The Ultimate Guide to the ISO 27000 Series

  • March 17, 2022

Open any news app and you’ll quickly see why information security is more important than ever. A new cyberattack is launched every 39 seconds, and each one costs companies an average of $8.64 million. 

If your company handles sensitive data, you need to earn and keep your customers’ trust. That’s where ISO 27000 security standards come in. 

The ISO 27000 family of standards comprises several sets of guidelines, all aimed at certifying a company’s information security policies. ISO 27001 is the central international standard, while the others provide information security guidelines that independent auditors and certification bodies can use to certify your internal information security controls.

An ISO 27000 certificate is one of the best ways to show prospective clients that you can be trusted to safeguard their data. If you’re wondering how an audit works or what details you’ll need to document, this guide has all the answers you need.

What is ISO/IEC 27000?

The ISO 27000 series of standards is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to help organizations improve their information technology security by building a strong information security management system (ISMS).

This ISMS is designed to mitigate risk across three pillars of information security: people, processes, and technology.

The ISO/IEC 27000 series comprises 46 individual standards, including ISO 27000 itself.

At its core is ISO 27001, which details requirements for implementing an ISMS. ISO/IEC 27001:2013 is the only standard in the ISO 27000 series that companies can be audited and certified against.

While not every ISO standard will apply to your organization, it’s helpful to get an overall understanding of ISO 27000 and its core principles, including requirements for building an ISMS. 

What is an ISMS?

The concept of an ISMS is fundamental to ISO 27000, so let’s define it in more detail. 

An information security management system is the entire set of processes an organization uses to interact with secure data. An ISMS should protect information assets from unauthorized access, proactively identify and mitigate risk, and ensure data availability. 

Most people think of an ISMS in the context of hardware and software. Under ISO 27000, the definition is broader, including workflows, policies, plans, and culture.

What are the ISO 27000 standards?

The ISO 27000 standards list includes 12 separate standards. If you’re looking for a certificate, ISO 27001 is the only mandatory set. But working knowledge of the others can help you decide which apply to you.

ISO/IEC 27001:2013

ISO 27000 outlines the security techniques necessary to properly safeguard customer data. ISO 27001 is where those principles meet the real world. Businesses implement the requirements outlined in ISO 27000 standards and verify the effectiveness of their ISMS through an ISO 27001 audit. 

ISO 27001 lists the requirements for building a compliant ISMS. The ISMS must be: 

  • Clearly documented
  • Supported by senior leadership
  • Capable of anticipating and mitigating risks
  • Supplied with all the resources it needs to function
  • Regularly reviewed and updated

Annex A of ISO 27001 lists 114 specific controls that an organization might use to meet these requirements.

ISO/IEC 27002

ISO 27002 builds on the controls discussed in Annex A of ISO 27001. While Annex A provides a quick rundown of each control, ISO 27002 describes them all in full.

ISO 27002 is useful because a company under ISO 27001 audit only needs to address the controls relevant to it. For example, if you don’t have any employees who work remotely, you likely don’t need to implement controls on leaving company computers in public spaces.

ISO/IEC 27003

ISO 27003 provides general guidance on building an ISMS. It’s an excellent resource for the pre-audit phase when you can use its guidelines to conduct a gap analysis and determine what your company still needs to do in order to reach ISO 27001 compliance.

ISO/IEC 27004

ISO 27004 builds on ISO 27003 by suggesting ways to evaluate and monitor the security of your ISMS. It also helps organizations determine which of the controls in ISO 27002 might be useful for audit preparation.

ISO/IEC 27005

ISO 27005 is a code of practice devoted to information security risk management. Since forecasting, analyzing, and mitigating risk is a crucial part of ISO 27001 certification, it pays to study this one in as much detail as possible. Sections cover assessing risks; choosing whether to mitigate, accept, or avoid them; and monitoring risk responses over time.

ISO/IEC 27006

ISO 27006 is a set of information security standards that determine whether a firm is qualified to perform ISO 27001 audits. Unless your business relates directly to performing compliance audits, this series isn’t likely to be meaningful for you.

ISO/IEC 27007 and ISO/IEC 27008

This pair of information security standards was introduced in 2011 and revised in 2020. They build on ISO 27006 by providing guidelines for accredited organizations to conduct ISMS audits.

If you’re seeking an ISO 27001 certificate for your company, it’s a good idea to read these over. They’ll give you a sense of what your auditor will consider while they evaluate your ISMS.

ISO/IEC 27017 and ISO/IEC 27018

This pair of information security standards first appeared in 2014, near the beginning of the cloud services boom. They provide controls for securing any data your organization stores in the cloud.

ISO 27017 and ISO 27018 are to cloud data what ISO 27002 is to data managed on-premises. You’re free to use both sets of controls in parallel — ISO 27002 for your on-site data as well as ISO 27017 and ISO 27018 for data stored in the cloud.

ISO/IEC 27033

The code of practice in ISO 27033 governs network security. ISO 27002 includes several controls for securing a company’s internal network; ISO 27033 builds on these controls and offers specification and implementation guidance.

ISO/IEC 27034

This series centers on application security, including the application security controls (ASC) data structure and the assurance prediction framework.

ISO/IEC 27035

This series covers information security incident management, including your organization’s incident response plan. 

How will you ensure business continuity if a breach occurs? Every company should clearly map out responsibilities and communication plans in the event of a security incident. 

ISO/IEC 27701

One of the newest ISO standards, ISO 27701 focuses on privacy. It was created in response to the EU strengthening GDPR and requiring organizations to take “appropriate measures” to secure users’ private information.

ISO 27701 explains what those appropriate measures might be. In essence, it’s about building a privacy information management system (PIMS) in conjunction with your ISMS.

How do I get ISO 27000 certified?

Technically, you don’t.

Just to clear up any remaining confusion, there’s no such thing as ISO 27000 certification. ISO 27001 is the standard that lays out instructions for certifying an organization as compliant with any part of ISO 27000.

With that out of the way, how do you get ISO 27001 certified?

Start the ISO 27001 certification process by understanding ISO 27000 standards in detail. For example, if you store part of your infrastructure in the cloud, study ISO 27017 and ISO 27018. If your customers are in the EU, study ISO 27701, etc.

Your next step is to make sure your ISMS is up to par. ISO 27003 will be helpful here. If your documented ISMS fits all relevant controls in each section of ISO 27000 (at least on paper), it’s time for the risk assessment.

Develop your risk assessment process using the guidelines in ISO 27005 to help you along. It will reveal areas in which your ISMS falls short of compliance, illuminating which unmitigated risks carry the greatest potential consequences. 

ISO 27001 compliance requires documentation of both the risk management process and the decision made regarding each risk — whether to avoid, mitigate, absorb, or transfer.

The last step is to document a process for continuously improving your ISMS. Use ISO 27004 as your guiding light for adapting your ISMS to constantly evolving information security threats.

At this point, if you’ve got all the required documentation and digital evidence, you’re ready for a Stage 1 audit. Choose an auditor who has experience working in your industry, and who’s a good fit for your corporate culture.

During the Stage 1 audit, the auditor will conduct a preliminary review of your documentation and ISMS and point out any shortfalls you may have missed. You’ll have a chance to review the initial report and rectify any mistakes before the final certification audit.

The auditor will then conduct a Stage 2 audit, which involves an on-site evaluation of your ISMS. Your auditor will also ensure that your company is following the policies and procedures they reviewed during Stage 1. 

If you’re found to be in compliance with all relevant ISO 27000 standards, the auditor will then issue you an ISO 27001 certificate. 

What is the purpose of an ISO 27001 audit?

During an ISO 27001 audit, a professional auditor accredited by ISO examines an ISMS and its documentation to see if it satisfies ISO 27001 standards. Based on the auditor’s evaluation, the business is awarded an ISO 27001 certificate.

Is ISO 27000 mandatory? No. 

Yet more than 33,000 organizations are currently ISO 27001 certified, and the reason is simple: the benefits outweigh the cost. Here are some of the advantages of ISO 27000 compliance:

  • Attract more customers. Potential clients and customers are well aware of the growing risks posed by data breaches. When selecting partners to work with, clients take information security heavily into account. ISO 27001 certification can sharpen your competitive edge significantly.
  • Prevent costly data breaches. A high-profile data breach can be devastating for a public-facing business, even without the fines. Hacks result in bad press, loss of value, employee defections, and lost productivity as the whole team shifts to damage control.
  • Provide clarity for your team. Rapid business growth can result in added confusion for your team around who is responsible for which information security policies and assets. ISO 27000 standards can help organizations clarify responsibilities. 
  • Offer an expert, third-party opinion on your overall security posture. The real benefit of compliance isn’t just the badge on your website — it’s the advantage of knowing your ISMS and internal controls are working as intended and you’ve implemented best-in-class security practices.

In the end, every organization that seeks ISO 27000 compliance through ISO 27001 certification has its own reasons. Only you can decide if it’s the right choice for your business.

How can I pass my ISO 27001 audit?

When embarking on an audit using the ISO 27000 standard, here are a few ways to set yourself up for success:

  • Choose the right auditor. Selecting an auditor is an important and often overlooked part of the process. We suggest evaluating a registrar/auditor based on their level of experience with companies similar to yours, the type of support offered for surveillance audits to maintain compliance, and cost.
  • Do an internal audit first. This won’t just help you prepare for the Stage 1 and Stage 2 audits; it’ll also get you ready to maintain your ISO 27001 certification after you receive it.
  • Select the right controls. Look through every requirement throughout ISO 27000, not just ISO 27001. They’re all in there for a reason, whether it’s to provide advice, help you understand your auditor’s perspective, or offer controls that will suit your company’s unique situation.
  • Consider automation tools. Compliance automation makes it easier than ever to prepare for an ISO 27001 audit. With Secureframe, you can integrate all the technology in your ISMS, automatically scan for risks and potential violations — and get expert help from our in-house compliance team at every step. 

ISO 27000 is a rigorous set of standards for a reason — in an evolving cybersecurity landscape, it’s necessary to keep data secure.

If you’re considering ISO 27001 certification, a compliance platform can clarify and streamline the entire process. Schedule a demo today for expert help understanding the intricacies of ISO 27000.
