The ISO/IEC 27000-series is a set of information security standards published jointly by ISO and IEC. It provides recommendations on information security in the context of an Information Security Management System (ISMS).
Standards included in the ISO/IEC 27000-series
As of 2022, there are 63 different standards in the ISO/IEC 27000-series; all of their numbers start with 27. The standards covered in this post are:
- ISO/IEC 27001
- ISO/IEC 27002
- ISO/IEC 27003
- ISO/IEC 27004
- ISO/IEC 27005
- ISO/IEC 27006
- ISO/IEC 27017
- ISO/IEC 27032
- ISO/IEC 27701
ISO/IEC 27001
It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS.
Its Annex A lists the controls that can be implemented, but gives only their names; it contains no details about the controls themselves.
An organization can be certified against ISO/IEC 27001.
ISO/IEC 27002
It details the controls listed in Annex A of ISO/IEC 27001.
Each control has a set of attributes that classify it.
Control attributes:
- Control type: preventive, detective or corrective
- Information Security Type: based on the information security triad (confidentiality, availability, integrity)
- Cybersecurity Concepts: based on the NIST Cybersecurity Framework core functions (Identify, Protect, Detect, Respond and Recover)
- Operative Capacities: one of 15 possible values
- Security Domains: Govern_and_ecosystem, Protection, Defense, Resilience
ISO/IEC 27003
Guidance on ISMS implementation.
ISO/IEC 27004
ISMS monitoring and measurement.
ISO/IEC 27005
Information security (IS) risk management.
ISO/IEC 27006
Requirements for audits.
ISO/IEC 27007 includes guidelines on auditing these requirements.
ISO/IEC 27017
Guidelines on cloud security. It can be seen as an extension of ISO/IEC 27002 with additional controls specific to cloud services.
It is NOT certifiable. If you are looking for a cloud security certification, consider CSA’s STAR or a similar scheme.
ISO/IEC 27032
It is a guideline on cybersecurity.
ISO/IEC 27701
It is a guideline on privacy.
ISO/IEC 27701 is certifiable as an extension of ISO/IEC 27001.
Which ISO 27000-series standards are certifiable?
ISO/IEC 27001 is certifiable.
ISO/IEC 27701 is considered a certifiable extension of ISO/IEC 27001, focused on privacy.