ISO/IEC 27001 is the best choice because it provides a model for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). This standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO/IEC 27002 provides guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls, but does not outline a management system framework itself.