ISO 27000 Series

The ISO (International Organization for Standardization) publishes international standards for the private sector. It is a network of national standards institutes in 163 countries, many of them integrated with the government structures of those countries. Standards are developed by specialist expert groups drawn from business, industry, government, academia, consumer organizations and other relevant groups.

The ISO standards work to facilitate trade; provide a basis for development, production and assessment of products; and to safeguard consumers who use products and services. The ISO produces standards for a wide range of industrial and commercial subjects. This article explores two ISO standards that are especially relevant to privacy professionals.

ISO 27000 Series & ISMS

The ISO 27000 series of standards addresses information security management. The series began in October 2005 and, at the time of writing, comprises six standards that are either published or in preparation:

  • ISO 27001: the certifiable specification for establishing, operating and improving an information security management system (ISMS).
  • ISO 27002: the code of practice for information security management, cataloguing the controls an ISMS can draw on.
  • ISO 27003: implementation guidance for an ISMS, organized around the PDCA (plan-do-check-act) cycle. It has been proposed, but not yet published.
  • ISO 27004: guidance on measuring and assessing the effectiveness of an ISMS and of the controls taken from ISO 27002.
  • ISO 27005: information security risk management. It is expected to be published shortly.
  • ISO 27006: requirements for the accreditation of the bodies that audit, certify and register ISMS.

The ISO 27000 series is closely linked to other standards, including:

  • ISO 17021: requirements for bodies that audit and certify management systems of any type. ISO 27006 builds on it for the ISMS case.
  • ISO 13335: guidance on the management of information and communications technology security. It is closely linked to ISO 27005.
  • ISO 24760: when published, a framework for identity management. It relates most closely to the access control material in ISO 27002.

Together, the ISO 27000 series of standards is used to plan, implement, certify and operate an ISMS. An ISMS, or information security management system, is the term the ISO 27000 series uses for a systematic approach to managing an organization's sensitive information. An ISMS includes people, processes and information systems, not only technical controls. Developing an ISMS is intended to ensure the following:

  • The organization's information assets are inventoried and protected.
  • Information security risks are identified, assessed and treated.
  • The organization's security policies are implemented and enforced.
  • The organization is regularly audited to verify that the security measures remain in place and effective.

Information security involves three main components: confidentiality, integrity and availability. Confidentiality means that information is accessible only to individuals who are authorized to see it. Integrity means that information is accurate and complete, and that it cannot be modified without the knowledge and authorization of its owner. Availability means that authorized individuals can reach the information, and the systems that hold it, whenever they need to.

ISO 27001

ISO 27001, formally titled "Information Technology – Security Techniques – Information Security Management Systems – Requirements," was published in October 2005. It replaces the former BS 7799-2. The BS 7799 family was created by BSI (British Standards Institution) beginning in 1995: Part 1 was a code of practice for information security management, and Part 2, first published in 1999, added the specification against which an ISMS could be assessed and certified. The BS 7799 standards were deliberately technology-neutral and vendor-neutral, and Part 1 was adopted as a code of practice rather than as a prescriptive specification.

The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It does not prescribe how individual security controls are to be implemented; instead it offers a management-system framework that can be applied in any type of organization, from commercial enterprises to public service agencies and non-profit groups. ISO 27001 draws on the OECD Guidelines for the Security of Information Systems and Networks.

The ISO 27001 standard requires an organization's management to do the following:

  1. Systematically examine information security risks, paying particular attention to threats, vulnerabilities and the impact a successful attack would have.
  2. Design and implement a coherent set of information security controls and other forms of risk treatment (such as risk avoidance or transfer) to address the risks judged unacceptable.
  3. Adopt an overarching management process to ensure that the controls continue to meet the organization's information security needs as the organization and its risks change.

ISO 27001 structures the ISMS around repeated PDCA cycles. The PDCA cycle is an iterative four-step method for continuous improvement that originated in quality management. It is applied within improvement programs to verify that an action actually produces the intended result before it is adopted permanently. The cycle involves:

  1. PLAN: identify the problems being faced and design candidate solutions to them.
  2. DO: test the proposed actions on a limited, experimental scale first, so that disruption to regular operations is kept to a minimum.
  3. CHECK: determine whether the experimental actions are achieving the desired result. Monitor the outcome continually so that new problems are identified as soon as they appear.
  4. ACT: once the experimental actions are shown to be effective, implement the changes on a larger scale. This may mean integrating the new actions into daily routines and/or extending them to other individuals or departments in the organization.

In order for an organization to be certified as compliant with ISO 27001, it must go through the following process. First, the organization must decide to start the certification project. During this stage, management must commit to the project and assign responsibilities. Management then develops and publishes an organizational policy covering the ISMS and the certification effort.

The organization then undertakes a scoping exercise that decides which parts of the organization the ISMS will cover. This determines which locations, assets and technologies are included in the certification, and therefore which are subject to audit.

After scoping, the organization carries out a risk assessment to identify the risks to the in-scope assets and to decide how each will be treated. The output is a documented risk treatment plan, together with a statement of which controls apply and why. The resulting procedures and policies are then implemented throughout the in-scope parts of the organization. Finally, auditors from an accredited certification or registration body verify compliance.

ISO 27002

ISO 27002, formally titled "Information Technology – Security Techniques – Code of Practice for Information Security Management," was published in 2005 (originally as ISO 17799:2005 and renumbered ISO 27002 in 2007). The standard is based on the UK standard BS 7799-1. ISO 27002 and ISO 27001 are meant to be used together: 27001 specifies the management system, and 27002 supplies the catalogue of controls the system selects from.

The objective of ISO 27002 is to provide guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization. Its contents are meant to be applied in light of a risk assessment. It is an advisory document rather than a certifiable specification, so an organization that adopts ISO 27002 must identify its own information security risks and select and tailor appropriate controls, using the document as a framework.

The 2005 edition of the standard sets out thirty-nine control objectives, supported by 133 individual controls, that specify what an organization's security measures should achieve. These control objectives form the basis from which an organization derives the principles of its own information security policies. The main sections under which the control objectives fall are as follows:

  1. Risk assessment and treatment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

While ISO 27003 is intended to offer implementation guidance, a number of critiques of ISO 27002 have surfaced since its publication. Potential areas for revision include:

  • The standard does not adequately address risk assessment. It ought to describe risk assessment activities in more detail.
  • The standard does not clearly define what an organization's security policy should contain.
  • The standard should give organizations more help with business continuity, for instance in planning recovery and in coping with incidents as they arise.
  • The standard's treatment of IT auditing should be deeper, covering the value of auditing and how audit findings feed back into improvement.

Increasing Certification

There are a number of reasons for the growth in certification to ISO 27000 series standards. Two important drivers are the increase in threats to information and the increase in regulatory and statutory requirements for information protection. Over the past decade, a formal ISMS has come to be seen as a necessity for organizational best practice.

According to international reports, the number of ISO 27001 certifications has been growing steadily, by approximately one thousand organizations per year. At the same time, global information security threats are becoming more visible, and they target any organization or individual that relies on electronic information. Personal data is also exposed to natural disasters, external attack, internal corruption and theft. This has led to increasing demand from suppliers, business partners and consumers that organizations demonstrate compliance.


This article has introduced the ISO 27001 and ISO 27002 standards and the ISO 27000 series to which they belong, which governs information security management and is therefore of direct interest to privacy professionals. ISO 27001 helps organizations design, implement and improve an ISMS (information security management system) by providing a certifiable model. ISO 27002 provides guidelines for managing the life cycle of information security within an organization and comprises a set of control objectives. The article also discussed the drivers behind the growing adoption of these standards.

Foundations Exam Preparation

In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:

  • Business risk management (I.C.a.)
  • Information security standards (II.A.d.)
  • Information security management (II.C.a.)
