The ISO 27000 Family of Standards

By Umar Farouk · Published April 27, 2026 · 5 min read · Source: Coinmonks
We’re back!! And this time we’re jumping from NIST to ISO, or to be precise, the ISO 27000 family. Welcome to the family!!!

The ISO 27000 family of standards is a set of international standards for information security management systems (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The family covers all aspects of an ISMS, from risk assessment to compliance.

The ISO 27000 family of standards is designed to be flexible and adaptable to the needs of different organizations. It can be used by organizations of all sizes and in all sectors. The standards are also regularly updated to reflect changes in the security landscape.

The Categories Within the Family

There are four categories within the ISO 27000 family of standards, as shown in the picture above. The first category describes the overview and terminology. The only standard in this category is ISO 27000 itself.

The second category contains standards that define requirements. The main one is ISO 27001, which defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The other standards in this category are ISO 27006, ISO 27009 and ISO 27701.

The third category of standards provides general guidelines for implementing different standards, policies, procedures and topics. An example is ISO 27002, which provides a set of guidelines for implementing the controls listed in ISO 27001. It covers a wide range of security topics, including access control, cryptography and incident management.

The fourth and final category of standards provides sector-specific guidelines. For example, ISO 27010 provides guidance on information security management for inter-sector and inter-organizational communications. There are four other industry-specific standards in this category: ISO 27011, ISO 27017, ISO 27018 and ISO 27019.

Normative Standards

You might have seen the two boxes labelled “normative” and “informative”, each with its own color convention, and an obviously intentional one. So, what is a “normative standard”?

A normative standard is one that can be audited for compliance purposes. In the context of information security, normative standards define mandatory requirements, or guidelines that must be followed. For example, the ISO 27001 standard specifies a set of requirements for an ISMS.

These requirements are considered essential and binding within a specific industry, and organizations are expected to adhere to the standard to ensure compliance.

Organizations can get certified against normative standards by external certification bodies in order to demonstrate compliance. There are four normative standards, namely:

- ISO 27001 (we’ll cover this standard in depth in future publications)

- ISO 27006: This standard specifies the requirements for organizations that provide certification and auditing services for ISO 27001. It’s relevant for organizations seeking ISO 27001 certification.

- ISO 27009: This standard specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This standard explains how to:

- ISO 27701: This standard is for privacy information management and extends ISO 27001 and ISO 27002 to cover privacy management within the context of the organization. It specifies requirements for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). It is applicable to all types and sizes of organizations that are PII controllers and/or PII processors processing PII within an ISMS.

Informative Standards

An informative standard is a type of standard that provides guidance, recommendations, or informative content without imposing mandatory requirements. It is not prescriptive, meaning that it does not specify how something must be done.

In the context of information security, informative standards can be used to:

Introduction to the ISO 27000 Standard

The standard is part of the ISO/IEC 27000 series, which comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The ISO 27000 standard provides an overview of information security management systems (ISMS). It also describes the vocabulary, terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g., commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in this standard:

- cover commonly used terms and definitions in the ISMS family of standards.

- do not cover all terms and definitions applied within the ISMS family of standards.

- do not limit the ISMS family of standards in defining new terms for use.

The documentation of the ISO 27000 standard can be downloaded for free at the ISO website or from the link provided at the end of this article.

Conclusion

The ISO 27000 family of standards has proven to be a valuable resource for organizations of all sizes and in all sectors. By implementing these standards, organizations can improve their information security posture, reduce their risk of a data breach or cyberattack, and increase their compliance with regulations.

I hope you have found value in today’s article; consider subscribing and following me on my socials. If you need any of the documents used in this demo, I am a DM away.


The ISO 27000 Family of Standards was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.