Demystifying ISO/IEC 27000: Navigating the Landscape of Cybersecurity Standards

The ISO/IEC 27000 family provides cybersecurity standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The best practices developed by these organizations’ teams of experts help all types of organizations in implementing and operating an information security management system. This comes with benefits. Implementing a robust information security management system that is based upon the ISO/IEC 27000 series helps the organization to prevent and reduce the impact of security incidents, thereby protecting the organization from significant loss of revenue and also possible damages to its reputation. The internationally recognized ISO/IEC 27001 certification also lets everybody know that the organization prioritizes security, allowing it to stand out among a sea of options.

What is ISO/IEC 27000 all about and which standard can be of help?

The popular ISO/IEC 27001 certification is the backbone of ISO/IEC 27000 compliance, and the newer ISO/IEC 27701 standard expands on the famous 27001. ISO/IEC 27701 again expands the original and it is especially aimed for organizations that process personally identifiable information. Additional standards of the 27000 series complement these by providing supplementary details and information, that is tailored to specific sectors and regulations.

ISO/IEC 27001 is in high demand in organizations that handle sensitive information, such as customer, third party or employee data. It is also very popular with organizations that deal in proprietary knowledge. Although it is often associated with the world of information technology, the ISO/IEC 27001 certification benefits organizations in all fields of operations, such as finance, telecommunications, healthcare and government. ISO/IEC 27001 calls for a systematic examination of security risks across an organization to develop an overarching management process that protects the organization’s information on an ongoing basis, and therefore it is suitable for a very wide range of different institutions. When the requirements of ISO/IEC 27001 are applied, organizations can ensure the confidentiality, the integrity, and also the availability of its data.

While ISO/IEC 27001 is the main standard in the series, ISO/IEC 27002 burrows deeper into security-based control measures, from human resources to system acquisition and asset management. Organizations that have identified or are in the process of identifying security controls specific to their needs can use this standard to get more details about the controls they want to implement.

Similar to ISO/IEC 27002, the ISO/IEC 27003 standard complements ISO/IEC 27001 by providing detailed information on how to plan the implementation of an information security management system. It clarifies what you should do, as well as what you can do, and also what you may do. No new requirements are included in ISO/IEC 27003, but the framework can help organizations identify guidance that best suits their own context.

ISO/IEC 27701 is a recent addition to the 27000 series that adds personal data privacy protection to the information security management system. As a complementary certification to ISO/IEC 27001, this standard helps organizations strengthen their personal data privacy protection and it also helps the organization to achieve compliance with regulations such as the General Data Protection Regulation (GDPR). Organizations that collect personally identifiable information, benefit immensely from obtaining this certification.

The ISO/IEC 27017 standard focuses again on cloud-based environments. It defines the responsibilities and obligations between cloud service providers and cloud customers, expanding and supplementing the ISO/IEC 27002 to outline security controls for the protection of virtual and cloud environments, assets, and any other matters that are specific to cloud-based environments.

ISO/IEC 27018 provides in its turn guidance for cloud providers, focusing on assessing risks and implementing controls for the processing of personally identifiable information in cloud services. For cloud service providers interested in additional ISO/IEC 27701 certifications, ISO/IEC 27018 addresses the specific requirements for personally identifiable information that is aimed to protect public cloud users.

Achieving compliance with ISO/IEC 27000 standards

The process of achieving compliance with ISO/IEC 27000 standards starts with developing a better understanding of the standards, so after you have read this short news post you are already very well on your way!

However, the big question in every process that aims towards achieving compliance is; how do you want to proceed? For example, will your work be limited to a smaller geographic area or is it supposed to benefit the entire worldwide organization? How will the interested parties, e.g. employees and stakeholders, be affected? Drawing up a plan on how to proceed in order to implement the standard with responsibilities, will ease the initial part of the process, and it will also help you maintain long-term compliance.

After this, the process of achieving certification is quite strait forward. It is about assessing, minimizing, and recording your activities in compliance with the standard. Once you have defined controls and provided the required evidence that you are implementing them, you only need to gather your documentation and send it to your auditor. Then, it is just a question of waiting for an audit and preparing yourself for certification!

Read more about these standards from the International Organization for Standardization:

ISO/IEC 27000 family
Information security management