ISO/IEC 27001:2005 Information technology -- Security techniques -- Specification for an Information Security Management System

The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall risk management processes. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. It does not mandate specific information security controls.

The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA (Plan-Do-Check-Act) model to structure the processes.