Global cyber attacks reached an all-time high in the fourth quarter of 2022, jumping to 1,168 a week per organization. That's a 38% increase from 2021. 

If your company handles sensitive data, you need to build trust with customers by keeping it safe from cyber criminals. That’s where ISO 27000 security standards come in. 

An ISO 27000 certificate is one of the best ways to show prospects and customers that you can be trusted to safeguard their personal data. If you’re wondering how an audit works or what details you’ll need to document, this guide has all the answers you need.

What is the ISO/IEC 27000 series?

Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission, the ISO/IEC 27000 series is comprised of over a dozen standards designed to help organizations improve their information technology security by building a strong information security management system (ISMS). An ISMS implemented according to these standards is designed to mitigate risk across three pillars of information security: people, processes, and technology.

At the core of the ISO 27000 family is ISO 27001, which details requirements for implementing an ISMS. 

The concept of an ISMS is fundamental to ISO 27000, so let’s define it in more detail below. 

ISO information security management system

An information security management system is the entire set of information assets, systems, technologies, people, partners, processes, and policies that an organization uses to protect sensitive data. An ISMS should protect information assets from unauthorized access, proactively identify and mitigate risk, and ensure data availability. 

Most people think of an ISMS in the context of hardware and software. Under ISO 27000, the definition is broader, including workflows, policies, plans, and culture.

What are the ISO 27000 standards?

The ISO 27000 family of standards is designed to certify a company’s information security policies.

ISO 27001 is the central standard and only one in the series that companies can be audited and certified against. The others provide information security guidelines that independent auditors and certification bodies can use to certify your internal information security controls. 

While not every ISO standard will apply to your organization, it’s helpful to get an overall understanding of ISO 27000 and its core principles, including requirements for building an ISMS. 

ISO/IEC 27000

ISO 27000 provides an overview of information security management systems as well as terms and definitions commonly used in the other standards in the ISO/IEC 27000 family. It also explains each standards’ scope, roles, function, and relationship to each other.

ISO/IEC 27001

ISO 27000 outlines the security techniques necessary to properly safeguard customer data. ISO 27001 is where those principles meet the real world. Businesses implement the requirements outlined in ISO 27000 standards and verify the effectiveness of their ISMS through an ISO 27001 audit. 

ISO 27001 lists the requirements for building a compliant ISMS. The ISMS must be: 

• Clearly documented
• Supported by senior leadership
• Capable of anticipating and mitigating risks
• Supplied with all the resources it needs to function
• Regularly reviewed and updated

Annex A of the most recent version — ISO/IEC 27001:2022 — lists 93 controls that an organization might use to meet these requirements.

ISO/IEC 27002

ISO 27002 builds on the controls discussed in Annex A of ISO 27001. While Annex A provides a quick rundown of each control, ISO 27002 describes them all in full.

ISO 27002 is useful because the company under ISO 27001 audit only needs to address the controls relevant to them. For example, if you don’t have any employees who work remotely, you likely don’t need to implement controls on leaving company computers in public spaces.

ISO/IEC 27003

ISO 27003 provides general guidance on building an ISMS. It’s an excellent resource for the pre-audit phase when you can use its guidelines to conduct a gap analysis and determine what your company still needs to do in order to reach ISO 27001 compliance.

ISO/IEC 27004

ISO 27004 builds on ISO 27003 by suggesting ways to evaluate and monitor the security of your ISMS. It also helps organizations determine which of the controls in ISO 27002 might be useful for audit preparation.

ISO/IEC 27005

ISO 27005 is a code of practice devoted to information security risk management. Since forecasting, analyzing, and mitigating risk is a crucial part of ISO 27001 certification, it pays to study this one in as much detail as possible.

Sections cover:

• assessing risks
• choosing whether to mitigate, accept, or avoid them
• monitoring risk responses over time

ISO/IEC 27006

ISO 27006 is a set of information security standards that determine whether a firm is qualified to perform ISO 27001 audits. Unless your business relates directly to performing compliance audits, this series isn’t likely to be meaningful for you.

ISO/IEC 27007 and ISO/IEC 27008

This new pair of information security standards was introduced in 2011 and revised in 2020. They build on ISO 27006 by providing guidelines for accredited organizations to conduct ISMS audits.

If you’re seeking an ISO 27001 certificate for your company, it’s a good idea to read these over. They’ll give you a sense of what your auditor will consider while they evaluate your ISMS.

ISO/IEC 27017 and ISO/IEC 27018

This pair of information security standards first appeared in 2014, near the beginning of the cloud services boom. They provide controls for securing any data your organization stores in the cloud.

ISO 27017 and ISO 27018 are to cloud data what ISO 27002 is to data managed on-premises. 

You’re free to use both sets of controls in parallel — ISO 27002 for your on-site data as well as ISO 27017 and ISO 27018 for data stored in the cloud.

ISO/IEC 27033

The code of practice in ISO 27033 governs network security. ISO 27002 includes several controls for securing a company’s internal network. ISO 27033 builds on these controls and offers specification and implementation guidance.

ISO/IEC 27034

This series centers on application security controls data structure and your assurance prediction framework. 

ISO/IEC 27035

This series covers information security incident management, including your organization’s incident response plan. 

How will you ensure business continuity if a breach occurs? Every company should clearly map out responsibilities and communication plans in the event of a security incident. 

ISO/IEC 27701

One of the newest ISO standards, ISO 27701 focuses on privacy. It was created in response to the EU strengthening GDPR and requiring organizations to take “appropriate measures” to secure users’ private information.

ISO 27701 explains what those appropriate measures might be. In essence, it’s about building a privacy information management system (PIMS) in conjunction with your ISMS.

History of the ISO 27000 family of standards

The history of ISO 27000 can be traced back to the British Standard (BS) 7799.

In 1993, the UK’s Department of Trade and Industry commissioned a committee to create evaluation criteria for IT security products as well as a list of information technology best practices. This ultimately led to the creation of BS 7799, which was published in three parts in 1995.

One part covered information security management systems and implementation and eventually became ISO 27001. ​​ISO 27001 was released as the first standard in the ISO 27000 series in 2005.

Another part of BS 7799 covered best practices of information security and was later integrated into ISO 17799. This was eventually renamed ISO 27002 in 2007 to align with the numbering system of the ISO 27000 series. 

Both ISO 27001 and 27002 were revised in 2013 and again in 2022 to respond to the changing threat landscape.

How do I get ISO 27000 certified?

Technically, you don’t. There’s no such thing as ISO 27000 certification.

ISO 27001 is the standard that lays out instructions for certifying an organization as compliant with any part of ISO 27000.

Let’s take a look at the process for getting ISO 27001 certified below.

Step 1: Understand the ISO 27000 standards.

Start the ISO 27001 certification process by understanding ISO 27000 standards in detail, not just ISO 27001. They’re all in there for a reason, whether it’s to provide advice, help you understand your auditor’s perspective, or offer controls that will suit your company’s unique situation.

For example, if you store part of your infrastructure in the cloud, study ISO 27017 and ISO 27018. If your customers are in the EU, study ISO 27701, etc.

Step 2: Build a compliant ISMS.

Your next step is to make sure your ISMS is up to par. ISO 27003 will be helpful here. If your documented ISMS fits all relevant controls in each section of ISO 27000 (at least on paper), it’s time for the risk assessment.

Step 3: Perform a risk assessment.

Develop your risk assessment process using the guidelines in ISO 27005 to help you along. It will reveal areas in which your ISMS falls short of compliance, illuminating which unmitigated risks carry the greatest potential consequences. 

Step 4: Create a risk treatment plan and implement controls.

ISO 27001 compliance requires documentation of both the risk management process and the decision made regarding each risk — whether to avoid, mitigate, absorb, or transfer.

Step 5: Define a process for continuous improvement.

The last step is to document a process for continuously improving your ISMS. Use ISO 27004 as your guiding light for adapting your ISMS to constantly evolving data security threats.

Step 6: Complete Stage 1 and 2 audits.

At this point, if you’ve got all the required documentation and digital evidence, you’re ready for a Stage 1 audit. Choosing an auditor is an important and often overlooked part of the process. We suggest evaluating a registrar/auditor based on their level of experience with companies similar to yours, the type of support offered for surveillance audits to maintain compliance, and cost.

During the Stage 1 audit, the auditor will conduct a preliminary review of your documentation and ISMS and point out any shortfalls you may have missed. You’ll have a chance to review the initial report and rectify any mistakes before the final certification audit.

The auditor will then conduct a Stage 2 audit, which involves an on-site evaluation of your ISMS. Your auditor will also ensure that your company is following the policies and procedures they reviewed during Stage 1. 

If you’re found to be in compliance with all relevant ISO 27000 standards, the auditor will then issue you an ISO 27001 certificate. 

What is the purpose of ISO/IEC 27000?

The purpose of the ISO/IEC 27000 series of standards is to help organizations of all sectors and sizes protect their information assets. 

ISO 27001 is a highly regarded international standard for information security management systems and their requirements. An organization that completes an ISO 27001 audit by an accredited auditor will receive a certificate. This certificate provides customers with third-party reassurance that the organization has built an ISMS capable of protecting sensitive data.

The other standards in the ISO 27000 family provide additional best practices in data protection and cyber resilience. 

Following these standards and getting ISO 27001 certified is not mandatory, but it can provide significant advantages for growing businesses, including:

• Attracting more customers. Potential clients and customers are well aware of the growing risks posed by data breaches. When selecting partners to work with, clients take information security heavily into account. ISO 27001 certification can sharpen your competitive edge significantly.
• Preventing costly data breaches. A high-profile data breach can be devastating for a public-facing business, even without the fines. Hacks result in bad press, loss of value, employee defections, and lost productivity as the whole team shifts to damage control.
• Providing clarity for your team. Rapid business growth can result in added confusion for your team around who is responsible for which information security policies and assets. ISO 27000 standards can help organizations clarify responsibilities. 
• Offering an expert, third-party opinion on your overall security posture. The real benefit of compliance isn’t just the badge on your website — it’s the advantage of knowing your ISMS and internal controls are working as intended and you’ve implemented best-in-class security practices.

In the end, every organization that seeks ISO 27000 compliance through ISO 27001 certification has its own reasons. Only you can decide if it’s the right choice for your business.

How Secureframe can help your organization secure its information assets

ISO 27000 is a rigorous set of standards for a reason — in an evolving cybersecurity landscape, it’s necessary to keep data secure.

If you’re considering ISO 27001 certification, a compliance platform can clarify and streamline the entire process. With Secureframe, you can integrate all the technology in your ISMS, automatically scan for risks and potential violations — and get expert help from our in-house compliance team at every step. 

Schedule a demo today for expert help understanding the intricacies of ISO 27000.