ISO/IEC 27000 – Information Security Risk Management Standards for Companies of All Sizes
The International Organization for Standardization (ISO) joined forces with the International Electrotechnical Commission (IEC) to create a set of information security standards known as the ISO/IEC 27000 series. Taken as a whole, this set of best practices addresses more than privacy and technical security issues, which is why organizations all over the world work to comply with it.
Although many believe that ISO/IEC 27000 is similar to the ISO 9000 series for quality assurance and the ISO 14000 series for environmental protection, the series aims to do more than ensure the privacy and technical security of IT systems. It encourages companies that implement it to:
- Assess IT security risks
- Implement the right IT security controls based on their needs
- Use the guidance and suggestions marked by the series when appropriate
- Incorporate feedback and improvement activities to address threats and vulnerabilities
Major Published Standards
The ISO/IEC 27000 series consists of 10 published standards:
- ISO/IEC 27000 – This standard offers an overview of the series and defines the vocabulary used.
- ISO/IEC 27001 – This standard specifies the requirements needed to ensure the security of IT systems.
- ISO/IEC 27002 – This best practice offers a code of practice for IT security management.
- ISO/IEC 27003 – This standard provides guidance for implementing IT security management systems.
- ISO/IEC 27004 – Since metrics are necessary for risk management, this standard offers guidance on measuring IT security management.
- ISO/IEC 27005 – This standard takes a broader look at IT security risk management.
- ISO/IEC 27006 – Individuals or companies that provide audit and certification of IT security management systems should be aware of the requirements set out in this standard.
- ISO/IEC 27011 – Telecommunication organizations that have implemented ISO/IEC 27002 may consider adopting the additional guidelines of this standard.
- ISO/IEC 27033-1 – As the network is usually the source of many risks, this standard offers an overview of network security and its concepts.
- ISO 27799 – Organizations in the health field, especially those that use ISO/IEC 27002, should be acquainted with the IT security management guidance in this best practice.
Standards to be Published
To ensure that the best practices of ISO/IEC 27000 stay up to date and can accommodate today’s IT risks, more standards are under development. Some of the standards companies should expect are:
- ISO/IEC 27007 – This standard offers guidance for auditing IT security management systems.
- ISO/IEC 27008 – This standard provides guidance to auditors of ISMS controls.
- ISO/IEC 27013 – For companies that seek to implement both ISO/IEC 2000-1 and ISO/IEC 27001, this standard offers a set of guidelines to follow.
- ISO/IEC 27036 – This standard offers guidelines that help companies and individuals ensure the security of outsourcing.
Similar standards exist elsewhere in the world, for example BS 7799, so companies should consider which set of best practices they need to implement.