ISO/IEC 27000 series: Information technology – Security techniques. The ISO/IEC 27000 series is a family of information security standards developed and published jointly by ISO and IEC. These standards provide a globally recognized framework of best practice for information security management. The series is owned by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 is the specification: it sets out mandatory requirements, all of which must be met, and it is the standard against which an organization's Information Security Management System (ISMS) can be audited and certified. Most of the other standards in the family are codes of practice or guidelines; they provide non-mandatory best-practice guidance that organizations may adopt, in whole or in part, at their own discretion. The exception is ISO/IEC 27006, which sets requirements for the bodies that audit and certify an ISMS rather than for the organization being certified.
Key concepts that govern the standards are:
- Organizations are encouraged to assess their own information security risks
- Organizations should implement appropriate information security controls according to their needs
- Guidance should be taken from the relevant standards in the series.
- Implement continuous feedback, using the Plan-Do-Check-Act (PDCA) model.
- Continually reassess changes in the threats and risks to information security.
The 27000 standards family (Information technology – Security techniques – Information security management systems), as published at the time of writing:
- ISO/IEC 27000:2009 – Overview and vocabulary
- ISO/IEC 27001:2005 – Requirements
- ISO/IEC 27002:2005 – Code of practice for information security management
- ISO/IEC 27003:2010 – Information security management system implementation guidance
- ISO/IEC 27004:2009 – Measurement
- ISO/IEC 27005:2011 – Information security risk management
- ISO/IEC 27006:2011 – Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007:2011 – Guidelines for information security management systems auditing
- ISO/IEC TR 27008:2011 – Guidelines for auditors on information security controls
- ISO/IEC 27010:2012 – Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011:2008 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002