This section of the ISO27k FAQ addresses the following general/basic questions relating to the ISO/IEC standards:
FAQ: “The titles of the ISO27k standards mention ‘Information Technology -- Security Techniques’. Does this mean they are IT-specific?”
A: No, certainly not! The formal titles simply reflect the name of the joint ISO + IEC committee that oversees their production, namely SC 27 “Information Technology -- Security Techniques”, itself a subcommittee of JTC1 “Information Technology”.
The scope of the ISO27k standards naturally includes many aspects of IT but does not stop there. The introduction to ISO/IEC 27002 states explicitly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”
Generally speaking, an organization’s most valuable information assets belong to business units other than the IT Department. IT typically owns, manages and is accountable for protecting the shared IT infrastructure (i.e. the main corporate IT systems and networks providing shared IT services to the business), which is a substantial information asset in its own right. However, in information security terms IT typically acts as a custodian (but not owner) for most business data on the systems and networks, including content belonging to other business units and departments plus customers and business partners.
This distinction has important implications. Information asset owners are accountable for ensuring that their information assets are adequately protected, just like other corporate assets. While information asset owners generally delegate key responsibilities for information security to Information Security and/or IT, they remain accountable and must ensure that information security is adequately funded, directed and supported to achieve the necessary level of protection. Likewise, Information Security and IT generally act as advisors and custodians with a duty to protect the information/data placed in their care, but they are not ultimately accountable for most information security incidents, breaches and impacts that occur as a result of unwise risk management decisions (such as under-funding security or accepting risks) made by the actual information asset owners.
Implementation tip: When assessing and treating information security risks, focus primarily on critical business processes and valuable business information rather than the supporting IT systems and data. The modern approach to corporate governance means that naive or duplicitous business managers can no longer blame and cower behind IT if they make inappropriate decisions or fail to act in order to identify and protect vital information assets. However, they often need help to appreciate and fulfil their security obligations.
FAQ: “Where can I obtain [insert name of ISO27k standard here]?”
A: ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27006 and other published standards may be purchased directly from ISO or from the various national standards bodies and commercial organizations. Shop around for the best deals, for example using this Google search, much as you might search the market for the best web hosting providers.
If money is tight, it is worth checking the prices for localized/national versions of the standards. ISO sells the standards directly, e.g. ISO/IEC 27002 costs ~200 Swiss francs as a PDF or hardcopy. Several national standards bodies release translated versions of the standards in their local languages, but all of them go to great lengths to ensure that the translations remain true to the original.
By the way, it is normally worth searching on the full formal names of the standards including the “/IEC” bit, but perhaps not the date since country-specific translations of the standards are often issued later than the original versions (avoid superseded versions though!).
Most if not all of the issued ISO27k standards can be purchased in electronic softcopy and printed hardcopy formats. Hardcopies are easier to read on the train or discuss in meetings. Softcopies are ideal for online searching for specific controls and for cutting and pasting into your own policy documents etc. (subject to the copyright restrictions). In addition to the usual PDF downloads, standards bodies may license online (intranet) access to the standards, limited by the number of concurrent users - this may be suitable for organizations that implement the standards and want to give their employees instant access to the standards for reference.
Implementation tip: ANSI sells downloadable single-user PDFs of ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27006 for just US$30 each (bargain!).
FAQ: “I want to become an ISO27k consultant. I’m looking for books or courses that teach ISO27k. Is there an exam? ... ”
A: The best books on the ISO27k standards are the standards themselves - in other words, you should buy and read the standards (see above). Being standards, they are quite formal in style but readable and useful. If you are going to implement them, write policies based upon them, consult around them etc. you will inevitably have to become very familiar with them so buy your copies and start reading!
The following ISO27k standards are well worth studying:
ISO/IEC 27000 introduces and gives an overview of the whole set of ISO27k standards, and provides a glossary defining various information security terms specifically as they are used in the context of the standards.
ISO/IEC 27001 formally specifies the system for managing information security. Along with ISO/IEC 27006, it is essential if you intend to become an ISMS certification auditor by taking an “ISO/IEC 27001 Lead Auditor” training course offered by various training, consultancy and certification companies, and completing the requisite number of compliance audits under the wing of a fully-qualified ISMS certification auditor. If you are looking to implement rather than certify compliance with the standard, you should also study ISO/IEC 27002 (see below) and perhaps ISO/IEC 27003.
ISO/IEC 27002 is the ‘Code of Practice’, a practical standard offering oodles of advice for those choosing/designing and implementing information security controls. The best way to learn ISO/IEC 27002 inside-out is to use it for real, which means going all the way through one or more ISMS implementations from planning to operations, auditing and maintenance. If you have no prior experience in information security, you should try to find an experienced mentor or guide, or take an “ISO/IEC 27001 Lead Implementer” course. Professional organizations such as ISSA can help, along with the ISO27k Forum.
ISO/IEC 27005 concerns the analysis and treatment of information security risks and as such underpins all the ISO27k standards.
You should also be aware of the remaining ISO27k standards and have some familiarity with other similar/related standards, methods, laws etc. (such as PCI DSS, COBIT and various privacy laws).
As to becoming a consultant, you are well advised to start by building a solid technical understanding of IT, risk and control concepts, and establishing your own expertise, experience, competence and hence credibility. Advice for those who want to become IT auditors in the IT Audit FAQ is also relevant to becoming an information security management specialist since the two fields are very closely related. Another highly recommended resource is www.CCcure.org, especially if you are considering becoming CISSP, SSCP or CISM qualified in information security management.
Implementation tip: further resources are outlined on the books and links pages, and don’t forget to join the ISO27k Forum. If you are struggling with particular ISMS-related issues, the archive of Forum messages is well worth browsing or searching (it’s a Google group so the search function works well), and members can always seek fresh answers to current issues.
FAQ: “Are there any qualifications for ISO27k professionals?”
A: Kind of. Other than the ISO and national standards bodies’ processes for checking and accrediting organizations who wish to offer ‘official’ compliance certification services, there is currently no equivalent of, say, ISACA or (ISC)2 overseeing the ISO27k courses and qualifications in order to set and maintain professional standards, insist on continuous professional development and so forth. At present there is nothing to stop anyone offering “ISO27k Lead Implementer”-type training courses and issuing certificates like confetti. This unfortunate situation casts doubt on the validity of Lead Implementer certificates in particular, and potentially discredits both the organizations currently offering them and the candidates who obtain them, even though they may be truly excellent. It’s a question of assurance not quality.
There are a number of ISMS-related training courses that hand out certificates of completion but I would not necessarily call them ‘qualifications’ on that basis alone. ‘Designations’ may be a better term. This is still a relatively new field so it will inevitably take time for the training and qualification practices to settle down and for the most worthwhile and meaningful certification schemes to become universally accepted. Meanwhile, read on.
The two most common types of ISMS-related designations are as follows.
ISO/IEC 27001 Lead Auditor (LA)
The term “Lead Auditor” was coined by training schemes that were initially designed and run internally by accredited ISO/IEC 27001 certification bodies in order to train up their own staff to perform certification audits. Subsequently, various public/commercial LA training courses have emerged. There are at least four possible routes to someone calling themselves an ISO/IEC 27001 LA:
The highway: spend 5 straight days on a suitable officially-recognised training course run by an officially-recognised training body, pass the end of course exam, then undertake a further 35 days of third party certification audits under the guidance of a registered ISO/IEC 27001 LA. This route is preferred by the International Register of Certification Auditors and, in Japan, JRCA. The highway naturally suits students who are employed by the accredited certification bodies, since they can get both the classroom training and on-site experience from their employers.
The country route: complete some other form of ISMS/audit related training (for example modular courses comprising a day or two’s training on ISMS plus 3 days on auditing), then undertake further ISMS assignments such as internal ISMS audits, ISMS-related consultancy gigs or third party certification audits, and finally pass some form of “on-site skills examination”. The country route may be the best option for students not working for accredited certification bodies, but may not deliver as much assurance.
The cross-country 4x4 route: become a qualified and experienced information security professional and a qualified and experienced IT audit professional and gain lots of real-world experience of designing, building, implementing, managing, maintaining and advising on ISO27k ISMSs. Most professionals with more than, say, a decade or two’s work experience crossing these three areas have amassed valuable expertise, knowledge and battle scars, having faced many situations in the field. Some of them go on to take the highway or the country route, while others are too busy working for their clients or sharing their expertise with their employers to worry about certificates per se.
The back alleys: a few students and consultants evidently don’t bother with the hardship of actual training, exams and/or on-the-job experience, simply adding “ISO/IEC 27001 LA” (or similar) to their CVs and email signatures and carrying on regardless ...
ISO/IEC 27001 or ISO/IEC 27002 Lead Implementer (LI)
In response to market demand for help with implementing the ISO27k standards rather than just auditing ISMSs against ’27001, a number of IT training companies are now offering commercial ISO27k LI courses. These aim to give students some familiarity with the ISO27k standards, and then presumably provide pragmatic guidance on how to apply them to the design and implementation of an ISMS.
As with ISO27k LAs, do not rely on a candidate’s claimed ISO27k LI qualification alone if information security is important to you - and why else would you be employing them? Skills (both technical and social), expertise, competencies and experience all vary from person to person, as does trustworthiness.
Caveat emptor! If you are employing information security professionals on the basis of their competence and integrity, it pays to check carefully into their backgrounds. Verify their claims. See ISO/IEC 27002 section 8.1.2 for sage advice on this very point.
Implementation tip: In our considered opinion, demonstrable hands-on ISO27k ISMS implementation and audit experience, ideally with more than one organization, is by far the best “qualification” in the field today. Next best would be demonstrable consultancy experience, helping a number of clients design, install and run their ISMSs, preferably again with a considerable amount of hands-on work and not merely advising at a distance. The LA and particularly the LI certifications vary in credibility but nevertheless the courses are a valuable introduction for beginners, although students who already have a reasonable understanding of information security management concepts are more likely to benefit from ISO27k-specific training, general information security and IT audit qualifications such as CISSP, CISM and CISA, and general business management qualifications such as MBAs.
Advice for people who want to become IT auditors in our IT audit FAQ is useful for those planning to become LAs or LIs and is also pretty relevant to becoming an information security management specialist since the two fields are very closely related. Another excellent resource is www.cccure.org, especially if you are considering becoming CISSP, SSCP or CISM qualified in information security management - these are not specific to ISO27k but give you a sound basis for ISO27k work, particularly the management and implementation of appropriate/good practice information security controls.
FAQ: “Where else can I find answers on ISO27k and information security?”
A: Besides this FAQ and the ISO27k standards themselves, there are several professional/special interest groups and forums (fora?) worth considering, most of which are free or cheap to join:
ACM SIGSAC (Association for Computing Machinery - Special Interest Group - Security, Audit and Control). Mission: “to develop the information security profession by sponsoring high-quality research conferences and workshops. SIGSAC conferences address all aspects of information and system security, encompassing security technologies, secure systems, security applications, and security policies. Security technologies include access control, assurance, authentication, cryptography, intrusion detection, penetration techniques, risk analysis, and secure protocols. Security systems include security in operating systems, database systems, networks and distributed systems, and middleware. Representative security applications areas are information systems, workflow systems, electronic commerce, electronic cash, copyright and intellectual property protection, telecommunications systems, and healthcare. Security policies encompass confidentiality, integrity, availability, privacy, and survivability policies, including tradeoff and conflicts amongst these.”
InfraGard “is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.”
ISACA (originally the Information Systems Audit and Control Association). “As a nonprofit, global membership association for IT and information systems professionals, ISACA is committed to providing its diverse constituency of more than 95,000 worldwide with the tools they need to achieve individual and organizational success. The benefits offered through our globally accepted research, certifications and community collaboration result in greater trust in, and value from, information systems. Through the more than 190 chapters established in over 75 countries worldwide, ISACA provides its members with education, resource sharing, advocacy, professional networking, and a host of other benefits on a local level.”
(ISC)2 (International Information Systems Security Certification Consortium). “... the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. We are recognized for Gold Standard certifications (CISSP, SSCP, etc.) and world class education programs. We provide vendor-neutral education products, career services, and Gold Standard credentials to professionals in more than 135 countries. We take pride in our reputation built on trust, integrity, and professionalism. And we’re proud of our membership – an elite network of nearly 75,000 certified industry professionals worldwide. Mission: we make society safer by improving productivity, efficiency and resilience of information-dependent economies through information security education and certification.” [The CISSP Forum is particularly recommended.]
ISO27k Forum (ISO/IEC 27000-series standards discussion forum). “This is a practitioner’s group with a pragmatic rather than theoretical focus, where every contribution is treasured and every member valued. We mostly discuss practical matters of interest to those interpreting and applying the standards in real world situations. Forum members are encouraged both to ask questions and to offer answers, tips, suggestions, case studies, example materials and so forth. This is a self-help user community that thrives on proactive involvement in a supportive atmosphere.”
ISSA (Information Security Systems Association). “... a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.”
OISSG (Open Information Systems Security Group). “OISSG is an independent and non-profit organization with a vision to spread information security awareness by hosting an environment where security enthusiasts from all over the globe share and build knowledge. OISSG has identified the following to achieve its vision: writing assurance/testing standards; organizing conferences; finding software bugs; organizing challenges; building computer security incident response teams; developing multiple channels of communications; setting up research labs.”
OWASP (Open Web Application Security Project). “The OWASP Foundation came online on December 1st 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.”
Implementation tip: Questions are good. I learn a lot from questions. I also learn a lot from answering questions and from considering other people’s answers, further responses, corrections, clarifications, retrenchments and counterpoints. Despite the popular mantra, there are dumb questions ... but there are also deceptively simple questions that turn out to be extremely eloquent and deep once we peel back the layers and try to respond. Whatever your initial state of knowledge, expertise and experience, actively engaging in the debate puts you on the fast track to further personal and professional development. Do join in. Remember: life is not a spectator sport.
FAQ: “What does ‘ISO’ mean? And what about ‘ISO/IEC’?”
A: ISO is the short or common name of the global standards body known in English as the International Organization for Standardization. “ISO” is not strictly an abbreviation since the long name varies in different languages - it is in fact derived from the Greek word isos meaning equal. At least, that’s what we’re told.
IEC is the International Electrotechnical Commission, another international standards body that cooperates closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in practice most users [incorrectly] shorten it to “ISO”.
ISO/IEC also collaborate on some standards with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecomms organizations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimize co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally.
Implementation tip: we have tried to use “ISO/IEC” consistently throughout this site when referring to applicable standards, but we know it’s a mouthful. In casual conversation, management reports, security awareness materials etc. “ISO” is perfectly good enough for most purposes. Don’t sweat the small stuff.
FAQ: “What do ‘WD’, ‘CD’, ‘FDIS’ and those other acronyms prepended to draft ISO standards really mean?”
A: The acronyms indicate the stages reached by International Standards as they progress sequentially through the various committees and approvals:
PWI = Preliminary Work Item - initial feasibility and scoping activities
NP = New Proposal (or study period) - formal scoping phase *
WD = Working Draft (1st WD, 2nd WD etc.) - development phase
CD = Committee Draft (1st CD, 2nd CD etc.) - quality control phase *
FCD = Final Committee Draft - ready for final approval *
DIS = Draft International Standard - nearly there *
FDIS = Final Draft or Distribution International Standard - just about ready to publish *
IS = International Standard - published!
* At several stages during the standards development process, national standards bodies that belong fully to ISO/IEC JTC1/SC 27 are invited to vote formally on the standards and submit comments, particularly if they disapprove of anything.
A similar sequence applies to Technical Reports.
The process from PWI to IS normally takes between 2 and 4 years (average 2.8 years), given the attention to detail at every stage and the need for collaboration and consensus on a global scale e.g. when a WD is issued for comments, representatives of the national standards bodies that belong to ISO or IEC (known as “Member Bodies” MBs within ISO but “National Committees” NCs in IEC) typically have ~3 months to review the document, discuss it amongst themselves and submit formal votes and comments. If the comments are unfavourable or complex, an updated WD is normally released for a further round of comments. When documents have stabilised, they are circulated for voting. Any of you with experience of getting formal documents such as security policies prepared, reviewed and approved by your management will surely appreciate the ‘fun’ involved in doing this in an international arena!
A fast-track process is sometimes used to adopt an existing national standard as an ISO standard. Some 6 months is allowed for comments and no more than a quarter of the votes may be negative if the standard is to be approved. “Fast” is of course a relative term.
Published standards are reviewed every five years, or earlier if defect reports are submitted.
FAQ: “What is meant by ‘JTC/1 SC 27’ and what are ‘WG’s’?”
A: As you might expect, an international body developing and coordinating a vast range of technical standards on a global basis has evolved a correspondingly vast bureaucracy to manage and share the work. Member Bodies (that is, members of ISO, in other words national standards bodies) normally participate in the development of standards through Technical Committees established by the respective organisation to deal with particular fields of technical activity. The ISO and IEC Technical Committees often collaborate in fields of mutual interest. IT standardisation presents unique requirements and challenges given the pace of innovation; therefore, in 1987, ISO and IEC established a Joint Technical Committee, ISO/IEC JTC 1, with responsibility for IT standards.
JTC1’s purpose is “Standardization in the field of Information Technology” which “includes the specification, design and development of systems and tools dealing with the capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage and retrieval of information.” While there is general agreement that information security is a superset of IT security, the unfortunate fact that the ISO/IEC committee is IT specific means that the ISO27k information security standards are in fact labelled IT standards.
In ISO-speak, “SC” is a “Sub-Committee”. SC 27 is the main (but not the only!) ISO Sub-Committee responsible for numerous IT security standards. SC 27 is a Sub-Committee of ISO/IEC JTC 1. SC 27’s “Standing Document 1” lays out its key processes in 50 pages of excruciating detail.
SC 27 runs around 90 projects, of which around half are actively progressing. SC 27, in turn, has carved up its workload across five WGs (Working Groups):
SC 27/WG1 - Information Security Management Systems: responsible for developing and maintaining ISMS standards and guidelines, identifying requirements for future ISMS standards and guidelines, maintaining the WG1 roadmap and liaising/collaborating with other organizations and committees in relation to ISMS. Convenor: Professor Ted Humphreys;
SC 27/WG2 - Cryptography and Security Mechanisms: cryptography, cryptographic algorithms, encryption, authentication, key management, digital signatures and all that. Convenor: Mr K Naemura;
SC 27/WG3 - Security Evaluation, Testing and Specification: Common Criteria, evaluation methods, protection profiles, security capability maturity models etc. Convenor: Mr M Ohlin;
SC 27/WG4 - Security Controls and Services: responsible for a variety of standards covering intrusion detection, IT network security, incident management, ICT disaster recovery, use of trusted third parties, business continuity, application security, cybersecurity and outsourcing. Some of these also fall into ISO27k. Convenor: Dr Meng-Chow Kang;
SC 27/WG5 - Identity Management and Privacy Technologies: does pretty much exactly ‘what it says on the tin’ (the title is self-explanatory). Includes biometrics. Convenor: Professor Kai Rannenberg.
As if that wasn’t complicated enough, there are also “Other Working Groups” (OWGs), “Special Working Groups” (SWGs), “Rapporteur Groups” (RGs, advisors), “Joint Working Groups” (JWGs), Workshops and the IT Task Force (ITTF). [There is presumably also a secret CFA (Committee For Acronyms) somewhere in ISO/IEC land!].
Aside from SC 27, various other subcommittees are working on security-related matters, such as:
SC 6 - Telecommunications and information exchange between systems
SC 7 - Software and systems engineering
SC 17 - Cards and personal identification
SC 25 - Interconnection of information technology equipment
SC 29 - Coding of audio, picture, multimedia and hypermedia information
SC 31 - Automatic identification and data capture techniques
SC 32 - Data management and interchange
SC 36 - Information technology for learning, education and training
SC 37 - Biometrics
Implementation tip: Once you have gained ISMS implementation experience, consider helping the continued development of the ISO27k standards by contacting your national standards body and volunteering your assistance (more advice follows ...).
Please note: this website is independent of and does not belong to, nor is it endorsed by or affiliated with, ISO/IEC. Please read the disclaimer for more.
FAQ: “How can I keep up with developments in ISO27k?”
A: An easy way to keep in touch with developments is to join the ISO27k Forum. Don’t forget to bookmark this website and call back every so often to check what’s new.
You might like to check out the ISMS newsletters out there and sign-up to any that provide useful and reliable information about the standards as opposed to merely promoting specific products. Good luck in your quest!
Another option is to Google ISO/IEC 27000 or related terms. Google knows about helpful resources such as this article from the UK’s National Computing Centre.
Professional information security-related organizations such as ISSA and ISACA, and journals such as EDPACS, are increasingly publishing articles on ISO/IEC 27001/2 etc. The CISSPs over at CISSPforum discuss ISO27k related matters quite often.
Finally, if you discover some ISO27k news before it is published here, please tell us so we can share it with the user community via this website and/or via the ISO27k Forum.
FAQ: “How can I get involved in the development of security standards?”
A: Contact your local national standards body (e.g. BSI, NIST) to find out about any special interest groups and committees working in the information security arena. If you can spare the time to get involved with standards specification, development and/or review, contact your local ISO/IEC JTC1/SC 27 representative/s to volunteer your services.
There is a genuine chance for experienced professionals to influence the future directions of ISO27k if they are prepared to put in the effort and collaborate with colleagues around the world. Don’t wait for the published standard to raise your criticisms and improvement suggestions: get involved in the drafting and review process!
Implementation tip: The ISO/IEC security Sub-Committees and Working Groups are extremely busy and produce lots of paperwork. Committee work drafting and reviewing standards plus responding to queries from other interested parties has to be slotted-in with other duties including the day-job. If you get involved, be prepared to lose a substantial chunk of your free time reading, reviewing and contributing to draft standards. It’s fun though, a privilege to be able to collaborate with professional peers who are equally committed to ISO27k.