ISO/IEC 27001
Information security management systems - Requirements
Overview
Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Provides a systematic approach to managing sensitive company information.
Applicability
Organizational security management and governance
Relevance to Digital Services Act (DSA)
Key Coverage Areas
Standard Sections & Chapters
Organizational controls
People controls
Physical controls
Technological controls
Policies for information security
Threat intelligence
Information security for use of cloud services
User endpoint devices
Privileged access rights
Information access restriction
Management of technical vulnerabilities
Related Digital Services Act (DSA) Articles
Article 14: Terms and conditions
ISO 27001 Mapping:
Information security policies and ICT readiness
Implementation Guidance:
Establish clear policies for content moderation aligned with ISO 27001 governance
Mapped Obligations:
- Describe content moderation methods (algorithms, human review) and complaint procedures
Article 15: Transparency reporting obligations for providers of intermediary services
ISO 27001 Mapping:
Collection of evidence for compliance
Implementation Guidance:
Maintain audit trails and evidence for transparency reports
Mapped Obligations:
- Detail content moderation actions taken (both manual and automated)
- Report complaint handling metrics including processing times and decisions
- Provide information about automated content moderation tools and their accuracy
Article 16: Notice and action mechanisms
ISO 27001 Mapping:
Information security event management and response
Implementation Guidance:
Establish incident response procedures for content notifications
Article 17: Statement of reasons
ISO 27001 Mapping:
Evidence collection and audit trails
Implementation Guidance:
Maintain records of moderation decisions and reasoning
Article 20: Internal complaint-handling system
ISO 27001 Mapping:
Complaint handling and dispute resolution
Implementation Guidance:
Establish certified dispute resolution mechanisms
Mapped Obligations:
- Provide a free electronic complaint system accessible for at least 6 months after decisions
- Allow complaints against content removal, service suspension, account termination, and monetization restrictions
- Ensure the complaint system is easy to access, user-friendly, and allows detailed complaints
- Handle complaints in a timely, non-discriminatory, diligent and non-arbitrary manner
- Reverse decisions promptly when complaints show decisions were unfounded
- Inform complainants of decisions with reasoning and available dispute resolution options
- Ensure human supervision of complaint decisions (not fully automated)
Article 24: Transparency reporting obligations for providers of online platforms
ISO 27001 Mapping:
Access control and configuration management
Implementation Guidance:
Implement KYC (Know Your Customer) processes with proper access controls
Mapped Obligations:
- Report dispute resolution statistics including resolution times and implementation rates
- Report all account suspensions categorized by reason (illegal content, false notices, false complaints)
- Submit all content moderation decisions to the Commission's public database immediately
- Ensure no personal data is included in any submitted information
Article 26: Advertising on online platforms
ISO 27001 Mapping:
Risk assessment and information management
Implementation Guidance:
Include recommender systems in overall risk assessment
Mapped Obligations:
- Prohibit ad targeting based on special categories of personal data
Article 28: Online protection of minors
ISO 27001 Mapping:
Evidence and audit trails
Implementation Guidance:
Maintain records of advertising disclosures and compliance
Mapped Obligations:
- Implement appropriate and proportionate measures for a high level of privacy, safety, and security for minors
- Must not use personal data profiling for advertising to known minors
- Comply without processing additional personal data to determine if users are minors
Article 34: Risk assessment
ISO 27001 Mapping:
Risk assessment in ISMS context
Implementation Guidance:
Include systemic risks in information security risk assessment
Mapped Obligations:
- Conduct initial risk assessment by the date specified in Article 33(6)
- Perform risk assessments at least annually thereafter
- Evaluate impacts on fundamental rights (privacy, freedom of expression, non-discrimination, child rights)
- Evaluate content moderation systems and their effectiveness
- Preserve risk assessment documentation for at least 3 years
- Provide risk assessment documents to Commission and Digital Services Coordinator upon request
Article 35: Mitigation of risks
ISO 27001 Mapping:
Risk treatment and organizational controls
Implementation Guidance:
Deploy appropriate controls to mitigate identified systemic risks
Mapped Obligations:
- Adapt content moderation processes for illegal content, especially hate speech and cyber violence
- Cooperate with trusted flaggers and dispute resolution bodies
Article 37: Independent audit
ISO 27001 Mapping:
Internal audit and management review
Implementation Guidance:
Conduct regular internal audits and prepare for external audits
Mapped Obligations:
- Undergo independent audits at least annually at their own expense
- Provide auditors with full cooperation, access to data and premises
- Ensure auditor independence (no conflicts of interest, no non-audit services 12 months before/after)
- Obtain written audit report with specific required elements
- Implement audit recommendations within one month if audit is not positive
- Ensure auditor has proven expertise in risk management and technical competence
- Limit auditor tenure to maximum 10 consecutive years
Article 40: Data access and scrutiny
ISO 27001 Mapping:
Resource allocation and governance
Implementation Guidance:
Budget for supervisory fees as part of compliance program
Mapped Obligations:
- Digital Services Coordinators and the Commission shall use the data accessed pursuant to paragraph 1 only for the purpose of monitoring and assessing compliance with this Regulation and shall take due account of the rights and interests of the providers of very large online platforms or of very large online search engines and the recipients of the service concerned, including the protection of personal data, the protection of confidential information, in particular trade secrets, and maintaining the security of their service
Article 42: Transparency reporting obligations
ISO 27001 Mapping:
Evidence collection and audit trails
Implementation Guidance:
Maintain comprehensive records for transparency reports
Mapped Obligations:
- Include human resources information for content moderation broken down by EU official languages
- Report qualifications, linguistic expertise, and training of content moderation staff
- Submit and publish risk assessment results within 3 months of audit completion
- Publish audit reports and implementation reports
Quick Information
- Organization: ISO/IEC
- Category: Information Security Management
- Certification: Available