ISO/IEC 27000: get to know the family
details the latest developments of the ISO/IEC 27000 group of standards

The family of ISO/IEC 27000 information security management system (ISMS) standards continues to develop and to be successfully adopted by businesses around the world. The flagship of the family is, of course, the requirements standard ISO/IEC 27001, which has been globally successful as a certification standard as well as for contractual and regulatory purposes. Its importance to business was confirmed by the latest ISO survey, which showed that global certification against ISO/IEC 27001 increased by more than 20% in 2008.
Complementing ISO/IEC 27001 are the other members of the ISO/IEC 27000 family, which provide guidance and support for the development, implementation and improvement of information security management systems in compliance with ISO/IEC 27001. The family includes the founding standard ISO/IEC 27002, which was published in 1995. ISO/IEC 27002 is the well-known code of practice for information security management. Both ISO/IEC 27001 and ISO/IEC 27002 are currently undergoing the normal five-year process of revision and continual improvement of management system standards.
Another guidance standard is ISO/IEC 27005, which provides guidance on information security risk management. The information security risk management process is a key component of the ISO/IEC 27001 plan-do-check-act (PDCA) process model.
New guidelines
The most recent additions to the ISO/IEC 27000 family are ISO/IEC 27003 and ISO/IEC 27004. ISO/IEC 27004 addresses the important topic of measuring the effectiveness of an implemented information security management system. This enables management to keep track of the security performance of their ISMS. ISO/IEC 27004 deals with what, when and how measurements should be taken during the ‘check’ phase of the PDCA process model – that is, during the monitoring and review phase of the continual improvement process. ISO/IEC 27003 provides implementation guidance to support ISO/IEC 27001, covering processes such as planning and implementing the ISMS.
Auditing standards
There are also standards for accreditation and auditor guidance related to the auditing of information security management systems. These include the accreditation standard ISO/IEC 27006, which is a version of ISO 17021-1 specific to the ISMS field. ISO/IEC 27006 provides guidance on how certification bodies should interpret ISO 17021-1 when auditing an ISMS for compliance with the requirements of ISO/IEC 27001.
Two auditing guidance standards, ISO/IEC 27007 and ISO/IEC 27008, are also currently being developed. Work on these standards is being carried out in collaboration with those involved in the revision of ISO 19011 and ISO 17021-2. ISO/IEC 27007 specifically addresses the auditing of ISO/IEC 27001, covering topics such as ISMS scope and complexity, risk management, selection of controls and ISMS auditor competence. ISO/IEC 27008, on the other hand, addresses the technical aspects of auditing the security controls defined in Annex A of ISO/IEC 27001. Both standards are expected to be published in 2011.
Sector-specific standards
A new range of standards is being developed that looks at the specific requirements of sectors and applications that are adopting ISO/IEC 27001. These standards, of course, will not replace ISO/IEC 27001, but they define additional sector-specific requirements. The current programme of work includes:
ISO/IEC 27010 – for inter-sector communications
This standard considers various security requirements regarding those sectors and organizations involved in national infrastructure. This includes the security of command and control applications such as supervisory control and data acquisition (SCADA) systems.
ISO/IEC 27011 – for telecommunication organizations
Based on ISO/IEC 27002, this standard was published in 2008 and has been jointly published with the ITU Telecommunication Standardization Sector (ITU-T) as Recommendation X.1051.
ISO/IEC 27013 – integrating ISO/IEC 20000-1 and ISO/IEC 27001
This standard provides guidance to those organizations that wish to integrate their service management and information security management systems to take advantage of the common elements of these two standards. For example, they can combine documentation systems, incident handling systems and secure service delivery, monitoring and review processes.
ISO/IEC 27014 – information security governance framework
This standard supports the information security aspect of a corporate governance framework. ISO/IEC 27001 is an ideal information security framework for this purpose, as it includes the three key elements of governance: risk management, a system of controls and an auditing function.
ISO/IEC 27015 – for the financial and insurance services sector
This standard addresses the specific requirements of those organizations in the financial and insurance sectors that are adopting ISO/IEC 27001.
Figure 1: The current status of the ISO/IEC 27000 family of standards

About the author
Professor Edward Humphreys is convenor of the working group responsible for the development and maintenance of the ISO/IEC 27000 standards.
