ISO 27000 (or ISO27k) refers to a standard and a series of international standards (27001, 27002, ...) set up by the ISO (International Standards Organization) on information security management series (ISMS). The standard was initiated around 2005 and revised multiple times (2016, 2018) with the support of the different ISO member states representatives, people with an information security background and profession.
The standard describes a norm to which organizations can organize themselves in order to properly manage information and information security. It sets out a series policies, defines the setup of a system to control and manage the policies. Today the standard is being referred to by many compliancy requirement regulations and setups such as the Network and Information Security Directive by the European Commission and the European Member States.
The ISO 27000 series have been divised into multiple sub-standards
- 27001 : This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard
- 27002 : This is the 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1)
- 27003 : guidance for the implementation of an ISMS (IS Management System)
- 27004 : measurement and metrics
- 27005 : methodology independent ISO standard
- 27006 : accreditation of organizations offering ISMS certification.
- 27007 : ISMS auditing
- 27032 : CyberSecurity
- 27033 : Network Security
(* 27013 : Manufacturing)
The objective of the 27001 standard itself is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization". The original standard was more oriented towards planning and organizing, the later versions more towards measuring and evaluating. 27002 is about controls and control mechanisms.
Organizations can have their ISMS's or their ISO process certified, which can be needed for compliance reasons.