ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security
Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is
a new international standard entitled: "Information technology - Security techniques
- Information security management systems - Overview and vocabulary". The standard
is known informally, if incorrectly, as "ISO 27000".
The standard was developed by Sub-Committee 27 (SC27) of Joint Technical Committee 1 (JTC1),
the joint technical committee of the International Organization for Standardization and the
International Electrotechnical Commission.
ISO/IEC 27000 provides:
- An overview of and introduction to the entire ISO/IEC 27000 family of Information
Security Management Systems (ISMS) standards; and
- A glossary or vocabulary of fundamental terms and definitions used throughout the
ISO/IEC 27000 family. Information security, like many technical subjects, has evolved
a complex web of terminology. Relatively few authors take the trouble to define
precisely what they mean, an approach which is unacceptable in the standards arena
because it leads to confusion and devalues formal assessment and certification.
As with ISO 9000 and ISO 14000, the base '000' standard is intended to address this.
Status
Current version: ISO/IEC 27000:2009, published in May 2009 and available from ISO/ITTF
Target audience: users of the remaining ISO/IEC 27000-series information security
management standards
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k'
for short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC).
The series provides best practice recommendations on information security management,
risks and controls within the context of an overall Information Security Management
System (ISMS), similar in design to management systems for quality assurance (the
ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality
and IT or technical security issues. It is applicable to organizations of all shapes
and sizes. All organizations are encouraged to assess their information security
risks, then implement appropriate information security controls according to their
needs, using the guidance and suggestions where relevant. Given the dynamic nature
of information security, the ISMS concept incorporates continuous feedback and improvement
activities, summarized by Deming's "plan-do-check-act" approach, that seek to address
changes in the threats, vulnerabilities or impacts of information security incidents.
The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27
(Sub Committee 27), an international body that meets in person twice a year.
At present, seven of the standards in the series have been published (listed below), while
several more are under development.
Published standards
- ISO/IEC 27000 - introduction to the family of standards plus a glossary of common
terms (published in 2009)
- ISO/IEC 27001 - standard specifying requirements for the establishment, implementation,
monitoring and improvement of an Information Security Management System; it is the only
standard in the series against which an organization's ISMS can be certified (based on
British Standard BS 7799 Part 2, first published by ISO/IEC in 2005)
- ISO/IEC 27002 - code of practice providing good practice advice on the information
security controls an ISMS may draw on (previously known as ISO/IEC 17799, itself based on
British Standard BS 7799 Part 1, last revised in 2005 and renumbered ISO/IEC 27002:2005
in July 2007).
- ISO/IEC 27004 - standard on information security management measurements (security
metrics) (published at the end of 2009)
- ISO/IEC 27005 - designed to assist the satisfactory implementation of information
security based on a risk management approach (published in 2008).
- ISO/IEC 27006 - requirements for the bodies that audit and certify an ISMS, in effect a
guide to the certification/registration process (published in 2007).
- ISO/IEC 27011 - information security management guidelines for the telecommunications
industry (published by ISO/IEC in 2008 and also published by the ITU as X.1051).
In preparation
- ISO/IEC 27003 - an ISMS implementation guide - publication expected in 2010
- ISO/IEC 27007 - a guideline for ISMS auditing (focusing on the management system)
- ISO/IEC 27008 - a guideline for Information Security Management auditing (focusing
on the security controls)
- ISO/IEC 27013 - a guideline on the integrated implementation of ISO/IEC 20000-1
and ISO/IEC 27001
- ISO/IEC 27014 - an information security governance framework
- ISO/IEC 27015 - information security management guidelines for the finance and insurance
sectors
- ISO/IEC 27031 - a specification for ICT readiness for business continuity
- ISO/IEC 27032 - a guideline for cybersecurity (essentially, 'being a good neighbor'
on the Internet)
- ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006
- ISO/IEC 27034 - a guideline for application security