The standard specifies requirements for establishing, implementing, maintaining and continually improving an organization's information security management system. It includes requirements for assessing and managing the risks that arise from a lack of information security according to the organization's needs.