
ISO 27000 Overview, Origin, Components

The ISO 27000 family evolved from British Standard 7799. BS 7799 defined an information security management system (ISMS), with a particular focus on guidance for its use. In 2005 this standard was adopted internationally and became the ISO 27000 family.

Note: Testing and certification is carried out according to ISO/IEC 27001.

The standard is divided into the following three main individual standards:

  • ISO/IEC 27000 – Information Security Management Systems – Overview and vocabulary
  • ISO/IEC 27001 – Information Security Management System – Requirements
  • ISO/IEC 27002 – Guidance for information security management

The standards listed are only a partial selection, as the complete list would go beyond the scope of this document.

ISO 27001 is structured as follows:

  • Chap. 0 – Introduction
  • Chap. 1 – Scope of application
  • Chap. 2 – Normative references
  • Chap. 3 – Terms and definitions
  • Chap. 4 – Context of the organisation
  • Chap. 5 – Guidance
  • Chap. 6 – Planning
  • Chap. 7 – Support
  • Chap. 8 – Operation
  • Chap. 9 – Evaluation of performance
  • Chap. 10 – Improvement

ISO 27001 consists of a main part (Chapters 0 to 10) and Annex A. Beginning with Chapter 4, it sets out the requirements for information security management; these are general in nature, i.e. they describe what an ISMS must provide rather than how. The typical tasks include the following:

  • Defining the scope of application (scope)
  • Maintaining an asset inventory (the organisation's assets)
  • Creating policies to achieve the set objectives
  • Introducing the procedures or methods the organisation needs to achieve those objectives
  • Analysing and evaluating risk, and treating risk in relation to those objectives
  • Implementing processes, procedures and measures that promote information security
  • Determining responsibilities and assigning roles to achieve the defined objectives
  • Formulating security objectives
  • Running a continuous improvement process

Note: If a standardized management system such as ISO 9001 already exists, its existing structure can be reused to make the implementation of ISO 27001 easier.

In addition to the most relevant standards mentioned above, the ISO/IEC 27000 family includes further standards, namely:

  • ISO/IEC 27003 – Information Security Management System – Implementation Guide
  • ISO/IEC 27004 – Information security management measures
  • ISO/IEC 27005 – Information security risk management
  • ISO/IEC 27007 – Guidelines for the audit of information security management systems
  • ISO/IEC 27008 – Guidelines for auditors on information security controls
  • ISO/IEC 27013 – Guidance for the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Other standards in the ISO 27000 series are sector-specific, namely:

  • ISO/IEC 27010 – Information exchange in critical infrastructures
  • ISO/IEC 27011 – Information security for telecommunications providers
  • ISO/IEC 27015 – Information security in the financial sector
  • ISO/IEC 27799 – Information security in the health sector