ISO 27000 Series

ISO 27000 is the generic name given to a family of international standards developed to provide a framework around which an information security management system can effectively be implemented. These standards are given below:

  • ISO 27000 - ISMS Introduction & Vocabulary
  • ISO 27001 - ISMS Requirements (revised BS 7799 Part 2:2005)
  • ISO 27002 - Code of practice for information security management
  • ISO 27003 - ISMS implementation guidance
  • ISO 27004 - Information security metrics and measurements
  • ISO 27005 - Information security risk management
  • ISO 27006 - Requirements for bodies providing audit and certification of information security management systems

The ISO 27000 series is maintained by the International Organisation for Standardisation (ISO) and is administered by accreditation and certification bodies. The standards are revised every few years to keep them up to date.

The ISO 27000 series applies to all types and sizes of organisation and requires a commitment to continual improvement and compliance with applicable legislation and regulations. In particular, organisations are encouraged to assess their information security risks, and then implement appropriate information security controls using the relevant guidance and suggestions.

Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

The series gives recommendations on risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality (the ISO 9000 series) and environmental (the ISO 14000 series).
