ISO/IEC 27000-series

The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).

The series is a deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

At present, four of the standards in the series are publicly available while several more are under development.

Published standards

* ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005)
* ISO/IEC 27002 - the code of practice with good practice advice on ISMS (previously known as ISO 17799 and before that BS 7799 Part 1 (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007).
* ISO/IEC 27005 - designed to assist the satisfactory implementation of information security based on a risk management approach (published in 2008).
* ISO/IEC 27006 - a guide to the certification/registration process (published in 2007).

In preparation

* ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms
* ISO/IEC 27003 - an ISMS implementation guide
* ISO/IEC 27004 - a standard for information security management measurements
* ISO/IEC 27007 - a guideline for ISMS auditing (focusing on the management system)
* ISO/IEC 27008 - a guideline for Information Security Management auditing (focusing on the security controls)
* ISO/IEC 27011 - an ISMS implementation guideline for the telecommunications industry (also known as X.1051)
* ISO/IEC 27031 - a specification for ICT readiness for business continuity
* ISO/IEC 27032 - a guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
* ISO/IEC 27033 - IT network security, a multi-part standard currently known as ISO/IEC 18028:2006
* ISO/IEC 27034 - a guideline for application security

External links

* [http://www.standardsdirect.org/iso17799.htm ISO 17799 Source from BSI]
* [http://iso-17799.safemode.org ISO 17799 Wiki]
* [http://17799-news.the-hamster.com The ISO 17799 Newsletter]

See also

*BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC 27002 was derived
*Standard of Good Practice published by the Information Security Forum