ISO/IEC 27000-series

The ISO/IEC 27000-series is a family of information security standards published jointly by ISO and IEC. It provides requirements and recommendations for information security in the context of an Information Security Management System (ISMS).

Standards included in the ISO/IEC 27000-series

As of 2022, there are 63 different standards belonging to the ISO/IEC 27000-series. All of them are numbered 27xxx. The standards covered in this post are:

  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27003
  • ISO/IEC 27004
  • ISO/IEC 27005
  • ISO/IEC 27006
  • ISO/IEC 27017
  • ISO/IEC 27032
  • ISO/IEC 27701

ISO/IEC 27001

It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Because it is written as requirements ("shall"), it is the standard an organization is audited against.

Its Annex A lists the controls that an organization selects from when treating its risks. Annex A gives only the control title and a one-sentence control statement; the implementation guidance for each control is in ISO/IEC 27002. Controls that are excluded must be justified in the Statement of Applicability.

An organization can be certified against ISO/IEC 27001.

ISO/IEC 27002

It provides the implementation guidance for the controls listed in Annex A of ISO/IEC 27001 (the Annex A list is derived from ISO/IEC 27002, not the other way round). It is a code of practice, not a requirements standard.

Since the 2022 edition, each control carries a set of attributes that classify it, so that controls can be filtered and grouped (for example, to map the control set onto the NIST Cybersecurity Framework).

Control attributes:

  • Control type: when the control acts relative to an incident (Preventive, Detective, Corrective)
  • Information security properties: which part of the CIA triad it protects (Confidentiality, Integrity, Availability)
  • Cybersecurity concepts: aligned with the core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
  • Operational capabilities: the practitioner's view of the control, with 15 possible values (for example Governance, Asset_management, Identity_and_access_management, Threat_and_vulnerability_management)
  • Security domains: Governance_and_Ecosystem, Protection, Defence, Resilience

A single control can carry more than one value for an attribute.

ISO/IEC 27003

Guidance on ISMS implementation.

ISO/IEC 27004

ISMS monitoring and measurement.

ISO/IEC 27005

Information security (IS) risk management.

ISO/IEC 27006

Requirements for the bodies that audit and certify an ISMS. It is aimed at certification bodies, not at the organization being certified.

ISO/IEC 27007 complements it with guidelines for auditing an ISMS.

ISO/IEC 27017

Guidelines on information security controls for cloud services. It can be considered an extension of ISO/IEC 27002: it adds cloud-specific implementation guidance to existing controls plus a few new controls, addressed to both cloud service providers and cloud service customers.

It is a code of practice, so on its own it is NOT certifiable. If you are looking for a cloud security certification, check CSA's STAR or similar.

ISO/IEC 27032

It is a guideline about cybersecurity, focused on the security of activities on the Internet and on cooperation between the parties involved (the 2023 revision is titled "Guidelines for Internet security").

ISO/IEC 27701

It is a guideline about privacy. It extends ISO/IEC 27001 and ISO/IEC 27002 with the requirements and guidance for a Privacy Information Management System (PIMS), covering organizations acting as PII controllers and as PII processors.

ISO/IEC 27701 is certifiable as an extension of an existing ISO/IEC 27001 certification; it cannot be certified on its own.

Which ISO 27000-series standards are certifiable?

ISO/IEC 27001 is certifiable; it is the only requirements standard in the series that an organization's ISMS is certified against.

ISO/IEC 27701 is a certifiable extension of ISO/IEC 27001, focused on privacy, and requires an ISO/IEC 27001 certification as its base.

The remaining standards covered here (27002, 27003, 27004, 27005, 27017, 27032) are guidelines or codes of practice; conformance to them is claimed, not certified.
