Title/definition ISO/IEC 27000: Information security
ISO / IEC 27000 is a series of information security standards developed and published by ISO and IEC; these standards provide a globally recognized framework for best practice in information security management.
Summary: ISO/IEC 27000 is owned by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 is a specification that sets out specific requirements, all of which must be followed, and against which an organization's Information Security Management System (ISMS) can be audited and certified. All the other Standards in the ISO27000 family are Codes of Practice; these provide non-mandatory best practice guidelines which organisations may follow, in whole or in part, at their own discretion.
Key concepts that govern the standards are:
- Organisations are encouraged to assess their own information security risks
- Organisations should implement appropriate information security controls according to their needs
- Guidance should be taken from the relevant standards
- Implement continuous feedback and use of the Plan, Do, Check, Act model
- Continually assess changes in threats and risks to information security.
The standards family
- ISO/IEC 27000:2009 provides an overview of information security management systems, which form the subject of the information security management system (ISMS) family of standards, and defines related terms.
- ISO 27001 is the specification for an Information Security Management System (ISMS).
- ISO 27002 is a code of practice for information security.
- ISO 27003 is a proposed development to provide help and guidance in implementing an
- ISO 27004 provides guidance on the development and use of measures and measurement for the assessment of the effectiveness of an implemented information security management system and controls, as specified in ISO 27001.
- ISO 27005 covers information security risk management.
- ISO 27006 offers guidelines for the accreditation of organizations which offer certification and registration for an ISMS.
Target group(s): All roles responsible for IT security management in an organization; IT security management professionals; auditors
Scope: The family of ISO/IEC 27000 standards is broad in scope: they are applicable to any organization, in any sector, of any size.
Relevant links: Official ISO website: www.iso.org/iso/specific-applications_it-security