ISO 27001 is an international standard that outlines best practices for an Information Security Management System (ISMS). It requires organizations to take a risk-based approach to information security: they identify their security risks and select appropriate controls from Annex A to reduce, eliminate or otherwise manage those risks. Annex A contains 114 controls across 14 categories that provide options for treating risks, though not every control will apply to every organization, since applicability depends on each organization's risks and needs. Organizations must document their selected controls in a Statement of Applicability and provide a justification for any control they exclude.