Wednesday, February 11, 2009

ISO27001 and ISO17799 identify 10 key areas and controls.

  • Security Policy – to provide management direction and support for information security.
  • Organisation of Assets and Resources – to help you manage information security.
  • Asset classification and control – to help you identify and protect your assets.
  • Personnel security – to reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – to prevent unauthorized access, damage, and interference with business premises and information.
  • Communications and operations management – to ensure the correct and secure operation of information processing facilities.
  • Systems development and maintenance – to ensure that security is built into information systems.
  • Access control – to control access to information.
