ISO27k standards
What use is ISO27k for my organisation?
For more on this, see the free business case template, part of the ISO27k Toolkit.
Organisations that use the ISO27k standards gain worthwhile business benefits such as:
Protecting valuable information: more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc., without imposing excessive security that would prevent it being exploited for legitimate business purposes.
Reducing losses: cost-effective security controls minimise the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g. floods, equipment failures, misconfigurations, inadvertent disclosures).
Increasing assurance and trust: ISO27k conformity demonstrates the organisation’s commitment towards good practices for information security, privacy, compliance, ethics etc. to interested parties such as its customers, employees, partners, investors and the authorities.
Achieving and maintaining compliance: various laws, regulations and contractual terms impose requirements relating to information security, privacy, accuracy, completeness, timeliness etc.
Enhancing resilience: adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc.
Bolstering brands: aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 and ISO/IEC 27701 enhances the organisation’s reputation. It is increasingly being expected or demanded by discerning customers, partners, investors and regulators - in other words, it confers competitive advantage.
To be clear, there are costs associated with sound governance, risk management, security, privacy, assurance, incident management and so on ... but the business benefits outlined above substantially exceed the costs. The risks and costs involved in not taking security and privacy seriously can be existential, as is clear from the news headlines: serious hacking, ransomware and fraud incidents have devastated companies such as Sony Pictures Entertainment, Travelex and Barings Bank. Government institutions, defence, charities and healthcare organisations are far from immune. With their limited resources, Small to Medium-sized Enterprises stand little chance if targeted, or if mistakes are made in their accounting and tax processes, IT systems and networks. Protecting and exploiting computer data and other forms of information is critically important for business and vital for human safety.
There's no need to design a completely bespoke approach for your particular organisation. ISO27k constitutes a suite of internationally-recognised good security practices to suit any organisation, a stable platform on which to build.
Are these IT security (cybersecurity) standards?
When assessing and treating information risks, focus primarily on risks affecting critical business activities and information - the organisation's 'crown jewels'. The related computer systems, services and data play a secondary, supporting or enabling role, but don't forget the associated processes, people and relationships.
Yes, largely, but they are not limited to IT. The ISO27k standards are about protecting and exploiting valuable information in all forms, not just computer systems, services, networks and data.
Aside from computer data, 'information' includes:
Printed or written information such as completed forms, signed contracts and rough notes;
Information expressed verbally and visually at meetings, videoconferences, phone calls, briefings, seminars, even casual water-cooler or corridor conversations;
Policies, procedures and work instructions;
Shared corporate culture expressed through attitudes, priorities and ethics, plus personal angles such as body language, prejudices and bias;
Knowledge and expertise in workers' heads, plus concepts, ideas, strategies, thoughts ...;
Proprietary, business, personal, shared and public information;
Intellectual property such as trade secrets, patents, trademarks and copyright information.
Various business units, departments and teams generate or acquire, use and benefit from valuable information. IT Department is a custodian for much but not all of it. People throughout the business are accountable for both protecting and (legitimately) exploiting information in support of the organisation’s strategic objectives, with the guidance and assistance of IT, risk, security and other specialists. Suppliers of telecommunications and cloud services, plus utilities such as power and water, all have parts to play in maximising the value of information, while information is an integral and important part of the organisation's products supplied to customers, partners and the authorities (e.g. company accounts and tax reports).
Where can I obtain [name any ISO27k standard]?
Google and shop around for the best deal.
Published ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organisations (agents). A few popular ISO27k standards are available through Amazon.com and other retailers.
It is worth checking for localised/national versions of the standards. Several national standards bodies release translated versions of the standards in their own languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time.
ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use, making the definitive standards readily available on the intranet.
Are there qualifications for ISO27k professionals?
Hands-on ISO27k ISMS implementation and audit experience, ideally with several organisations, is by far the best ‘qualification’ in the field. General information security and technology audit qualifications (such as CISSP, CISM and CISA) can help, and business management qualifications (such as MBAs) are well worthwhile.
Not exactly, but there are certifications or designations.
Unlike some IT certifications, ISO27k certifications lack a universally-recognized governing body.
Common designations include ISO/IEC 27001 Lead Auditor (LA), with various paths from formal training and audits to experience-based qualification, and ISO/IEC 27001/27002 Lead Implementer (LI), which focuses on implementing the ISO27k standards.
However, the value of such course-completion certificates is questionable. Demonstrable experience and competence are worth far more. Refer to ISO/IEC 27021 for guidance on “Competence requirements for information security management systems professionals”.
Where else can I find answers on ISO27k and information security?
Whatever your current state of expertise, actively engaging in study and debate gets you onto the personal development fast-track.
Besides the ISO27k standards themselves, consider joining professional groups such as:
What is ISO/IEC?
“ISO” is not an abbreviation but is in fact derived from the Greek word isos meaning equal. ISO primarily coordinates, facilitates and encourages collaboration between the national standards bodies, driving global standardisation.
ISO is the name of the Swiss-based standards body known in English as the International Organization for Standardization.
IEC is an abbreviation for the International Electrotechnical Commission, another international standards body working closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in casual terms, we often shorten it to plain “ISO”.
ISO/IEC also collaborate with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecoms organisations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimise co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally.
What are all those other obscure abbreviations?
The processes are regimented - highly structured and consequently s-l-o-w. At several stages during the development of a standard, national standards body members are invited to vote and comment formally.
The following abbreviations are used by the committee developing ISO27k standards:
AG - Advisory Group
AMD - Amendment
ARO - Approved RS Originator
BRM - Ballot Resolution Meeting
CB - [IEC] Council Board
CD - Committee Draft (1st CD, 2nd CD etc., a quality-control phase, addressing editorial matters and typos *)
CDV - [IEC] Committee Draft for Vote
COR - Technical Corrigendum
CS - [ISO] Central Secretariat
DAM - Draft Amendment
DCOR - Draft Technical Corrigendum
DIS - Draft International Standard (nearly there, down to proofreading, hold your breath *)
DoC - Disposition of Comments
DR - Defect Report
DTR - Draft Technical Report
DTS - Draft Technical Specification
FCD - Final Committee Draft (ready for final approval (voting), but rarely used *)
FDAM - Final Draft Amendment
FDIS - Final Draft/Distribution International Standard (just about ready to publish, final tweaks, pinch your nose and count to 100 *)
HoD - Head of Delegation
ICT - Information and Communications Technology
IEC - International Electrotechnical Commission
IPR - Intellectual Property Rights
IS - International Standard (published! Yay!)
ISO - International Organization for Standardization
ITTF - Information Technology Task Force
ITU - International Telecommunication Union
ITU-R - ITU Radiocommunication Sector
ITU-T - ITU Telecommunication Standardization Sector
JCG - Joint Coordination Group
JTAB - Joint Technical Advisory Board
JTC 1 - [ISO + IEC] Joint Technical Committee 1
JWG - Joint Working Group
MB - (ISO) Member Body
NB - National Body
NC - (IEC) National Committee
NP - New Project (the formal scoping phase, clarifying the proposal and formally seeking approval to proceed with the standards development project *)
NWI - New Work Item
OWG - Other Working Group
PAS - Publicly Available Specification
PC - Project Committee
PDAM - Proposed Draft Amendment
PDTR - Proposed Draft Technical Report
PDTS - Proposed Draft Technical Specification
PT - Project Team
PWI - Preliminary Work Item - initial feasibility and outline scoping activities
RER - Referencing Explanatory Report
RG - Rapporteur Group
RS - Referenced Specification
SC - SubCommittee
SD - Standing Document - now known as Committee Document
SG - Study Group
SMB - (IEC) Standardization Management Board
SP - Study Period (preparing the NWIP …)
SWG - Special Working Group
TAG - (ISO) Technical Advisory Group
TC - Technical Committee
TMB - Technical Management Board
TR - Technical Report (published! See next Q&A)
TS - Technical Specification (published! See next Q&A)
WD - Working Draft (1st WD, 2nd WD etc. - content development “preparatory” drafting phase *)
WG - Working Group
Aside from international standards, what are TRs and TSs?
See the ISO Directives for even more detail.
ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects:
An International Standard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, ‘codes of practice’ (good practices) and management standards. An IS “provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context”. Most aim to describe the final objective without prescribing the method of getting there (although they don’t all meet that aim!). The review cycle is 5 years (maximum).
A Technical Specification (TS) is a standard on an immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development leading, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS Proposed Draft Technical Specifications.
A Technical Report (TR) is informative rather than providing firm guidance. It may draw on surveys and reports, and may attempt to describe the ‘state of the art’. Final drafts of these are called PDTR Proposed Draft Technical Reports.
A Publicly Available Specification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years.
An International Workshop Agreement (IWA) is a PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years.
What is JTC 1/SC 27 and what are WGs?
Once you have ISMS experience, consider getting involved with SC27's standards work by contacting your national standards body and volunteering.
ISO/IEC JTC 1/SC 27 is the Joint Technical Committee 1/SubCommittee 27 responsible for numerous information security, privacy and technological standards, including ISO27k series.
SC 27 is spread across five Working Groups focused in particular areas:
· WG1 for Information Security Management Systems;
· WG2 for cryptography;
· WG3 for security evaluation;
· WG4 for security controls and services;
· WG5 for identity management and privacy technologies.
How can I keep up with ISO27k?
If you have ISO27k news, please share it with the user community via the ISO27k Forum.
An easy way to keep in touch with developments is to bookmark this very website and call back every so often to see what's new.
Another option is to Google ISO 27001 news or related terms.
Professional information security-related organisations such as ISSA and ISACA often carry content on ISO27k.
There are a few ISO27k groups on LinkedIn and other social media, of variable quality. Unfortunately most of them (other than the ISO27k Forum) are infested with spammers and well-meaning but inept commentators.
