The ISO 27000 series
Businesses of any kind can manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties by using the ISO/IEC 27000 family of standards. They cover a wide range of businesses, large and small, in every industry.
In response to changing information security requirements in many industries and contexts, new standards are being developed to keep pace with the rapid advancement of technology.
There are a number of standards in the ISMS family that do the following:
- Outline the standards for an ISMS and for those who certify such systems (for example, ISO/IEC 27001, ISO/IEC 27006, and so on)
- Assist in the whole process of establishing, implementing, maintaining, and improving an ISMS (for example, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, and so on)
- Address industry-specific rules for the ISMS (for example, ISO/IEC 27010, ISO/IEC 27011, and so on)
- Deal with ISMS conformance assessment (for example, ISO/IEC 17021)
ISO 27001, and other management system standards published by ISO, undergo periodic reviews and updates to ensure their continued relevance and effectiveness in addressing emerging risks and evolving industry practices. These revisions reflect the commitment of the standard-setting bodies to incorporate advancements in technology, address emerging threats, and align with changing regulatory requirements to maintain the highest standards of information security management.
Let's look at a few of the ISO 27000 series of standards that have been published.
ISO/IEC 27001
This standard is known as Information security, Cybersecurity, and Privacy protection – Information security management systems – Requirements (https://www.iso.org/).
This standard talks about the requirements for implementing an effective information security management system. Using ISO/IEC 27001, an organization can build and operate an ISMS that includes a set of controls for controlling and mitigating risks connected with its information assets. Organizational conformance can be audited and certified.
One further set of criteria and guidelines for a Privacy Information Management System (PIMS) is specified in ISO/IEC 27701, which is an extension of ISO/IEC 27001 (ISMS).
All businesses of any kind and size may benefit from the standard since it helps them fulfill legal obligations while also managing privacy concerns associated with Personally Identifiable Information (PII).
ISO/IEC 27006
This standard is known as Information technology – Security techniques –Requirements for bodies providing audit and certification of information security management systems (https://www.iso.org/home.html).
This standard lays out the requirements and offers guidance to organizations that do ISMS audits and certifications. Its primary purpose is to facilitate the accreditation of certifying organizations that issue ISMS certifications. Organizations that provide ISO/IEC 27001 audits and ISMS certification should follow this standard’s criteria and recommendations.
ISO/IEC 27006 is a supplement to ISO/IEC 17021 that establishes the accreditation requirements for certification firms for them to provide compliance certifications that meet the ISO/IEC 27001 requirements.
ISO/IEC 27002
This standard is known as Information security, Cybersecurity and Privacy protection – Information security controls (https://www.iso.org/).
This standard establishes guidelines and management techniques for corporate information security. Using the standard’s controls and best practice recommendations, implementers can make well-informed decisions about which controls to use and how to put them in place to fulfill their information security goals.
The ISO/IEC 27002 guideline is a code of practice for information security controls that outlines the procedures for implementing the security controls established in the ISO 27001 standard.
ISO/IEC 27003
This standard is known as Information technology – Security techniques – Information security management systems – Guidance (https://www.iso.org/).
ISO/IEC 27003 is intended to assist organizations in designing and implementing an ISMS. It gives straightforward instructions on how to plan an ISMS project in organizations of all sizes and sectors.
ISO 27001:2013 specifies the what, whereas ISO 27003 specifies the how. It provides direction for the actions required to implement and launch an ISMS.
ISO/IEC 27004
This standard is known as Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation (https://www.iso.org/).
ISO/IEC 27004 specifies methods to evaluate ISO 27001’s performance. The standard is designed to assist companies in assessing the efficacy and efficiency of their ISMS by providing the information essential for managing and improving the framework in a methodical manner.
Additionally, it defines how to develop and implement measurement processes, as well as how to evaluate and report on the results of connected measurement constructs, which enables the effectiveness of an ISMS to be evaluated in accordance with ISO/IEC 27001.
ISO/IEC 27005
This standard is known as Information security, cybersecurity, and privacy protection – Guidance on managing information security risks (https://www.iso.org/).
This standard contains risk management recommendations for information security and is intended to aid in the successful implementation of information security using a risk management strategy. An efficient ISMS must identify organizational needs in relation to information security requirements and follow the guidelines in ISO/IEC 27005, which explains how to carry out a risk assessment in compliance with ISO/IEC 27001 criteria.
For an organization, risk assessments are critical to the ISO/IEC 27001 compliance process.
ISO/IEC 27007
This standard is known as Information security, cybersecurity, and privacy protection – Guidelines for information security management systems auditing (https://www.iso.org/).
This standard gives advice on performing ISMS audits and on the competence of auditors. In order to administer an ISMS audit program in accordance with the requirements defined in ISO/IEC 27001, businesses must follow ISO/IEC 27007.
ISMS audit program management, auditing, and the competency of ISMS auditors are all addressed in these guidelines. They may be used by anybody who needs to understand or perform an ISMS audit, whether it’s internal or external, or who needs to manage an ISMS auditing program.
ISO/IEC TS 27008
This standard is known as Information technology – Security techniques – Guidelines for the assessment of information security controls (https://www.iso.org/).
This standard contains instructions for conducting a review and assessment of information security controls. These controls are evaluated in accordance with an organization’s established ISMS framework. This document offers guidance on how to review and assess how well the controls have been implemented, how they are working, and how well they have been technically evaluated.
Information security assessments and technical compliance checks are relevant to all kinds and sizes of organizations, including public and private businesses, government agencies, and not-for-profit ones.
ISO/IEC 27013
This standard is known as Information security, cybersecurity, and privacy protection – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (https://www.iso.org/).
This standard provides guidance to users on how to establish a dual management system that includes procedures and documentation. This will guide the deployment of ISO/IEC 27001 and ISO/IEC 20000-1 simultaneously or sequentially and match the current ISO/IEC 27001 and ISO/IEC 20000-1 management system specifications.
As a result, businesses are better able to design an integrated management system that complies with both ISO/IEC 27001 and ISO/IEC 20000-1 standards and comprehend the features, similarities, and differences between the two.
ISO/IEC 27014
This standard is known as Information security, cybersecurity, and privacy protection – Governance of information security (https://www.iso.org/).
An organization’s information security actions can be evaluated, directed, monitored, and communicated using ISO/IEC 27014. According to the guidelines laid forth in this standard, information security governance should be based on principles and processes. Information security management may be assessed, directed, and monitored with the use of this. If an organization’s information security measures are breached, it may have a negative effect on the organization’s public image. A requirement of this standard is that an organization’s governing bodies be given oversight of information security to guarantee that its objectives are fulfilled.
ISO/IEC TR 27016
This standard is known as Information technology – Security techniques – Information security management – Organizational economics (https://www.iso.org/).
This standard lays forth the principles by which an organization should make decisions regarding the security of its data by considering the financial impact of such decisions. The technical report equips the organization with the knowledge necessary to more accurately assess the risks associated with its identified information assets, comprehend the value that information security measures add to those assets, and determine the appropriate level of resources to apply to secure those assets.
It outlines how an organization may make information-protection choices and assess the economic implications of such decisions in the setting of conflicting resource demands.
ISO/IEC 27010
This standard is known as Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications (https://www.iso.org/).
This standard establishes guidelines for information security collaboration and coordination between organizations within the same domain, between domains, and with authorities. When it comes to inter-organizational and inter-sector communications, this standard provides guidelines for the implementation of information security management. It also provides controls and guidance related to the inception, implementation, maintenance, and improvement of information security in those communications.
The guidelines apply to all types of sensitive information transmission and sharing (public and private, national and international, within the same sectors or across industry sectors).
ISO/IEC 27011
This standard is known as Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations (https://www.iso.org/).
This standard offers information security management recommendations for telecommunications businesses. The ISO/IEC 27002 rules have been adapted to fit the needs of the industrial sector.
ISO/IEC TR 27015
This standard is known as Information technology – Security techniques – Information security management guidelines for financial services (https://www.iso.org/).
In addition to the recommendations provided in the ISO/IEC 27000 family of standards, ISO/IEC TR 27015 offers guidance for establishing, implementing, maintaining, and enhancing information security in financial services companies.
ISO 27017
This standard is known as Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services (https://www.iso.org/).
ISO 27017 is a collection of principles for securing cloud-based infrastructures and reducing the risk of security incidents. Customers may be confident that a business is committed to providing secure cloud services and that it has procedures in place to deal with any difficulties that may arise as a result of that commitment.
ISO 27018
This standard is known as Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (https://www.iso.org/).
The ISO/IEC 27018 standard is a set of rules or a code of conduct for the selection of PII protection measures as part of the implementation of an ISO/IEC 27001-based cloud computing information security management system.
ISO 27799
This standard is known as Health informatics – Information security management in health using ISO/IEC 27002 (https://www.iso.org/).
This standard includes guidelines for establishing an ISMS to help healthcare organizations in adopting an ISMS that has industry-specific adaptations of ISO/IEC 27002 standards.
Following the ISO 27000 series of standards helps organizations protect their critical and confidential data. In this section, we saw the various standards available in the ISO 27000 family. Although there are numerous standards in the family, only a few are relevant as such from an implementation perspective, which were explained.