ISO 27000 Family of Standards
Any business can be impacted by a lack of information security resulting in a breach of confidentiality, data corruption, or the loss of access to company data. The subsequent potential financial, reputational, and service delivery damage are immense.
The majority of data breaches are caused by malicious or criminal attack1, so it’s unsurprising that businesses are turning to the ISO/IEC 27000 Family of Standards for guidance on how to implement best-practice Information Security Standards. The series is aligned with the ISO 9001:2015 (Quality Management), ISO 14001:2015 (Environmental Management), ISO 45001:2018 (Occupational Health and Safety Management) Standards, as well as the other latest ISO Management Standards.
Published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), the 27000 series is made up of over a dozen Standards, as well as Guidelines, Specifications and Codes of Practice. Whilst many of the individual elements of the family may not be relevant to your organisation (and are not designed to be certified against) there are six elements which, with a broad understanding, will help give you a starting point when trying to implement an Information Security Management Systems (ISMS):
ISO 27001:2013
Information security management systems (ISMS) – Requirements
ISO 27001 is the main overarching Information Security Standard that provides the requirements for an organisation’s ISMS.
An ISMS is a framework of processes, technology, and people. It utilises technical, administrative, managerial, and legal controls for effective risk management to protect a business’s information assets. You will need to assess your organisation’s information security risks and then apply controls to mitigate those risks.
Annex A of ISO 27001 provides a list of controls which, if implemented, help to mitigate your organisation’s information security risks. The controls from Annex A which are relevant to your risks will be included in your ‘Statement of Applicability’ which lists the controls that are applicable to your organisation, whether they are implemented, and the justification for excluding any of the controls from Annex A.
This is the Standard an organisation’s ISMS can achieve certification to.
ISO 27002:2013
Code of practice for information security controls
This code of practice provides further information on the information security risk controls found in Annex A of ISO 27001 and can assist when deciding which of the controls are applicable to your organisation.
The code provides the same content as Annex A, but includes an additional section ‘Implementation Guidance’ for each security control.
Your organisation cannot become certified to ISO 27002, as this is a code of practice document.
ISO 27005:2018
Information security risk management (ISRM)
This document covers security risk management guidelines for ISRM, specifically those supporting the requirements of an ISMS defined by ISO 27001. Rather than stipulating specific methodology, the guidelines provide a broad approach for applying risk management to any organisation, regardless of industry.
Being a guideline document, your organisation cannot become certified to ISO 27005.
ISO 27017:2015
Code of practice for information security controls based on ISO/IEC 27002 for cloud services
This code of practice (designed to be used alongside ISO 27001) provides guidance for information security controls applicable to organisations using and/or providing cloud-based services.
The code provides both implementation guidance on relevant controls from ISO 27001/27002 as well as additional cloud-based risk controls. You are likely to end up with a list of controls applicable to your normal (non-cloud-based data) and a separate list of controls applicable only to your cloud-based data.
As a code of practice document, your organisation cannot become certified to ISO 27017.
ISO 27018:2019
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This code of practice provides guidelines and establishes commonly accepted control objectives related to the protection of personally identifiable information (PII) in public clouds acting as PII processors.
The code asks you to consider the controls in ISO 27001/ISO 27002 taking into account any relevant regulatory requirements applicable to your organisation. This can result in you creating a separate list of controls that are applicable to your organisation’s public cloud PII.
As a code of practice document, your organisation cannot become certified to ISO 27018.
ISO 27701:2019
Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management – Requirements & guidelines
ISO 27701 provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). As an extension to ISO 27001 and ISO 27002, it provides a framework to establish roles of ‘Personally Identifiable Information (PII) Controllers’ and ‘PII Processors’ within an organisation. People assigned to these roles are responsible for managing privacy controls to reduce the risk to the privacy rights of individuals.
When considering the controls that are applicable to your ISMS from Annex A of ISO 27001/ISO 27002, ISO 27701 requires you to also consider whether they are applicable to your PIMS. There are also additional controls to consider for your PIMS in Annex A & B of ISO 27701.
This Standard also provides mapping against the requirements of ISO 27018 (Cloud-Based Services), ISO 29100 (Privacy Principles), and the European Union General Data Protection Regulation (GDPR).
ISO 27701 is designed to enhance an existing ISMS, and an organisation can achieve certification to this Standard, together with and subject to ISO 27001 certification.
Which Standard should you implement in your organisation?
In the ISO 27000 Family of Standards, ISO 27001 is currently the Standard proving most popular with our clients as it provides a broad risk management framework for managing information security and is ideal for all businesses that want to protect their information.
Whilst ISO 27001 provides sufficient security controls in Annex A for an organisation with an ISMS scope that includes cloud-based services, your organisation may also have a need to implement one or more specific controls from ISO 27017 which are stipulated within a tender requirement or client contract. In which case, you could consider becoming certified to ISO 27001, and also asking your certification body to assess your ISMS against the requirements of ISO 27017 and provide a “verification of conformity” to ISO 27017, alongside your ISO 27001 accredited certification. Similarly, if your organisation’s operations involve handling personal data within the cloud, you may want to consider certification to ISO 27001 along with “verification of conformity” to ISO 27018.
ISO 27701 (PIMS) is designed to enhance an existing ISMS. It is applicable to any organisation that controls or processes personal data and has an ISO 27001 ISMS. Therefore, accredited certification can be achieved to this Standard, with and subject to ISO 27001 accredited certification.
How can we help?
Whether your management system is already certified to one or more of the other ISO Management Standards, or you’re considering implementing your first management system framework, ISO Certification Experts have the expertise and the experience to assess whether your business would benefit from implementing an ISMS, conforming to the relevant Standard(s) in the ISO 27000 Family of Standards.
If our recommendation is to go ahead, we would spend time with key stakeholders and find out the current state of your work practices. As a starting point, we would conduct a Gap Analysis and provide you with a comprehensive report detailing the actions needed to fulfill the requirements of the ISO 27001 Standard. Following that we can assist with closing these action items to get you certification-ready!
About the author
Anthony is the Consulting Manager at ISO Certification Experts. He is a Certified Implementer and Auditor for ISO 27001, ISO 9001, ISO 14001 and ISO 45001.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.