What is ISO 27000?
ISO 27000 is a set of international standards on Information Security. The 27000 family contains a set of best practices for the establishment, implementation, maintenance and improvement of Information Security Management Systems (ISMS).
An Information Security Management System is a set of policies and procedures that serve to standardize the management of Information Security. Below are some details of each standard included in the ISO 27000 family.
- ISO 27000: It contains the vocabulary on which the rest of the standards are based. It is similar to a guide or dictionary that defines the terms used across the whole family.
- ISO 27001: It is a set of requirements to implement an ISMS. It is the only certifiable standard of those included in the list and consists of a main part based on the continuous improvement cycle and an Annex A, which details the general lines of the controls proposed by the standard.
- ISO 27002: It is a compilation of best practices for Information Security that describes controls and control objectives. It currently has 14 domains, 35 control objectives and 114 controls.
- ISO 27003: It is a guide to help in the implementation of an ISMS. It serves as support for the 27001 standard, indicating the general directives necessary for the correct implementation of an ISMS, and includes instructions on how to implement an ISMS successfully.
- ISO 27004: It describes a series of recommendations on how to carry out measurements for the management of Information Security. It specifies how to define metrics, what to measure, how often, how to measure it and how to achieve objectives.
- ISO 27005: It is a guide of recommendations on how to address the management of information security risks that may compromise organizations. It does not specify any particular risk analysis and management methodology, but it includes examples of possible threats, vulnerabilities and impacts.
- ISO 27006: It is a set of accreditation requirements for certifying organizations.
- ISO 27007: It is a guide to auditing ISMSs. It establishes what to audit and when, how to assign appropriate auditors, the planning and execution of the audit, key activities, etc.
- ISO 27008: It provides information regarding the implementation of security controls and how technical compliance can be verified. Although it is not directed at certification entities, its use is helpful for both organizations and certifiers. It provides guidance on how to address the controls defined in ISO 27002.
- ISO 27010: It is about information exchange between organizations: the risks involved, the controls that can be implemented and the incidents that can occur. It is strongly oriented to the protection of information exchanged in relation to Critical Infrastructures. It proposes common rules so that security problems do not occur in the exchange of sensitive information.
- ISO 27011: It is aimed at organizations in the telecommunications sector. Due to the importance of information in this segment of companies, it proposes a list of controls and the way to implement them, with a special focus on this type of organization.
- ISO 27013: Standard that guides integration between 27001 and 20000 standards. It helps organizations to implement both standards at the same time or to benefit from implementation of one of them based on another existing one. This standard contains an annex that compares both standards.
- ISO 27014: It is a standard guide to information security governance. It facilitates management, control and assessment of information security in organization’s activities.
- ISO 27015: It provides a guide to initiate, implement, monitor and improve an Information Security Management System in the financial sector. It is becoming increasingly important due to the massive growth of online banking operations, and banking organizations are leaning on it to implement their management systems.
- ISO 27016: It provides a guide for assessing the economic aspects of information security. It is used to understand the economic consequences that keeping information protected can have for an organization.
- ISO 27018: It is a guide of best practices for the protection of personally identifiable information (PII) in the cloud for organizations that act as processors of this information. Privacy and security in cloud environments are surrounded by big questions; in this context, this standard provides a set of good practices that aims to provide confidence in the sector.
- ISO 27019: It is a set of good practices based on the 27002 standard so that the energy industry can implement an Information Security Management System.
Likewise, the main pillars of the 27K family are the 27001 and 27002 standards. The main difference between these two standards is that 27001 is based on continuous security management supported by the identification of risks on an ongoing basis. Instead, 27002 is merely a guide of best practices that describes a series of control and management objectives that organizations should pursue.
Obtaining ISO 27001 certification allows organizations to demonstrate a level of Security to users and other organizations, and it is becoming more and more important among organizations and companies of all sectors, which are increasingly implementing it.
How to approach ISO 27001 with software?
At GlobalSUITE Solutions we have GlobalSUITE – Information Security, software entirely developed by our team that allows the implementation, management and maintenance of Information Security Management Systems based on the ISO 27001 standard. It is a tool that helps companies and work teams in the integral management of the standard and covers its complete cycle, from the beginning and planning of the project to its maintenance and continuous improvement.