Fan of the Addams Family? Allow us to introduce you to the (rather saintly) family of information security standards: the ISO 27000 family. The protagonist is ISO 27001, which has all the general characteristics of a hero, saving your world from information security threats and countering, or altogether averting, cyber attacks. The rest are the henchmen, helping with ISMS implementation, compliance and certification.
The ISO 27000 family of standards has a very broad scope and is therefore applicable to organizations of all sizes in all sectors. As technology evolves, new standards are developed and added to address the changing information security function and its application across industries and environments.
In short, The ISO 27000 series, also known as the ISMS (Information Security Management System) family of standards, provides a framework for managing and protecting information security. These standards help organizations of all sizes and industries manage the security of assets such as financial information, intellectual property, employee details, and third-party information.
As mentioned earlier, the main player of the series is ISO 27001, which defines the specifications for an ISMS (information security management system) setup.
The series is developed and published by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission).
IT security, cybersecurity and privacy protection are crucial for companies and organizations today, and the ISO 27000 family of standards helps them stay secure. ISO 27001 is, to date, the most elaborate and comprehensive standard for information security management systems (ISMS) and their requirements. More than a dozen other standards in the family cover best practices in data protection and cyber defence. Together, they enable organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data and third-party information. This is why organizations around the world rely on the ISO 27000 series for information security management best practices.
The series champions best practice guidelines on the management of information risks through information security controls, within the context of an overall Information security management system (ISMS). This, in many ways, is similar in design to management systems for quality assurance (the ISO 9000 series), environmental protection (the ISO 14000 series) and other management systems.
The ISO 27000 series is quite broad in scope, since it needs to cover more than just privacy, confidentiality and IT cybersecurity issues. Organizations implementing an ISMS are required first to assess their information risks and then to treat them with reference to the information security controls. Finally, because information risk and security are dynamic, the ISMS is continually reviewed and updated so that it responds to changes in threats, vulnerabilities or the impacts of (critical) incidents.
Looking back at the history of the ISO 27000 family, it started out as ISO/IEC 17799:2000, which was primarily a fast-track revision of the then-current British standard BS 7799 Part 1:1999. The initial publication of BS 7799 was partly based on an information security management framework developed by the Royal Dutch/Shell Group.
In 1993, the United Kingdom’s Department of Trade and Industry set up a committee to survey current information technology practices with the intention of creating a standard guide. The BSI Group released the first edition of BS 7799 in 1995.
The initial portion of BS 7799, comprising information technology best practices, was integrated into ISO 17799, resulting in its addition to the ISO 27000 list in 2000.
The second section, titled “Information Security Management Systems – Specification and Guidance for Use,” was turned into ISO 27001, which introduced the information security management system.
So, one may say that just as the ISO 9000 series shows a company is serious about its quality management system, the ISO 27000 series affirms a company’s dedication to its information security management system.
The standards are the outcome of ISO/IEC JTC 1 (Joint Technical Committee 1) SC 27 (Subcommittee 27), an international body that meets twice a year to work on compiling and updating the guidelines and standards.
The standards, in general, provide more detailed guidance on various aspects of information security. Some are technical, some guide governance and organizational risk management, some cater to specific industries, while others are specifically relevant to auditors. Let’s look at what each of these standards covers:
• ISO 27000 — Provides an overview of information security management systems and the terms and definitions used in the ISO 27000 family of standards (Overview and Vocabulary).
• ISO 27001 — The mainstay of the family. Specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. This is the standard against which organizations can be certified.
• ISO 27002 — A code of practice for information security controls. It offers guidelines for organizational information security standards and management practices: essentially a detailed list of information security controls that might be managed through the ISMS.
• ISO 27003 — Offers guidance on the implementation of an ISMS, particularly focusing on the critical aspects to consider during the planning and implementation phases.
• ISO 27004 — Contains guidelines on monitoring, measurement, analysis and evaluation of ISMS performance and the effectiveness of its information security controls.
• ISO 27005 — Focuses on information security risk management, providing guidelines for a systematic approach to managing information security risks.
• ISO 27006 — Specifies requirements for bodies providing audit and certification of an ISMS, ensuring that certification bodies meet the necessary standards to perform their tasks effectively.
• ISO 27007 — Guidelines for information security management system auditing, providing detailed guidance on auditing an ISMS.
• ISO 27008 — Guidelines for auditors on information security controls, offering detailed instructions for evaluating the implementation and effectiveness of controls.
• ISO 27009 — Guidelines for sector-specific application of ISO 27001, offering a framework for adapting the standard to specific industries.
• ISO 27010 — Guidelines for sector-specific information security management, focusing on inter-sector and inter-organizational communications.
• ISO 27011 — Guidelines for information security management in telecommunications organizations, providing specific guidance for the telecom sector.
• ISO 27013 — Information technology – Security techniques – Guideline on the integrated implementation of ISO 27001 and ISO 20000-1.
• ISO 27014 — Guidelines for information security governance, providing a framework for the governance of information security within an organization.
• ISO 27016 — Guidelines for information security economics, helping organizations understand and manage the economic aspects of information security.
• ISO 27017 — Guidelines for information security controls applicable to the provision and use of cloud services (based on ISO 27002), covering both service providers and customers.
• ISO 27018 — Focuses on the protection of personal data in the cloud, providing a code of practice for cloud service providers acting as processors of personally identifiable information (PII).
• ISO 27019 — Information security for process control in the energy industry.
• ISO 27021 — Information technology – Security techniques – Competence requirements for information security management systems professionals.
• ISO 27023 — Guidelines for the transition of an ISMS from ISO 27001:2005 to ISO 27001:2013, ensuring a smooth migration to the updated standard.
• ISO 27028 — Guidelines specifically tailored to the implementation of information security management in the telecommunications sector, based on ISO/IEC 27002.
• ISO 27031 — Guidelines and principles for information and communication technology (ICT) readiness for business continuity.
• ISO 27032 — Guidelines for improving the state of cybersecurity, drawing attention to the interaction between different security domains such as information security, network security, internet security and critical information infrastructure protection (CIIP).
• ISO 27033 — A multi-part series providing guidelines for network security, covering network security architecture, design, implementation and operations.
Part 1 — Network security – Overview and concepts
Part 2 — Network security – Guidelines for the design and implementation of network security
Part 3 — Network security – Reference networking scenarios – Threats, design techniques and control issues, guidelines for managing network security
Part 4 — Network security – Securing communications between networks using security gateways
Part 5 — Network security – Securing communications across networks using Virtual Private Networks (VPNs)
Part 6 — Network security – Securing wireless IP network access
Part 7 — Network security – Network security for industrial automation and control systems (IACS)
• ISO 27034 — A series providing guidelines for application security, ensuring that applications are developed and maintained securely.
Part 1 — Application security – Guidelines for application security
Part 2 — Application security – Organization normative framework
Part 3 — Application security – Application security management process
Part 4 — Application security – Validation and verification (under development)
Part 5 — Application security – Protocols and application security controls data structure, XML schemas
Part 6 — Application security – Case studies
Part 7 — Application security – Assurance prediction framework
• ISO 27035 — Guidelines for incident management, helping organizations prepare for, detect and respond to information security incidents.
Part 1 — Information security incident management – Principles of incident management
Part 2 — Information security incident management – Guidelines to plan and prepare for incident response
Part 3 — Information security incident management – Guidelines for ICT incident response operations
Part 4 — Information security incident management – Coordination (under development)
• ISO 27036 — Guidelines for supplier relationships, addressing security in the supply chain.
Part 1 — Information security for supplier relationships – Overview and concepts
Part 2 — Information security for supplier relationships – Requirements
Part 3 — Information security for supplier relationships – Guidelines for information and communication technology supply chain security
Part 4 — Information security for supplier relationships – Guidelines for security of cloud services
• ISO 27037 — Guidelines on how to identify, collect, acquire and preserve digital evidence.
• ISO 27038 — Guidelines for digital redaction, i.e. removing sensitive information from documents and data.
• ISO 27039 — Guidelines for intrusion detection and prevention systems (IDPS).
• ISO 27040 — Guidelines for storage security, addressing the protection of data at rest.
• ISO 27041 — Guidelines for assurance in digital forensics, providing a framework for the consistent, reliable handling of digital evidence.
• ISO 27042 — Guidelines for digital evidence analysis, detailing methods and best practices for examining digital evidence.
• ISO 27043 — Guidelines for incident investigation, focusing on the processes and principles for investigating information security incidents.
• ISO 27050 — A series addressing electronic discovery, providing guidelines for the identification, preservation, collection, processing, review and production of electronically stored information (ESI).
Part 1 — Electronic discovery – Overview and concepts
Part 2 — Electronic discovery – Guidance for governance and management of electronic discovery
Part 3 — Electronic discovery – Code of practice for electronic discovery
Part 4 — Electronic discovery – Technical readiness
• ISO 27103 — Guidance on implementing cybersecurity frameworks, helping organizations enhance their cybersecurity posture by aligning with existing frameworks and standards.
• ISO 27110 — Guidelines for the development of a cybersecurity framework, tailored to help organizations design, implement, maintain and improve their cybersecurity practices.
• ISO 27550 — Focuses on privacy engineering, providing guidelines for engineering principles and processes to support privacy by design.
• ISO 27701 — An extension to ISO 27001 and ISO 27002 for privacy information management, specifying requirements and providing guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
• ISO 27799 — Information security management in health using ISO 27002; guides health organizations on how to protect personal health information using ISO 27002.
Further, many ISO 27000 standards are in preparation, covering aspects such as digital forensics, AI/ML security and IoT security, privacy guidelines for smart cities, security requirements for virtualized roots of trust, and requirements for attribute-based unlinkable entity authentication, among others. The released ISO 27000 standards are routinely reviewed and, if required, updated every five years or so.
ISO 27001 is the core standard in the ISO 27000 series, setting out the requirements for an ISMS implementation. It is, in fact, the only standard in the series that organisations can be audited and certified against, because it contains an overview of everything that needs to be done to achieve compliance.
ISO 27002 is a supplementary standard that provides a detailed overview of the information security controls that organisations may choose to implement, i.e. only those controls they consider relevant, as judged on the basis of the risk assessment report.
The controls are outlined in Annex A of ISO 27001, but while that is essentially a quick rundown, ISO 27002 contains a more detailed overview, explaining how each control works, what its objective is and how it should be implemented.
ISO 27017 and ISO 27018 are supplementary standards, introduced in 2015, that explain how organisations should protect sensitive information in the cloud.
This has become especially important today, as organisations are migrating their sensitive information to online servers at an unprecedented rate.
ISO 27017 offers guidelines for information security practices, specifically focusing on applying the Annex A controls to data stored in the cloud. Under ISO 27001, organizations can opt to treat these controls separately: they can select one set of controls from Annex A for traditional data and another set from ISO 27017 for cloud data. ISO 27018 works in the same way, with additional emphasis on protecting personal data.
ISO 27701 is the latest addition to the ISO 27000 series, focusing on requirements for implementing a Privacy Information Management System (PIMS). It was developed in response to the GDPR (General Data Protection Regulation), which mandates that organizations adopt “appropriate technical and organizational measures” to safeguard personal data without specifying what those measures are.
ISO 27701 addresses this by integrating privacy processing controls into ISO 27001. An Information Security Management System (ISMS) is a structured approach to managing risks, encompassing measures that cover the three pillars of information security: people, processes, and technology.
The series comprises 46 individual standards, including ISO 27000, which introduces the family and clarifies essential terms and definitions. While not every standard is pertinent to every organization, understanding the key standards is crucial to grasping how the framework is applied.
• Understand the ISO 27000 standards: Begin the ISO 27001 certification process by thoroughly familiarizing yourself with the ISO 27000 standards, not just ISO 27001. Each standard serves a purpose, whether it is to provide guidance, enhance your understanding from an auditor’s viewpoint, or suggest controls tailored to your organization’s specific needs.
For instance, if your infrastructure includes cloud storage, you will need a working knowledge of ISO 27017 and ISO 27018; if your customer base resides in the EU, consider studying ISO 27701; and so on.
• Work on your ISO compliance: Next, establish ISO 27001 compliance within the organization; ISO 27003 provides implementation guidance to aid you here.
• Perform a gap analysis: A risk assessment is done next to analyse the areas in which your ISMS falls short of compliance and to identify which unmitigated risks carry the greatest consequences. The ISO 27005 guidelines can be of great help at this step.
• Planning and implementation: Develop a comprehensive plan to address the identified gaps and implement the necessary controls. A lot of documentation is produced at this stage, primarily for the risk management process and the decision regarding each identified risk: whether to avoid, mitigate, absorb or transfer it.
The information security controls and measures are then deployed according to the plan.
• Employee Training: Train employees on the importance of information security and their roles in maintaining it.
• Internal Audit: Conduct internal audits to ensure thorough compliance with the ISO standards.
• Complete the Stage 1 and Stage 2 certification audits: Once you have gathered all the necessary documents and digital proof, you are ready for a Stage 1 audit. Selecting an auditor is crucial but often overlooked; choose one based on their experience with companies similar to yours, the support they offer for ongoing audits, and their pricing.
During the Stage 1 audit, the auditor will review your documentation and ISMS to identify any gaps you might have missed. You’ll receive a preliminary report to correct any errors before the final certification audit.
Next, the Stage 2 audit involves an onsite assessment of your ISMS. The auditor ensures your company adheres to the policies and procedures reviewed in Stage 1.
If your organization complies with the relevant ISO 27000 standards, the auditor will issue an ISO 27001 certificate.
• Continuous improvement: Maintain and continually improve the ISMS to retain certification and enhance security. ISO 27004 is your best guide for adapting the ISMS to constantly evolving data security threats.
To sum it up, the ISO 27000 series covers a broad range of standards to help organizations manage their information security risks thoroughly. Each standard addresses specific aspects of information security, from governance and risk management to technical controls and incident response. Implementing these standards helps organizations enhance their security posture, comply with regulations, build customer trust, and achieve continuous improvement in their information security management practices.
Intrigued? Need more information? Or want to know anything we might not have covered in this article? Contact us and let our experts get in touch with you about your ISO-related queries.