information by applying a risk management process, and it gives confidence to interested parties that risks are adequately managed. This helps support the organisation's strategic direction and performance.