ISO 27000 - Information Security Management

ISO 27000 (or ISO27k) refers to a standard and a series of international standards (27001, 27002, ...) set up by the ISO (International Standards Organization) covering information security management systems (ISMS). The standard was initiated around 2005 and revised multiple times (2016, 2018) with the support of the representatives of the different ISO member states, people with an information security background and profession.

The standard describes a norm according to which organizations can organize themselves in order to properly manage information and information security. It sets out a series of policies and defines the setup of a system to control and manage those policies. Today the standard is referred to by many compliance requirements and regulations, such as the Network and Information Security Directive of the European Commission and the European Member States.

The ISO 27000 series has been divided into multiple sub-standards:

  • 27001 : the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard
  • 27002 : the 27000 series number of what was originally the ISO 17799 standard (itself formerly known as BS7799-1)
  • 27003 : guidance for the implementation of an ISMS
  • 27004 : measurement and metrics
  • 27005 : methodology-independent ISO standard
  • 27006 : accreditation of organizations offering ISMS certification.
  • 27007 : ISMS auditing
  • 27032 : CyberSecurity
  • 27033 : Network Security

(* 27013 : Manufacturing)

The objective of the 27001 standard itself is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)". Adopting it should be a strategic decision. Further, "The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization". The original standard was more oriented towards planning and organizing; the later versions more towards measuring and evaluating. 27002 is about controls and control mechanisms.

Organizations can have their ISMS or their ISO process certified, which can be needed for compliance reasons.

https://www.iso.org/standard/73906.html

https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip  (public download)

ISO/IEC 27019:2017 (see https://www.iso.org/standard/43759.html)

Provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

Its scope includes:

  • central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
  • digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
  • all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
  • communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
  • Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
  • measurement devices, e.g. for emission values;
  • digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
  • energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures;
  • all software, firmware and applications installed on the above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
  • any premises housing the above-mentioned equipment and systems;
  • remote maintenance systems for the above-mentioned systems.

ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities; that domain is covered by IEC 62645. ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry sector-specific guidance provided in this document.