
Guide to The ISO 27000 Series of Information Security Standards

Most people have heard of ISO27001/2, but relatively few could explain the difference between
the two or would know about the rest of the series. Here's a guide to the series of international
information security standards.

ISO 27001

Originating from the ISO adoption and enhancement of British Standard BS7799-2, 27001 has a
long history dating back to the 1990s. It sets out requirements for "establishing, implementing,
operating, monitoring, reviewing, maintaining and improving" an Information Security
Management System (ISMS). As such it provides a high-level framework for the governance of
information security in an organisation. It provides high-level control objectives, but not detailed
controls.

ISO 27002

The origins of this standard pre-date 27001, being based on the original BS27002. This is the
standard that sets out the actual controls to be addressed through a formal risk assessment process.
Whilst 27001 is relatively timeless, 27002, being more specific, can be a victim of changing
times - social media, for example. 27002 is of more practical use in establishing information
security controls, whilst 27001 provides the overall framework and process.
This is why the two standards are often referred to as "ISO27001/2" - they are complementary
and designed to be used together.

ISO 27003

The focus of this newer standard is on implementing 27001, based on the PDCA (Plan, Do,
Check, Act) cycle. Its aim is help and guidance, recognizing that 27001 by itself requires an
approach to implementation.

ISO 27004

This standard recognizes that once an ISMS has been implemented, an approach needs to be
established for monitoring and measuring the security condition of the organization. As such, it
provides a process for determining and establishing effective, objective and justified
measurements and suggests specific metrics aligned to controls in 27002.

ISO 27005

This standard provides guidelines for information security risk management supporting an ISMS
based on 27001. 27005 is also process driven, stopping short of requiring a specific
methodology.

ISO 27006

27006 has a slightly different audience from the other standards in the series, setting out
requirements for accrediting the organizations that certify against 27001. It's not one for end-user
organizations to worry about.

What about alternatives?

There is no direct alternative to the international standards - they are the international standards!
However, there are a number of complementary but different standards and frameworks that set
out to achieve many of the same objectives. Examples would be the Information Security
Foundation (ISF) Standard of Good Practice (SoGP), and ISACA's more broadly focused Control
Objectives for IT (CoBIT).

How do you use them?

Use 27001 to establish a framework for information security governance, 27002 to design
controls and 27004 to determine an approach to monitoring you
