ISO/IEC 27001 is constantly talked about by information security professionals, but most don’t realise that there is a whole host of other standards in the ISO/IEC 27000 family that give guidance on the implementation of an information security management system (ISMS).
For instance, there is:
- ISO/IEC 27003 that gives guidance on the implementation of an ISMS
- ISO/IEC 27014 that outlines how to employ effective information security governance
- ISO/IEC 27019 that makes implementing an ISMS in the utility industry easier.
In short, don’t just stick to the core ISMS standards such as ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005. Take a look at the other standards, which could be more applicable to your ISMS certification project.
The list below covers the ISO/IEC 27000-family standards published at the time of writing and summarises what each one covers:
- ISO/IEC 27000:2012 (ISO 27000) ISMS – Overview & Vocabulary
- ISO/IEC 27001:2005 (ISO 27001) ISMS – Requirements (the international successor to BS 7799 Part 2).
Read about the draft version of the proposed updated ISO27001:2013 standard
- ISO/IEC 27002:2005 (ISO 27002) Code of practice for information security management as from May 2007 – formerly ISO/IEC 17799
Read about the draft version of the proposed updated ISO27002:2013 standard
- ISO/IEC 27003:2010 (ISO 27003) ISMS implementation guidance
- ISO/IEC 27004:2009 (ISO 27004) Information security metrics and measurements.
- ISO/IEC 27005:2011 (ISO 27005) Information security risk management (based on and incorporating ISO/IEC 13335 MICTS Part 2).
- ISO/IEC 27006:2007 (ISO 27006) Requirements for bodies providing audit and certification of information security management systems.
- ISO/IEC 27007:2011 (ISO 27007) Guidelines for information security management systems auditing against ISO/IEC 27001, and guidance on the evaluation of ISMS auditors.
- ISO/IEC 27008:2011 (ISO 27008) Guidelines for Auditors on Information Security Controls.
- ISO/IEC 27010:2012 (ISO 27010) Information security management for inter-sector and inter-organisational communications.
- ISO/IEC 27011:2008 (ISO 27011) Guidelines supporting the implementation of information security management (ISM) in telecommunications organisations.
- ISO/IEC 27013:2012 (ISO 27013) Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
- ISO/IEC 27014:2013 (ISO 27014) Governance of Information Security.
- ISO/IEC 27015:2012 (ISO 27015) InfoSec Management Guidelines for Financial Services.
- ISO/IEC 27031:2011 (ISO 27031) Describes the concepts and principles of information and communication technology (ICT) readiness for business continuity.
- ISO/IEC 27019:2013 (ISO 27019) Information security for the energy utility industry.
- ISO/IEC 27032:2012 (ISO 27032) Guidelines for Cybersecurity, preserving the confidentiality, integrity and availability of information in Cyberspace
- ISO/IEC 27033-1:2009 (ISO 27033-1) Defines the concepts and provides management guidance on network security.
- ISO/IEC 27033-2:2012 (ISO 27033-2) Provides guidance on the design and implementation of network security.
- ISO/IEC 27033-3:2010 (ISO27033-3) Reference networking scenarios – Defines the specific risks, design, techniques and control issues.
- ISO/IEC 27034-1:2011 (ISO27034-1) Information Technology – Security techniques, application security overview and concepts.
- ISO/IEC 27035:2011 Information technology – Security incident management.
- ISO 27799:2008 (ISO 27799) Guidelines for managing information security in the health sector.
Look beyond ISO/IEC 27001 to the rest of the ISO/IEC 27000 family!