ISO27k links

Copyright © 2010 IsecT Ltd.

Sources of the ISO27k standards themselves

  • Recommended resource ANSI is selling their “INCITS” versions of ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27006 as PDF downloads for just US$30 each.  These are official, completely legitimate versions, not bargain basement seconds.  The standards can also be purchased rather more expensively from ISO, from the national standards bodies such as the British Standards Institute and from commercial organizations.  There are several other sources so shop around for the best deals, for example using this Google search.
  • Several national standards bodies release translated versions of the ISO/IEC standards in their local languages.  They all go to great lengths to ensure that the translations remain true to the original, causing some delay while the English language versions from ISO/IEC are translated, reviewed and released.

Further info on the ISO27k standards & their implementation

  • Recommended resource The State of California State Information Security Office has released a 43-page Information Security Program Guide for State Agencies - in effect a guideline on implementing ISO/IEC 27002 for US government entities.  It includes a template ‘acceptable use’ policy.  The State also offers a range of risk analysis checklists, tools and advice for small/simple, medium and large/complex entities, and a guide to the role and responsibilities of the information security officer.
  • Recommended resource @sec has a good ISMS implementation guide along with several other information security white papers.
  • Recommended resource A comprehensive French language website provides useful information on ISO27k, risk analysis methods such as MEHARI and EBIOS, and general infosec info e.g. a brief outline of ingénierie sociale (social engineering).
  • Recommended resource The Government Chief Information Office, part of the New South Wales Department of Commerce, published and maintains a useful 111-page manual to guide Australian government agencies implementing ISO27k.  The guidelines explain how to structure the ISMS, analyze risks to identify suitable information security controls, and measure and improve the ISMS thereafter.  It doesn’t go into detail on implementing specific controls but provides general guidance by reference to the standards.
  • Recommended resource If you are actively implementing the ISO27k standards, you are welcome to join the ISO27k Forum to discuss the practicalities with others doing the same thing.  The community of forum members will be pleased to advise you in relation to implementation, giving you the benefit of their collective experience in this field.  Your own thoughts and inputs are most welcome, including contentious points for discussion.
  • Recommended resource Visit ISO27001certificates.com for details of most although evidently not all ISO/IEC 27001 certificates issued.  The site is maintained by Ted Humphreys and colleagues.
  • ISO/IEC 27001: the future of infosec certification by Taiye Lambo was originally published in ISSA Journal in 2006.  It outlines reasons for implementing an ISMS including legal and regulatory compliance as well as reducing the costs arising from information security incidents.
  • An AC Nielsen survey conducted on behalf of ISO on the ISO management systems standards covered the ISMS standards, giving a breakdown of ISO/IEC 27001 certificates issued per country as at the end of 2006.  [The total number is higher than usually reported so it is possible that they double-counted organizations with multiple certificates].
  • A report by the Government of the Hong Kong Special Administrative Region outlined ISO27k plus related standards, regulations etc. including PCI-DSS, COBIT, ITIL/ISO 20000, FISMA, SOX and HIPAA.
  • A handy guide to the process approach is available on ISO’s ISO 9000 website.
  • Ismael Valenzuela in [IN]SECURE eZine explained how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 17799 (now ISO/IEC 27002). The piece included a useful table linking specific clauses in the ISO/IEC standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.
  • British Standards Institute has published a number of useful little ISMS guidance booklets over the years including BSI/DISC PD 005 (?) which contained a very handy overview diagram showing the typical lifecycle of an organization’s ISMS project.  It would be good to see parts of this older material recycled into the newer guidance.  A security metrics booklet BIP 0074 is available from BSI: Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001.  “With increasing International interest in the field of ISMS metrics and measurements, this publication brings together the different methods that are currently in use to measure controls and/or processes.  In addition it gives further information and guidance about these various methods to measure the success of security arrangements in place.”  Price ~£40 ($75).  [Another, cheaper, BSI booklet covers metrics for ISO 20000 (ITIL).]
  • www.ISO27000.es is “el portal de ISO 27000 en Español”, the Spanish language equivalent to this site, while www.ISO27000.ru is the Russian version.
  • Comunidade Portuguesa de Segurança da Informação is a Portuguese community for those interested in implementing ISO27k information security management systems (mainly in Portuguese but with some good papers also in English).
  • Open Directory Project (ODP) maintains a page of ISO27k links.

General information security management sources

  • Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security has some well thought-through advice on positioning and exploiting information security management for business advantage.
  • An extensive list/catalog of potential information security metrics includes a section aligning the metrics against ISO/IEC 27002.
  • A French government website dedicated to information systems security provides, amongst other stuff, the risk assessment methodology EBIOS and associated tool for Windows, Linux ...
  • IT security guidance from the Canadian Government has some interesting documents on risk assessment etc.
  • A collection of general information security links is maintained by Gideon Rasmussen at ussecurityawareness.org
  • Russ McRee, author of the Toolsmith column in ISSA Journal, maintains a page of links to infosec standards.
  • The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing).  Some of the main ones are: ISO/IEC 27001 and ISO/IEC 27002, COBIT, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 70, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.  Here are three ways you might use the matrix:
    • ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;
    • ISMS coverage of applicable laws/standards/regulations: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column.  Rows with multiple entries are common controls so you probably already have them, but the implementation should integrate the multiple requirements.  Be careful about the rows with single entries: do you have them all covered in your ISMS?  If not, there's a noncompliance risk to consider.
    • Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of noncompliance.  The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.

    A lot of work must have gone into compiling the matrix.  Make the most of it.  The ITCi’s Unified Compliance Project is definitely one to look out for if your organization is subject to the usual mesh of overlapping laws, standards and regs.

  • CCcure.org lists useful books and other resources for the CISSP and related qualifications, all of which are also good reference material for ISO/IEC 27001, ISO/IEC 27002 etc.
  • There are many more information security management-related links in the NoticeBored links collection.

Miscellany

  • ISO is not an acronym but the official name of the Swiss organization responsible for coordinating the world’s national standards bodies. Joint Technical Committee 1 (JTC1) is responsible for all ISO’s IT standards and JTC1 Sub Committee 27 (JTC1/SC27) is specifically responsible for the standards covering “IT security techniques”. JTC1/SC27 is busy, judging by the number of security papers currently under consideration, many of which relate to encryption and privacy.
  • The UK’s BERR (Department for Business, Enterprise and Regulatory Reform), formerly the DTI (Department of Trade and Industry, the originator of BS 7799), offers general information security information and guidelines.  The department continues to promote BS 7799-3 and the ISO27k standards. Their 2-part information security healthcheck questionnaire is a simple way to determine how far from compliance with ISO/IEC 27001/2 your organization might be - the first part asks 10 overview questions for a quick estimation while the follow-up detailed questionnaire asks more than 100.
  • ISSEA (the International Systems Security Engineering Association) is a non-profit professional organization dedicated to the adoption of systems security engineering as a defined and measurable discipline.
  • IsecT Ltd. owns and manages this website. We have our own corporate website and another promoting NoticeBored, our innovative ISO27k-aligned information security awareness service.