CHAPTER 1: THE ISO/IEC 27000 FAMILY OF INFORMATION SECURITY STANDARDS

ISO27001, the international Information Security Management Standard, was published in 2005 and updated in 2013. It is becoming widely known and followed.

It is now part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security.

Developed by a subcommittee of a joint technical committee (ISO/IEC JTC SC27) of the International Standards Organisation (ISO) in Geneva and the International Electrotechnical Commission (IEC), these standards now provide a globally recognised framework for best practice information security management.

The correct designation for most of these standards includes the ISO/IEC prefix, and all of them should carry a suffix giving their date of publication. In practice, however, most of these standards are referred to in shorthand: ISO/IEC 27001:2013, for instance, is often called simply ISO27001.

The first of the ISO27000 series of information security standards has already been published.

ISO/IEC 27001:2013 (ISO27001)

This is the current version of the international standard specification for an Information Security Management System. It is vendor-neutral and technology-independent. It is ‘intended to be applicable to all organisations, regardless of type, size or nature’¹ and in every sector (e.g. commercial enterprises, government agencies, not-for-profit organisations), anywhere in the world. It is a management system, not a technology specification, with the formal title ‘Information technology – Security techniques – Information security management systems – Requirements’.

ISO/IEC 27002:2013 (ISO27002)

This standard is titled ‘Information technology – Security techniques – Code of practice for information security management’. The first edition was published in July 2005, having originally been numbered ISO/IEC 17799. The latest edition was published in October 2013.

ISO/IEC 27003

This standard is titled ‘Information Technology – Security techniques – Information security management system implementation guidance’. It was published in January 2010.

ISO/IEC 27004

ISO/IEC 27004 is titled ‘Information technology – Security techniques – Information security management – Measurement’. This standard is designed to help organisations address more effectively the requirement, contained in Clauses 9.1 to 9.3 of ISO27001, to measure the effectiveness of controls. It was published in December 2009.

ISO/IEC 27005:2011

This standard covers information security risk management (based on and incorporating ISO/IEC 13335 MICTS Part 2). It was first published in June 2008, with a newer edition published in 2011.

ISO/IEC 27006:2011

This standard sets out the requirements for bodies providing audit and certification of information security management systems.

Definitions

The definitions used in all these standards are intended to be consistent with one another and also to be consistent with those used in ISO/IEC Guide 73:2009. ISO/IEC 27000:2012 is also available; it is titled ‘Information technology – Security techniques – Information security management systems – Overview and vocabulary’.

¹ ISO/IEC 27001:2013, Scope 1.
