Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO27001, ISO27002, ISO27017, ISO27018 etc. – Explained

 

The ISO (International Organization for Standardization), helped by the IEC  (International Electrotechnical Commission) is always releasing new standards across a wide variety of subject areas and few have been quite as busy as the 27000 family which addresses information security. The family starts at ISO/IEC 27000 ( Overview and vocabulary) and currently goes all the way through to ISO/IEC 27037 (Guidelines for identification, collection, acquisition and preservation of digital evidence), with more extending up to ISO/IEC 27043 in the pipeline.

But with (appropriately enough) 27 existing standards to choose from in the ISO/IEC 27000 family, how do you decide which ones are worth a) implementing and b) becoming certified to? I’ll answer these questions, but in reverse order.

Internet security concept. Flat design. Icon in turquoise circle on white background

Which ones can an organization be certified to?

There is officially only one standard that an organization can become certified to and that’s ISO/IEC 27001, Information Security Management Systems – Requirements. All the others (Ok, with the exception of ISO/IEC 27006 which is just for auditors) are defined as being guidance for making the best job you can of ISO/IEC 27001; some cover particular aspects of the requirements in more detail, some address extra controls you should consider if you’re in a specific industry and some cover the types of systems you might want to have to improve your information security. The best known guidance standard is ISO/IEC 27002 – Code of practice for information security management which goes into a lot more detail about how to implement all those reference controls in Annex A of ISO/IEC 27001.

But as I said, that is the official position. The reality is that it is possible to pay an auditing organization to certify that your company meets one of the other standards too and you can see why a company might want to do that. It’s all about credibility and assurance to the customer after all. This is why large hosting companies like Amazon Web Services proudly display their ISO/IEC 27017 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) certificate on their website. In theory it’s not allowed, but in practice…

What standard(s) should we implement?

This is obviously going to depend on what you are trying to achieve. Organizations implement information security standards for varying reasons, although most of these are usually to do with either making more sales or protecting themselves from risk. The most important principle to establish however is that whichever standards you feel fit your industry and/or business model best, you are still going to need an Information Security Management System (ISMS) and this is what ISO/IEC 27001 (and only this standard) delivers. The ISMS is the framework that defines the setting of objectives, the monitoring, the risk management process, the management reviews, the internal audits and the continual improvement, to name but a few of its benefits. You could, if you choose, implement any of the other codes of practice but without the fundamental building block of the ISMS this may simply amount to a one-off control-tightening exercise. The threats are constantly adapting so you have to also, and the ISMS gives you that essential mechanism. So for me, ISO/IEC 27001 is still top of the implementation schedule every time.

Ok, having got that out the way, what’s next? Well, some of the standards simply add further detail to the main parts of your ISMS so whilst you could use these to make sure you do a great job of your implementation, you’re probably not going to want to claim certification to them. I would put the following into this category:

ISO/IEC 27002 — Code of practice for information security management

ISO/IEC 27003 — Information security management system implementation guidance

ISO/IEC 27004 — Information security management — Measurement

ISO/IEC 27005 — Information security risk management

ISO/IEC 27033 — Network security (multiple parts)

ISO/IEC 27035 — Information security incident management

Although sometimes organizations do advertise their conformance to ISO/IEC 27002 which is fair enough (but it’s still not an ISMS).

Then there are some standards in the ISO/IEC 27000 family that help if you are in a particular industry. The main ones are:

ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

ISO/IEC TR 27015 — Information security management guidelines for financial services

ISO 27799 — Information security management in health using ISO/IEC 27002

ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

These may well be appropriate to claim certification (or at least conformance) to if an appropriate auditing body offers such a service and you felt it would mean something to your customers or your organization.

Finally, there are the standards that relate to specific types of business model and these are receiving quite a lot of press at the moment. These are:

ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

These standards are raising a lot of interest amongst cloud service providers for obvious reasons. Let’s look at each of these in a bit more detail.

ISO/IEC 27017

The shared nature of cloud services means that they have their own particular set of benefits but also risks. The ISO/IEC 27001 standard and the ISO/IEC 27002 code of practice are fairly vague when it comes to the specifics of cloud services so this standard has been produced to plug that gap. The layout of the standard mirrors that of Annex A of the 2013 version of ISO/IEC 27001 (and therefore the 2013 version of ISO/IEC 27002) but goes into more detail about thirty-seven of the Annex A controls, with an extra seven added for good measure in areas such as virtual machine configuration and customer environment separation. Both the customer and supplier perspective are given, implying that the security of the cloud is very much a two-way deal.

Note that, as at the date of publication of the 2022 version of ISO/IEC 27001, we await a revised version of ISO/IEC 27017 that relates to the new Annex A control set.

ISO/IEC 27018

With the EU General Data Protection Regulation (GDPR) now established and continuing debate over transfers of PII to the USA, Privacy is a hot topic and the intention of this standard is to help organizations protect Personally Identifiable Information (PII) more effectively. As with ISO/IEC 27017, this standard builds on the 2013 version of ISO/IEC 27001/2 but also introduces an extended control set for PII protection, covering areas such as consent and choice, data minimization and privacy compliance.

In Summary

There is a confusing array of different members of the ISO/IEC 27000 family and the number seems set to only expand as further specific industries and organization types are catered for. The key thing to remember is that all of these are built upon the ISO/IEC 27001 standard and this represents the starting point for the enhancements.

For organizations such as cloud service providers there is some very relevant guidance available and we would encourage them to use the available resources to create the very best ISMS they can.

Note, this blog has been updated in November 2022 to ensure accuracy for the ISO27001:2022 standard.


More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

The example documents provided were of high quality, so the decision to purchase the document pack in full was made easy. I looked around, but couldn't find anything that had the same level of quality.

SMG Health
Australia

View all Testimonials