Overview of the ISO 27000 sections
The six parts of the 27000 series each deal with a different area of an Information Security Management System (ISMS). This document briefly outlines each section and then concentrates on ISO 27001, the section that details the requirements for an ISMS. An overview of what the series covers is given in the table below.
ISO 27000 Series

| Standard | Subject |
|---|---|
| ISO27001 | ISMS requirements |
| ISO27002 | Description of security controls (code of practice) |
| ISO27003 | ISMS implementation guidelines |
| ISO27004 | ISMS measurement and metrics |
| ISO27005 | Information security risk management |
| ISO27006 | Guidelines for ISO 27000 accreditation bodies |
As can be seen in the table above, ISO 27001 details the actual requirements that businesses must meet to comply with the ISO 27000 standard. ISO 27002 builds on ISO 27001 by describing the various controls that can be used to meet those requirements. ISO 27003 covers implementation of the standard, including project approval, scope, analysis, risk assessment, and ISMS design. ISO 27004 outlines how an organization can monitor and measure security in relation to the ISO 27000 standards using metrics. ISO 27005 defines the high-level risk management approach recommended by ISO, and ISO 27006 outlines the requirements for organizations that assess ISO 27000 compliance for certification.
The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”. The standard can be broken down into the following sections:
- Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
- Security policy – formal statements defining the organization’s security expectations.
- Asset management – inventory and classification of information assets.
- Human resources security – security aspects for employees joining, moving within, or leaving an organization.
- Physical and environmental security – physical/tangible measures used to protect systems and data, such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.
- Communications and operations management – management of technical security controls in systems and networks.
- Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
- Information systems acquisition, development and maintenance – building security into applications when they are designed or purchased.
- Information security incident management – planning and responding appropriately to information security breaches.
- Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.
Benefit to business
Compliance with the ISO standards provides a company with a credential demonstrating that it meets the requirements of this well-recognized standard. It also gives employees and clients more assurance that their data is safe with the company. In some cases, companies may require ISO certification in order to do business. The ISO 27000 standard contains many useful recommendations, and companies are encouraged to familiarize themselves with them even if they do not plan on becoming certified. The standard itself must be purchased; however, qualified compliance practitioners can assist with preparing for the compliance effort.
ISO 27000 comprises six parts outlining the requirements for certification, guidelines for achieving those requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as for those merely interested in improving their security. Like the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.