What is ISO 27000 and ISO 27001 – A Definitive Guide
The ISO/IEC 27000-series, also known as the ‘ISMS Family of Standards’ or ‘ISO27k’ for short, comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides the IT sector with best practice recommendations on information security management, risks, and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality, and IT/technical/cybersecurity issues, and it is applicable to organizations of all shapes and sizes. It is now common for Australian businesses to be audited and held accountable for their data security and privacy. All organizations are encouraged to assess their information risks, treat them (typically by selecting and implementing information security controls) according to their needs, using the guidance in the series where relevant, and then document the results so that they feed into future policies and governance.
Here’s a brief overview of some of the standards in the series:
ISO/IEC 27000: provides an overview of information security management systems, which form the subject of the ISO/IEC 27000 family, and defines the vocabulary used throughout the series.
ISO/IEC 27001: is the best-known standard in the family providing requirements for an information security management system (ISMS).
ISO/IEC 27002: is a code of practice describing information security controls (the reference set that Annex A of ISO/IEC 27001 draws on) together with implementation guidance for each control.
ISO/IEC 27003: focuses on the guidelines for the implementation of an ISMS.
ISO/IEC 27004: provides guidelines for measuring the effectiveness of an ISMS.
ISO/IEC 27005: deals with information security risk management.
ISO/IEC 27006: specifies requirements for bodies that audit and certify ISMSs, and is used as the basis for accrediting those certification bodies.
ISO/IEC 27007: provides guidelines for ISMS auditing (comparable to ISO 19011).
ISO/IEC 27017: gives guidelines on information security controls for cloud services.
ISO/IEC 27018: is a code of practice for the protection of personally identifiable information (PII) in public cloud services that act as PII processors.
ISO/IEC 27031: provides guidance on the concepts and principles of information and communication technology readiness for business continuity.
ISO/IEC 27032: pertains to cybersecurity or the cyberspace security, which is defined as the preservation of confidentiality, integrity, and availability of information in the Cyberspace.
ISO/IEC 27033: provides guidance on network security.
ISO/IEC 27034: provides guidance on application security.
ISO/IEC 27035: provides guidance on information security incident management.
ISO/IEC 27036: provides guidance on security for supplier relationships.
ISO/IEC 27037: provides guidelines for identification, collection, acquisition, and preservation of digital evidence.
ISO 27001
ISO 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure, covering people, processes, and IT systems through a risk management process. It can help small, medium, and large organizations in any sector keep their information assets secure.
An ISMS is a framework of policies and procedures that includes all the legal, physical, and technical controls involved in an organization’s information risk management processes. According to the definition provided by ISO, an ISMS is “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s information security to achieve business objectives.” It is based on a risk assessment and on the organization’s risk acceptance criteria, which together determine how each risk is treated. An ISMS is dynamic: it is expected to adapt as the threat environment and the organization itself change.
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define an information security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Decide how to treat the identified risks (for example, mitigate, accept, transfer, or avoid them).
5. Select the control objectives and controls to be implemented.
6. Prepare a Statement of Applicability listing the selected controls, the justification for including them and for excluding any others, and whether each is implemented.
The standard includes requirements for documentation, management responsibility, internal audits, continual improvement, and corrective action. Annex A of the standard also provides a reference set of information security controls that must be considered when selecting controls for an ISMS; any control left out has to be justified in the Statement of Applicability.
The benefits of ISO 27001 are broad and can include:
- Compliance with legal, regulatory, and contractual requirements.
- Gaining new business opportunities with security as a selling point.
- Increasing customer and business partner confidence.
- A systematic approach to securing sensitive company information.
- Providing customers and stakeholders with confidence in how you manage risk.
- Allowing for secure exchange of information.
- Helping you to comply with other regulations (e.g., SOX).
- Providing you with a competitive advantage.
- Enhanced customer satisfaction that improves client retention.
- Consistency in the delivery of your service or product.
- Managing and minimizing risk exposure.
- Building a culture of security.
- Protecting the company, assets, shareholders, and directors.
Implementing ISO 27001 can also provide operational benefits, such as optimal allocation of resources within the organization and a clear set of priorities for information security. Its reference set of controls helps to ensure the security of information in the organization, and the same set gives auditors a baseline against which to check whether the organization conforms to the standard.