ISO 27000 and the set of Information Security standards

🕑 4 minutes read

What is ISO 27000?

The standards that make up the ISO/IEC-27000 series are a set of standards created and managed by the International Organization for Standardization (ISO) and the International Electronic Commission (IEC). Both international organizations are involved in many countries, ensuring their wide dissemination, implementation and recognition around the world.

The 27000 series are aimed at establishing good practices in relation to the implementation, maintenance and management of the Information Security Management System (SGSI) or by its name in Information Security Management System (ISMS). These guidelines aim to establish best practices in relation to different aspects related to information security management, with a strong focus on continuous improvement and risk mitigation.

ISO 27000: provides the basics and common language for the rest of the standards in the series.

What is ISO 27001?

  • ISO 27001: Specifies the requirements needed to deploy and manage an SGSI. This standard is certifiable.
  • ISO 27002: defines a set of best practices for the implementation of the SGSI, through 114 controls, structured in 14 domains and 35 control objectives.
  • ISO 27003– Provides a guide to successfully implementing an SGSI, focusing on the important aspects to successfully perform this process.
  • ISO 27004: provides guidelines for correct definition and setting of metrics to correctly assess SGSI performance
  • ISO 27005: defines how the management of risks linked to information management systems should be carried out, oriented on how to establish the methodology to be used.
  • ISO 27006: sets out the requirements that must be met by organizations that want to be accredited to certify others in compliance with ISO/IEC-27001
  • ISO 27007: is a guide that establishes the procedures for conducting internal or external audits with the aim of verifying and certifying implementations of ISO/IEC-27001
  • ISO 27008: defines how ISMS controls should be evaluated in order to review their technical adequacy so that they are effective in mitigating risks.
  • ISO 27009: complements the 27001 standard to include requirements and new added controls that are applicable in specific sectors, with the aim of making its implementation more effective.
  • ISO 27010: Indicates how information should be treated when it is shared among multiple organizations, what risks may appear, and the controls that should be used to mitigate them, especially when they are related to security management in critical infrastructures.
  • ISO 27011: Establishes the principles for implementing, maintaining and managing an SGSI in telecommunications organizations, indicating how to implement controls efficiently.
  • ISO 27013: Establishes a guide to the integration of standards 27001 (SGSI) and 20000 Service Management System (SGS) into those organizations that implement both.
  • ISO 27014: Establishes principles for information security governance, so that organizations can evaluate, monitor and communicate information security activities.
  • ISO 27015: facilitates the principles of implementation of an SGSI in companies that provide financial services, such as banking or electronic banking services.
  • ISO 27016: Provides guidance for economic decision-making related to information security management, to support the management of organizations.
  • ISO 27017: Provides a guide to 37 specific controls for cloud services, these controls are based on the 27002 standard.
  • ISO 27018: complements standards 27001 and 27002 in the implementation of procedures and controls to protect personal data in organizations that provide cloud services for third parties.
  • ISO 27019: Provides a guide based on standard 27002 to apply to energy-related industries so that they can implement an SGSI.


Highlights of the aforementioned set are 27001 specifying the requirements necessary to implement, maintain and manage an SGSI, within the process of continuous improvement known as The Deming Cycle or PDCA, an acronym for Plan-Do-Check-Act, in relation to the planning, doing, verifying and acting phases. On the other hand, 27002, is a set of 114 controls, grouped into 14 domains, which aim to facilitate good practices in relation to the management of the SGSI

How to approach ISO 27001 through a software?

From GlobalSuite Solutions we have a security system software. A tool that allows the implementation, management and maintenance of Information Security Management Systems based on the ISO 27001 standard. A tool that helps companies and work teams in an integral management of standard and complies with complete cycle of the same, from the beginning and planning of project until maintenance and its continuous improvement.