Topic-specific policies
ISO/IEC 27003

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27003:2017 < Click to purchase via Amazon — Information technology — Security techniques — Information security management systems — Guidance (second edition)



“ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.”
[Source: ISO/IEC 27003:2017]


ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular.

Its scope is simply to “provide explanation and guidance on ISO/IEC 27001:2013.”

The standard supplements and builds upon other standards, particularly ISO/IEC 27000 and ISO/IEC 27001 plus ISO/IEC 27004, ISO/IEC 27005, ISO 31000 and ISO/IEC 27014.


Purpose of the standard

As a result of ISO’s intent to make all the Management Systems Standards consistent in structure and form, and in order for it to be usable for ISMS certification purposes, the language of ISO/IEC 27001:2013 is inevitably rather formal, curt and stilted. In contrast, ISO/IEC 27003 offers pragmatic explanation with plain-speaking advice and guidance for implementers of ‘27001.


Structure and content of the standard

For convenience, ‘27003 follows virtually the same structure as ‘27001, expanding clause-by-clause on ‘27001, hence the main sections are:

  • 4 Context of the organisation
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement
  • Annex - Policy framework [NOTE: this is not guidance on ‘27001 Annex A]

For each ‘27001 clause, this standard:

  • Re-states the requirement/s;
  • Explains the implications; and
  • Offers practical guidance and supporting information including examples, to help implementers implement.

For example, this is what ‘27001 says in section 4.1, ‘Understanding the organisation and its context’:

    “The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

    NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009[5].”

Section 4.1 of ‘27003 first succinctly re-states the ‘required activity’:

    “The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).”

Then it expands on the reasons why it is appropriate to ‘determine external and internal issues’, providing a page of explanation to supplement the succinct and somewhat hard to understand text from ‘27001. It explains, for instance, that the ‘internal issues’ include the organisation’s culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and list a further seven ‘internal issues’ to consider. It also identifies other clauses that use this information.

That alone would be a valuable expansion on ‘27001 section 4.1 but ‘27003 doesn’t stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area.

The end result is that the reader gains a much better understanding of the requirements from ‘27001 and a clearer idea of how to go about satisfying them.


Status of the standard

The first edition was published in 2010.

The standard was substantially revised (rewritten) and the second edition was issued in 2017.

Work is under way on a third edition, a project with three phases:

  1. Update references and realign to the 2022 versions of ISO/IEC 27001 and ’27002; consolidate guidance into the Guidance sections; clarify the wording to avoid even hinting at additional ISMS requirements beyond those in ’27001, following rumoured CASCO concerns about implied conformance or conformity aspects.
  2. Adopt ISO’s version of plain English meaning substantial wording changes throughout, and expand the standard to cover all of ISO/IEC 27001 (but not the implementation of controls since that is well covered by ’27002);
  3. Expand the implementation guidance, including brief introductions and references to related standards such as ’27004 and ’27005.

The revision project is due to produce a first Working Draft soon. It will undoubtedly take years for ISO/IEC JTC 1/SC 27/ WG1 to revise the current, out-of-date, non-plain-English standard.


Hot free resource Meanwhile, in the free ISO27k Toolkit you will find the ISO27k ISMS implementation guideline, a plain-English explanation of the requirements in ISO/IEC 27001:2022 with pragmatic guidance for implementers. It’s unofficial - not an ISO/IEC standard - but it’s free and available today!


Personal comments

This is an excellent guide. On the ISO27k Forum, we are frequently asked how to interpret and implement ISO/IEC 27001. Along with our FAQ, ISO/IEC 27003 goes a long way towards answering questions.

The scope and purpose of ’27003 might perhaps, at some point, extend beyond the ISMS design, implementation and certification phase to offer pragmatic advice on the operation, management, monitoring and gradual improvement of the ISMS. Certification of an ISMS is merely a milestone on the never-ending journey towards maturity. As information security becomes an integral and valuable part of the organisation’s routine business/operational activities and management, changes are bound to occur. Potentially ’27003 could - in a future edition perhaps - encourage and support beneficial changes while discouraging counterproductive or detrimental ones.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights