The ISO/IEC 27000-series is a set of standards related to information security, published jointly by ISO and IEC. It provides recommendations on information security in the context of an Information Security Management System (ISMS).
Standards included on ISO/IEC 27000-series
As of 2022, there are 63 different standards belonging to the ISO/IEC 27000-series. All of their numbers start with 27. The standards covered in this post are:
- ISO/IEC 27001
- ISO/IEC 27002
- ISO/IEC 27003
- ISO/IEC 27004
- ISO/IEC 27005
- ISO/IEC 27006
- ISO/IEC 27017
- ISO/IEC 27701
ISO/IEC 27001
It details the requirements for establishing, implementing, maintaining and continually improving an ISMS.
Its Annex A includes a list of controls that can be implemented. The annex gives no details about these controls, only their names.
An organization can be certified against ISO/IEC 27001.
ISO/IEC 27002
It details the controls listed in Annex A of ISO/IEC 27001.
Each control has a series of attributes that classify it:
- Control type: possible values based on control types (preventive, detective, corrective)
- Information Security Type: values based on the information security triad (confidentiality, integrity, availability)
- Cybersecurity Concepts: values based on the NIST Security Framework core functions (Identify, Protect, Detect, Respond and Recover)
- Operative Capacities: 15 possible values
- Security Domains: possible values Governance_and_Ecosystem, Protection, Defense and Resilience
ISO/IEC 27003
Guidance on ISMS implementation.
ISO/IEC 27004
ISMS monitoring and measurement.
ISO/IEC 27005
Information security (IS) risk management.
ISO/IEC 27006
Requirements for audits.
ISO/IEC 27007 includes guidelines on auditing against these requirements.
ISO/IEC 27017
Guidelines on cloud security. It can be considered an extension of ISO/IEC 27002, adding controls specific to cloud security.
It is NOT certifiable. If you are looking for a cloud security certification, look at CSA STAR or similar schemes.
ISO/IEC 27701
It is a guideline about privacy.
ISO/IEC 27701 is certifiable as an extension of ISO/IEC 27001.
Which ISO 27000-series standards are certifiable?
ISO/IEC 27001 is certifiable.
ISO/IEC 27701 is considered a certifiable extension of ISO/IEC 27001, focused on privacy. The remaining standards covered here (27002 to 27006 and 27017) are guidance or audit requirements and are not certifiable on their own.
You might also be interested in…
- Wikipedia; "ISO/IEC 27000-series"; Wikipedia
- Javier Roberto Amaya Madrid; "Novedades en la actualización del Estándar ISO/IEC 27002:2022"; ISecAuditors