
ISO 27000 and the set of Information Security standards


What is ISO 27000?

The ISO/IEC 27000 series is a set of standards created and maintained jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Both organizations have national member bodies in many countries, which ensures the wide dissemination, implementation and recognition of these standards around the world.

Today, information is one of a company’s most important assets, so it needs to be properly protected. The ISO 27000 family of standards deals with information security management, and its individual standards can be combined to provide a globally recognized framework.

These standards establish good practices for implementing, maintaining and managing an Information Security Management System (ISMS), with a strong focus on risk treatment and continuous improvement. The recommendations they contain are applicable to any type of organization: large or small, public or private.

ISO/IEC 27000 itself provides the overview, vocabulary and common language on which the rest of the series is built.

Set of Standards of the ISO 27000 Family

  • ISO 27001: specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. It is the core standard of the family and the one against which organizations are certified.
  • ISO 27002: supports the risk treatment process of ISO/IEC 27001 by defining a reference set of good-practice information security controls. The 2022 edition contains 93 controls grouped into 4 themes (organizational, people, physical and technological).
  • ISO 27003: provides guidance for the correct implementation of an ISMS, focusing on the important aspects for successfully carrying out this process.
  • ISO 27004: provides guidelines aimed at the correct definition and establishment of metrics that allow a correct evaluation of the performance of the ISMS.
  • ISO 27005: provides guidance on information security risk management, focusing on how to establish the risk assessment and risk treatment methodology to be used.
  • ISO 27006: establishes the requirements that must be met by certification bodies that want to be accredited to audit and certify ISMSs against ISO/IEC 27001.
  • ISO 27007: provides guidance on conducting internal or external ISMS audits with the aim of verifying, and where applicable certifying, implementations of ISO/IEC 27001.
  • ISO 27008: defines how ISMS controls should be evaluated in order to review their technical adequacy so that they are effective in mitigating risks.
  • ISO 27009: complements the ISO/IEC-27001 standard to include requirements and new added controls that are applicable in specific sectors, with the aim of making its implementation more effective.
  • ISO 27010: Indicates how information should be treated when it is shared among multiple organizations, what risks may appear, and the controls that should be used to mitigate them, especially when they are related to security management in critical infrastructures.
  • ISO 27011: establishes the principles for implementing, maintaining and managing an ISMS in telecommunications organizations, indicating how to implement controls efficiently.
  • ISO 27013: establishes a guide for the integration of ISO/IEC-27001 (ISMS) and ISO/IEC-20000 Service Management System (SMS) standards in those organizations that implement both.
  • ISO 27014: establishes principles for the governance of information security.
  • ISO 27015: facilitates the principles of implementation of an ISMS in companies that provide financial and insurance services.
  • ISO 27016: Provides guidance for economic decision-making related to information security management, to support the management of organizations.
  • ISO 27017: provides a guide for Cloud services, with controls based on the ISO/IEC-27002 standard.
  • ISO 27018: complements the ISO/IEC-27001 and ISO/IEC-27002 standards in the implementation of procedures and controls to protect personal data in those organizations that provide services in Cloud for third parties.
  • ISO 27019: provides a guide based on the ISO/IEC-27002 standard to apply to industries linked to the energy sector, so that they can implement an ISMS.
  • ISO 27021: establishes the competence requirements for ISMS professionals who lead or participate in the establishment, implementation, maintenance, and continuous improvement of one or more ISMS processes.
  • ISO 27022: provides a reference model of processes for the ISMS.
  • ISO 27023: facilitates a guide of correspondences between the ISO/IEC-27001 and ISO/IEC-27002 standards.
  • ISO 27031: provides guidelines on the readiness of information and communication technology (ICT) for business continuity.
  • ISO 27032: facilitates the identification of the general guidelines to strengthen the state of cybersecurity in a company.
  • ISO 27033: establishes the security guidelines for the administration, operation, and use of networks.
  • ISO 27034: provides guidance in the area of information technology, security techniques, and application security.
  • ISO 27035: defines a set of best practices related to security incident management, emphasizing the detection, reporting, and evaluation of security incidents.
  • ISO 27036: referred to Information Security for relations with suppliers, offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers.
  • ISO 27037: offers guidelines for the identification, collection, acquisition, and preservation of digital evidence.
  • ISO 27038: specifies the characteristics of the techniques for digital redaction.
  • ISO 27039: provides a guide to help companies with the selection, deployment, and operation of intrusion detection and prevention systems.
  • ISO 27040: facilitates guidelines for protecting the security of storage systems, as well as for the protection of the data contained therein.
  • ISO 27041: offers a guide and guidelines to ensure the suitability and adequacy of incident investigation methods.
  • ISO 27042: defines the guidelines for a correct analysis and interpretation of digital evidence.
  • ISO 27043: provides a guide of principles and processes for the collection of digital evidence and incident investigation.
  • ISO 27050: a standard developed in four parts that deals with electronic discovery (eDiscovery) of electronically stored information.
  • ISO 27070: defines security requirements that aim to establish roots of trust for the provision of reliable computing environments.
  • ISO 27099: offers requirements to manage information security for public key infrastructure (PKI) trust service providers.
  • ISO 27100: provides an overview of cybersecurity and defines relevant concepts that are related.
  • ISO 27102: describes management guidelines for when considering the acquisition of cyber insurance as a risk treatment option.
  • ISO 27103: offers a guide on leveraging existing standards and norms in a cybersecurity framework.
  • ISO 27110: provides guidelines for developing a cybersecurity framework, based on the principles of flexibility, compatibility and interoperability.
  • ISO 27400: provides a guide based on guidelines on risks, principles, and controls for the security and privacy of Internet of Things (IoT) solutions.
  • ISO 27550: offers privacy engineering guidelines aimed at helping organizations integrate advances in privacy engineering into their system processes.
  • ISO 27555: facilitates guidelines for the development and implementation of policies and procedures for the elimination of personally identifiable information (PII) in organizations.
  • ISO 27570: provides guidance on privacy protection in the development of smart city ecosystems.
  • ISO 27701: developed as an extension to the requirements and controls of ISO 27001 and ISO 27002, it specifies the requirements for a Privacy Information Management System (PIMS) to manage and protect personally identifiable information (PII).
  • ISO 27799: defines guidelines for the implementation of ISO/IEC-27002 in the healthcare industry.

ISO/IEC 27001 stands out from this set as the main standard of the ISO 27000 family: it specifies the requirements needed to implement, maintain and manage an ISMS within a continuous improvement process known as the Deming cycle or PDCA (Plan-Do-Check-Act). ISO/IEC 27002, in turn, is a catalogue of 93 controls grouped into 4 themes, intended as a source of good practice for operating the ISMS.

How to approach ISO 27001 with software?

GlobalSuite Solutions offers a security management software tool for implementing, managing and maintaining an Information Security Management System based on the ISO 27001 standard. It helps companies and their teams manage the standard end to end, covering the complete life cycle from project initiation and planning through to maintenance and continuous improvement.