In our increasingly connected, always-online world, data breaches and cyberattacks have never been more common. Managing information security (IS) risk is vital for protecting commercially sensitive data (not to mention the personal details of your clients), and is essential for guarding against reputational harm and meeting legal requirements.
With this in mind, the ISO/IEC 27000 family provides a broad range of standards and best practice recommendations on information security management, within the overall context of an information security management system (ISMS).
The family has its origins in standards developed in the UK in the early 1990s; it went on to become a BS in 1998, and was then adapted by ISO in 2000.
Here, we examine what ISO/IEC 27001, the mainstay of the series, actually does, how organisations can meet the requirements set out in the standard, and explore some of the other most commonly used standards in the ISO/IEC 27000 family.
What does ISO/IEC 27001 do?
ISO/IEC 27001 sets out the requirements for an information security management system (ISMS). An ISMS helps an organization to preserve the confidentiality, integrity and availability of information in the face of an ever-changing threat landscape, whatever the source of risk. Thus, it deals with threats that can be technological, human, physical and environmental in nature.
The framework of an ISMS covers planning, operations, evaluation, and improvement, and uses the same Harmonized Structure as other ISO management system standards. This makes it easier for organizations to establish a single management system that conforms to several standards, for example those for information security, quality, and business continuity. Organizations are required to adopt a risk management framework to determine which security controls are right for them – every organisation will be different.
How can organizations meet the requirements of ISO/IEC 27001?
ISO/IEC 27001 sets out requirements, ISO/IEC 27002 describes the risk framework, and ISO/IEC 27005 gives guidance on how to implement controls. ISO/IEC 27001 can be thought of as the WHAT and other standards in the 27000 series help with the HOW. Guidance is particularly useful for smaller organizations with less experience, since misunderstanding can lead to adoption of excessive or onerous IS practices.
What about assessment?
Management system standards do not specify a particular type of conformity assessment. Options include self-assessment or third-party assessment, for example, assessment by an accredited certification body. ISO/IEC 27006 sets out requirements for accreditation bodies to ensure that any third-party assessing conformity with the standard does so correctly.
What is the importance of ISO/IEC 27002 and ISO/IEC 27001?
ISO/IEC 27002
ISO/IEC 27002 can be thought of as the second most important standard in the portfolio. ISO/IEC 27001 allows organizations to determine the necessary security controls best suited to their needs and risk appetites.
However, to help organizations ensure that they have not inadvertently omitted any necessary control, they must compare their chosen controls with the reference set in ISO/IEC 27001, Annex A, which also allows reliable comparisons to be drawn between organizations. These controls are derived from, and aligned with, those in ISO/IEC 27002.
ISO/IEC 27002 also gives guidance on how the various technological, people, physical and organizational controls can be implemented, and other useful information. Thus, ISO/IEC 27001 and ISO/IEC 27002 are inextricably linked through ISO/IEC 27001, Annex A.
ISO/IEC 27005
ISO/IEC 27005 can best be thought of as a detailed reference manual for organizations looking to implement the key standard in the family. As we mentioned, ISO/IEC 27001 is a management system standard that only specifies WHAT an organization must do. It is devoid of HOW-TO information. By contrast, ISO/IEC 27005 is a HOW standard and gives advice on how organizations can perform the risk assessment and risk treatment processes.
The standard provides guidance on organizational information security standards and best practices for information security risk management. It takes into account an organization's unique risk profile by focusing on the selection, implementation, and management of controls.
What are the other standards in the ISO 27000 family?
- BS ISO/IEC 27003:2017 gives general advice covering all ISO/IEC 27001 requirements
- BS ISO/IEC 27004:2016 gives detailed advice relating to ISO/IEC 27001, Clause 9.1 (Measurement, monitoring, analysis and evaluation)
- BS EN ISO/IEC 27006:2020 defines requirements for audit bodies that want to achieve accreditation for their ISMS certification scheme
- BS EN ISO/IEC 27007:2022 relates to ISO/IEC 27001, Clause 9.2 (Internal ISMS auditing) but, in doing so, provides guidance on auditing every ISO/IEC 27001 requirement
If you have any questions about the role of the ISO 27000 family and its constituent parts, and how they can support your organisation in developing information security management best practice, BSI members can get in touch with the Knowledge Centre's information experts.