Information security policies
About the ISO27k standards


Search this site
 
Security awareness content

Introduction to the ISO27k standards

ISO27k is a set of ISO/IEC standards - international good practice guidelines - for managing the risks affecting business/commercial and personal information.

Their primary objective is to advise on how to go about protecting valuable information against harm whilst permitting its use for legitimate purposes.

The standards lay out generic guidance under the umbrella of an overall ‘management system’ for information risk and security, one that can be adapted for any organisation's unique situation. The management system is a structured framework, a systematic approach to identify information risks, put suitable countermeasures in place to address them, and make sure the controls are working properly in practice.

In short, ISO27k is about systematically protecting and legitimately exploiting valuable information for sound business reasons.

 

Business benefits

Adopting/using the ISO27k standards generates worthwhile business benefits such as:

  • Protecting valuable information: more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc., while avoiding excessive security and facilitating appropriate exploitation.
  • Reducing losses: cost-effective security controls minimise the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g. floods, equipment failures, misconfigurations, inadvertent disclosures).
  • Increasing assurance and trust: demonstrates the organisation’s commitment towards good practices for information security, privacy, compliance, ethics etc. to interested parties such as its customers, employees, partners, investors and the authorities.
  • Achieving and maintaining compliance: various laws, regulations and contractual terms impose requirements on information security, privacy, accuracy, completeness, timeliness etc.
  • Enhancing resilience: adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc.
  • Bolstering brands: aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 and 27701 enhances the organisation’s reputation and is increasingly being demanded by discerning customers, partners, investors and regulators.

For more on this, see the business case template in the free ISO27k Toolkit.

 

The ISO27k standards

The ISO27k suite consists of about one hundred standards in the ISO/IEC 27000-numbered series, around three quarters of which have been published so far:

  1. Status update July ISO/IEC 27000:2018 - an overview and introduction to the ISO27k standards plus a glossary for the specialist vocabulary. The single-user PDF is FREE!
  2. Hot stuffSME guide published in May ISO/IEC 27001:2022 is the Information Security Management System requirements standard, formally specifying a certifiable ISMS.
  3. Hot stuff ISO/IEC 27002:2022 catalogues ~100 commonplace information security controls with design and implementation guidance.
  4. ISO/IEC 27003:2017 provides guidance on how to implement ISO/IEC 27001:2013.
  5. ISO/IEC 27004:2016 covers information security management measurement (metrics).
  6. Hot stuff ISO/IEC 27005:2022 covers information [security] risk management.
  7. ISO/IEC 27006-1:2024 is a guide to ISO/IEC 27001 ISMS certification.
  8. ISO/IEC TS 27006-2:2021 is a guide to ISO/IEC 27701 PIMS certification. It is set to become ISO/IEC 27706.
  9. ISO/IEC 27007:2020 is a guide to auditing the management system elements of an ISMS.
  10. ISO/IEC TS 27008:2019 concerns the assessment of technical (cyber) security controls.
  11. ISO/IEC 27009:2020 advises those producing sector- or industry-specific ISO27k standards.
  12. ISO/IEC 27010:2015 provides guidance on information security management for inter-sector and inter-organisational communications.
  13. ISO/IEC 27011:2024 is an information security management guideline for telecomms organisations (= ITU-T X.1051).
  14. ISO/IEC 27013:2021 provides guidance on the joint implementation of both ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management system/ITIL).
  15. ISO/IEC 27014:2020 offers guidance on the governance of information security (= ITU-T X.1054 - a free PDF download!).
  16. ISO/IEC TR 27016:2014 concerns the economics of information security management.
  17. ISO/IEC 27017:2015 concerns information security for cloud computing (= ITU-T X.1631).
  18. July status update ISO/IEC 27018:2019 concerns Personally Identifiable Information in public clouds.
  19. ISO/IEC 27019:2017 concerns information security for process control (Operational Technology) in the (non-nuclear) energy industry.
  20. ISO/IEC 27021:2017 explains the competencies, skills and knowledge required by information security management professonals.
  21. ISO/IEC TS 27022:2021 maps out ISMS processes.
  22. ISO/IEC TR 27024 will list some laws and regulations relevant to information security.
  23. July update ISO/IEC TS 27028 will offer guidance on information security control attributes.
  24. ISO/IEC TR 27029 is now destined to become an SC 27 Standing Document.
  25. ISO/IEC 27031:2011 concerns ICT resilience and recovery for business continuity.
  26. ISO/IEC 27032:2023 concerns Internet security.
  27. ISO/IEC 27033:2010-2023 concerns IT network security (in 7 parts).
  28. ISO/IEC 27034:2011-2018 provides guidance for application security (in 6½ parts).
  29. ISO/IEC 27035:2020-2023+ concerns information security incident management (in 3 parts published, 1 in draft).
  30. ISO/IEC 27036:2016-2023 is an information security guideline for ICT supply chains including cloud computing (in 4 parts).
  31. ISO/IEC 27037:2012 concerns identifying, gathering and preserving digital evidence.
  32. May - AI/ML/NLP risk added ISO/IEC 27038:2014 is a specification for redaction of digital documents.
  33. ISO/IEC 27039:2015 concerns Intrusion Detection and Prevention Systems (IDS/IPS).
  34. ISO/IEC 27040:2024 concerns data storage security. Second edition published!
  35. ISO/IEC 27041:2015 concerns assurance in eForensics.
  36. ISO/IEC 27042:2015 concerns analysis and interpretation of digital evidence.
  37. ISO/IEC 27043:2015 concerns incident investigation (and eForensics).
  38. June status update ISO/IEC 27045 will cover big data security and privacy.
  39. ISO/IEC 27046 will offer guidance on implementing big data security and privacy processes.
  40. ISO/IEC 27050:2018-2021 concerns eDiscovery/digital forensics (in 4 parts).
  41. ISO/IEC 27070:2021 specifies security requirements for establishing virtualised roots of trust in the cloud.
  42. ISO/IEC 27071:2023 concerns trusted connections between devices and services.
  43. July status update ISO/IEC 27090 will concern attacks on Artificial Intelligence systems.
  44. ISO/IEC 27091 will concern privacy in Artificial Intelligence systems.
  45. ISO/IEC 27099:2022 specifies the policy framework and associated practices for PKI.
  46. May status update ISO/IEC TS 27100:2020 gives a brief overview of cybersecurity concepts.
  47. ISO/IEC 27102:2019 covers cyber-insurance.
  48. July status update ISO/IEC TR 27103:2018 explains that ISO27k and other ISO and IEC standards are relevant to ‘cybersecurity’ (undefined term).
  49. ISO/IEC TR 27109 will concern cybersecurity education and training.
  50. ISO/IEC TS 27110:2021 is a guideline on developing cybersecurity frameworks.
  51. ISO/IEC 27115 may concern evaluating the cybersecurity of complex systems.
  52. ISO/IEC 27400:2022 concerns security and privacy for Internet of Things.
  53. Hot stuff! ISO/IEC 27402:2023 specifies a cybersecurity and privacy baseline for IoT things.
  54. Hot stuff!Published end of June ISO/IEC 27403 covers security/privacy for suppliers of IoT domotics (smart homes).
  55. Status update July ISO/IEC 27404 will cover cybersecurity labelling for consumer IoT devices.
  56. ISO/IEC TR 27550:2019 covers privacy engineering in ICT systems.
  57. ISO/IEC 27551 will specify requirements for Attribute-Based Unlinkable Entity Authentication.
  58. May status update ISO/IEC 27553:2022+ concerns information risks and privacy concerns for biometric authentication on mobile devices (in 2 parts, part 2 in draft).
  59. Published in July ISO/IEC 27554:2024 concerns using ISO 31000 to assess identity-related risks.
  60. ISO/IEC 27555:2021 offers guidance on deleting personal data (PII).
  61. ISO/IEC 27556:2022 defines a framework for managing and sharing users’ privacy preferences.
  62. ISO/IEC 27557:2022 advises on using ISO 31000 to manage privacy risks.
  63. ISO/IEC 27559:2022 is a framework for de-identification (anonymising) personal data.
  64. ISO/IEC TS 27560:2023 specifies the structure for recoding and exchanging privacy consent info.
  65. ISO/IEC 27561:2024 describes a privacy engineering approach (dubbed ‘POMME’) to determine and satisfy privacy-related functional requirements.
  66. Status update May ISO/IEC 27562 will offer privacy guidance for fintech (IT in the finance industry).
  67. ISO/IEC TR 27563:2023 analyses the security and privacy implications of numerous Artificial Intelligence/Machine Learning use cases from ISO/IEC TR 24030.
  68. Status update June ISO/IEC TS 27564 will advise on model-based privacy engineering.
  69. ISO/IEC 27565 will offer guidelines on zero knowledge proofs.
  70. May progress update ISO/IEC 27566-1 will standardise age-verification processes/systems/approaches.
  71. ISO/IEC TS 27570:2021 offers privacy guidance for smart cities.
  72. ISO/IEC 27701:2019 specifies requirements and offers guidance on extending an ISO/IEC 27001 ISMS to manage privacy as well as information security.
  73. July new number for 27006-2 ISO/IEC 27706 will be an update to ISO/IEC 27006-2 on PIMS certification.
  74. ISO 27799:2016 provides health sector specific ISMS implementation guidance based on ISO/IEC 27002:2013.

The ISO27k standards are being actively developed, hence the information on this website is somewhat vague in respect of draft standards and those that are changing rapidly*. The content, scope and titles of standards often change during the slow drafting and approvals process. Once published, however, the standards generally remain static for several years, giving us time to catch up!

The “ISO/IEC 27000 family of standards” is (according to the Working Group 1 convenor) a subset of these standards, specifically those managed by ISO/IEC JTC 1/SC 27 WG1 (27001 to 27011, 27013, 27014, 27016, 27017, 27019, 27021 to 27024, 27028 and 27029). We take a simpler, more pragmatic line: on this site, “ISO27k” refers to all the ISO/IEC standards whose numbers start with 27, regardless of who manages them. All bar two of them belong to ISO/IEC JTC 1 SC 27, hence the 27000-series numbering.

 

Please do not place undue reliance
upon the website content:
the published standards are definitive!
 

The ISO website formally lists all SC 27’s standards.

 

Most of the information on this website has been gathered from ISO/IEC and other official sources. It includes a number of personal comments and asides by Gary Hinson, the author/owner of this domain and website, that are totally informal and often distinctly biased, cynical, verging on jaundiced in fact. ISO27001security.com is NOT an official ISO/IEC organ. I have no formal relationship with ISO/IEC, other than as a longstanding member of the committee ISO/IEC JTC 1/SC 27. I do my best to understand and describe what is going on with the ISO27k standards but cannot totally guarantee the integrity (as in completeness and accuracy) of the information provided here. For anything important, please contact ISO, IEC or your own national standards body (e.g. ANSI, NIST, BSI, SNZ) for “official” information, ideally liaising with your national body’s members of SC 27 or working through affiliated organisations such as ITU-T, ISACA and CSA.

 

Browse ISO/IEC JTC 1/SC 27’s official website
for more about the committee, its standards and programme of work,
and supplementary guidance such as the Audit Practice Notes.

 

Search** or browse the ISO website
for definitive information on any ISO standards.

 

* “Rapidly” is decidedly tongue-in-cheek. International standards develop and mature at a similar rate to vintage cheese and fine wine. The pace of progress is, at times, glacial, even tectonic. Wisdom inevitably takes time to distill and express.

** To search for information on any ISO standard, click the magnifying glass at www.ISO.org then enter either just the standard’s number (e.g. 27001 - omitting ISO/IEC) or a likely title or subject word or phrase (e.g. cyber) into the search box. The most relevant search results are shown at the top of the list. Beware withdrawn standards, superceded editions and as-yet-unpublished drafts.

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights