The Ultimate Guide to the ISO 27000 Series

  • June 17, 2021

Open any news app and you’ll quickly see why information security is a bigger issue than ever. A new cyberattack is launched every 39 seconds, nearly 4,000 confirmed data breaches occurred in 2020 alone, and each one cost U.S. companies an average of $8.64 million. 

If your company handles sensitive data for other businesses, you need to work harder than ever to earn and keep your customers’ trust. That’s where ISO 27000 security standards come in. 

The ISO 27000 family of standards is a set of related documents, all concerned with how an organization manages information security. ISO 27001 is the central standard and the only one an organization can be certified against; the others provide guidance that helps you design, operate, measure, and audit the internal controls an independent auditor will examine.

An ISO 27001 certificate is one of the best ways to show prospective clients that you can be trusted to safeguard their data. If you’re wondering how an audit works or what details you’ll need to document, this guide has all the answers you need.

What is ISO 27000?

What does ISO 27000 stand for? Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why the documents are formally numbered ISO/IEC 27000, ISO/IEC 27001 and so on, the ISO 27000 series is a set of best practices designed to help organizations improve their information security, primarily by building an information security management system (ISMS). ISO/IEC 27000 itself is the overview and vocabulary document for the series; it defines the terms the other standards use. An ISMS is designed to mitigate risk across three pillars of information security: people, processes, and technology.

The ISO 27000 series comprises more than 40 individual standards, including ISO 27000 itself; this guide covers the ones most organizations will encounter. At its core is ISO 27001, which specifies the requirements for an ISMS. ISO/IEC 27001:2013, the edition in force when this guide was written, is the only standard in the ISO 27000 series that companies can be audited and certified against; the rest are guidance. 

While not every ISO standard will apply to your organization, it’s helpful to get an overall understanding of ISO 27000 and its core principles, including requirements for building an ISMS. 

What is an ISMS?

The concept of an ISMS is fundamental to ISO 27000, so let’s define it in more detail. 

An information security management system is the entire set of policies, processes, and controls an organization uses to manage sensitive data. An ISMS should preserve the confidentiality of that data (protect it from unauthorized access), its integrity (protect it from unauthorized or accidental modification), and its availability, and it should proactively identify and mitigate risks to all three. 

Most people think of an ISMS in the context of hardware and software. Under ISO 27000, the definition is broader, including workflows, policies, plans, and culture.

The ISO 27000 series is a broad set of standards defining what makes a good ISMS: a system that can defend customer data against the increasing threat of hacks and breaches. But how does it work in practice? What is the difference between ISO 27000 and 27001? 

Understanding ISO 27000 vs 27001 boils down to this: ISO/IEC 27000 defines the vocabulary and principles the rest of the series builds on, and the series as a whole describes how to safeguard customer data. ISO 27001 is where those principles meet the real world: it specifies the requirements an ISMS must satisfy, and a business verifies the effectiveness of its ISMS against those requirements through an ISO 27001 audit. 

What is the purpose of an ISO 27001 audit?

During an ISO 27001 audit, an auditor from an accredited certification body (often called a registrar) examines an ISMS and its documentation to see whether it satisfies the requirements of ISO 27001. ISO itself does not perform audits or issue certificates; certification bodies are accredited by national accreditation bodies against ISO/IEC 27006. If any other ISO standards are relevant, the auditor will consider them as well. If a business passes the audit, it is issued an ISO 27001 certificate.

Is ISO 27000 mandatory? No. Yet more than 33,000 organizations currently hold ISO 27001 certificates, and the reason is simple: the benefits outweigh the cost. Here are some of the advantages of ISO 27001 certification:

  • Attract more customers: Potential clients and customers are well aware of the growing risks posed by data breaches. When selecting partners to work with, clients take information security heavily into account. ISO 27001 certification can sharpen your competitive edge significantly.
  • Prevent costly data breaches: A high-profile data breach can be devastating for a public-facing business, even without the fines. Hacks result in bad press, loss of value, employee defections, and lost productivity as the whole team shifts to damage control.
  • Provide clarity for your team: Rapid business growth can result in added confusion for your team around who is responsible for which information security policies and assets. ISO 27000 standards can help organizations clarify responsibilities. 
  • Offer an expert, third-party opinion on your overall security posture: The real benefit of compliance isn’t just the badge on your website — it’s the advantage of knowing your ISMS and internal controls are working as intended and you’ve implemented best-in-class security practices.

In the end, every organization that seeks ISO 27000 compliance through ISO 27001 certification has its own reasons. Only you can decide if it’s the right choice for your business.

How is ISO 27000 different from SOC?

Let’s clear up a common point of confusion: the difference between the ISO 27000 series and the System and Organization Controls (SOC) reports, formerly known as Service Organization Control reports.

SOC is a set of attestation standards overseen by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report, the one most relevant to information security, evaluates an organization against the AICPA Trust Services Criteria. Unlike ISO 27001, which supplies a reference list of controls in Annex A, SOC 2 leaves each organization to design its own set of controls to meet those criteria, and the outcome is an attestation report from a CPA firm rather than a certificate. 

Ultimately, though, the two cover much the same ground, with roughly 95% of controls overlapping between ISO 27001 and SOC 2. The best choice for your company depends mostly on where your customers are: a SOC 2 report is more commonly requested in the United States, while ISO 27001 certification is more widely recognized in the rest of the world.

What are the ISO 27000 standards?

This guide covers 12 of the standards in the ISO 27000 series. If you’re looking for a certificate, ISO 27001 is the only one whose requirements are mandatory and the only one you are certified against. Working knowledge of the others, however, can help you decide which guidance applies to you.

ISO 27000 Standards List

ISO 27001

ISO 27001 lists the requirements for building a compliant ISMS. If you don’t meet these standards, you can’t get a certificate.

ISO 27001 requirements are detailed in seven clauses (Clauses 4 through 10, covering context of the organization, leadership, planning, support, operation, performance evaluation, and improvement). Together they state that an ISMS must be: 

  • Clearly documented
  • Supported by senior leadership
  • Capable of anticipating and mitigating risks
  • Supplied with all the resources it needs to function
  • Regularly reviewed and updated

Annex A of ISO 27001:2013 lists 114 reference controls, grouped into 14 domains, that an organization might use to treat the risks it identifies. You do not have to implement all of them, but you must record which ones you apply, and justify each exclusion, in a Statement of Applicability.

ISO 27002

ISO 27002 builds on the controls listed in Annex A of ISO 27001. While Annex A gives a one-line description of each control, ISO 27002 provides implementation guidance for every one.

ISO 27002 is useful because the company under ISO 27001 audit only needs to address the controls relevant to it, and the implementation guidance helps you judge that relevance. For example, if you don’t have any employees who work remotely, you can likely mark the teleworking controls as not applicable (with a justification in your Statement of Applicability) rather than implement controls on leaving company computers in public spaces.

ISO 27003

ISO 27003 provides general guidance on building an ISMS. It’s an excellent resource for the pre-audit phase when you can use its guidelines to conduct a gap analysis and determine what your company still needs to do in order to reach ISO 27001 compliance.

ISO 27004

ISO 27004 builds on ISO 27003 with guidance on monitoring and measuring an ISMS: which metrics to collect and how to evaluate whether the ISMS and its controls are effective. It also helps you decide how to demonstrate that the ISO 27002 controls you have implemented are actually working, which is exactly the evidence an auditor will ask for.

ISO 27005

ISO 27005 is devoted to information security risk management. Since identifying, analyzing, and treating risk is a crucial part of ISO 27001 certification, it pays to study this one in as much detail as possible. Sections cover assessing risks; choosing whether to mitigate, accept, avoid, or share (transfer) them; and monitoring risks and their treatments over time.

ISO 27006

ISO 27006 specifies the requirements a certification body must meet in order to audit and certify organizations against ISO 27001; accreditation bodies use it when accrediting those firms. Unless your business performs compliance audits, this standard isn’t likely to be meaningful for you beyond confirming that the certification body you choose is accredited.

ISO 27007 and ISO 27008

Both standards first appeared in 2011 and have since been revised, most recently in 2020 for ISO 27007 and 2019 for ISO/IEC TS 27008. ISO 27007 gives guidelines for auditing an ISMS as a management system, while ISO 27008 gives guidelines for assessing the information security controls themselves. They complement ISO 27006 by describing how certification bodies, and internal auditors, should conduct ISMS audits.

If you’re seeking an ISO 27001 certificate for your company, it’s a good idea to read these over. They’ll give you a sense of what your auditor will consider while they evaluate your ISMS.

ISO 27017 and ISO 27018

This pair of standards appeared in 2014 (ISO 27018) and 2015 (ISO 27017), near the beginning of the cloud services boom. ISO 27017 provides information security controls for cloud services, for both providers and customers; ISO 27018 provides controls for protecting personally identifiable information (PII) in public clouds, aimed at providers acting as PII processors.

ISO 27017 and ISO 27018 extend ISO 27002 rather than replace it: they add cloud-specific implementation guidance and additional controls on top of the ISO 27002 baseline. Use ISO 27002 for all of your data, and layer ISO 27017 and ISO 27018 on top of it for data stored in the cloud.

ISO 27033

The multipart ISO 27033 standard covers network security. ISO 27002 includes several controls for securing a company’s networks; ISO 27033 builds on these with detailed guidance on designing and implementing them, from overall network architecture to securing traffic between networks, VPNs, and wireless access.

ISO 27701

One of the newest standards in the series, ISO 27701 (published in 2019) focuses on privacy. It was created after the EU’s GDPR took effect and required organizations to implement “appropriate technical and organisational measures” to secure users’ personal data.

ISO 27701 explains what those appropriate measures might be. It is an extension to ISO 27001 and ISO 27002: in essence, it’s about building a privacy information management system (PIMS) on top of your ISMS. Because it is an extension, it can only be certified together with ISO 27001, and holding it is not an official GDPR certification, although it is strong evidence of the measures GDPR asks for.

How do I get ISO 27000 certified?

Technically, you don’t.

Just to clear up any remaining confusion, there’s no such thing as ISO 27000 certification. ISO 27001 is the only standard in the family an organization can be certified against; the rest of the series provides guidance that supports that certification.

With that out of the way, how do you get ISO 27001 certified?

Start the process by understanding the ISO 27000 standards in detail. For example, if you run part of your infrastructure in the cloud, study ISO 27017 and ISO 27018. If your customers are in the EU or you process personal data, study ISO 27701, and so on.

Your next step is to define the scope of your ISMS and make sure it is up to par. ISO 27003 will be helpful here. Once the scope, policies, and responsibilities are documented (at least on paper), it’s time for the risk assessment. In ISO 27001 the risk assessment drives the selection of controls, not the other way around.

Develop your risk assessment process using the guidelines in ISO 27005 to help you along. It will reveal areas in which your ISMS falls short of compliance, illuminating which unmitigated risks carry the greatest potential consequences and therefore which Annex A controls you need.

ISO 27001 compliance requires documentation of both the risk management process and the decision made regarding each risk (whether to avoid, mitigate, accept, or transfer it). In practice this means a risk register, a risk treatment plan, and the Statement of Applicability that records which Annex A controls you apply and why any are excluded.

With these documents in hand, the last step is to document a process for continuously improving your ISMS. Use ISO 27004 as your guiding light for adapting your ISMS to constantly evolving information security threats.

At this point, if you’ve got all the required documentation on file, you’re ready for a Stage 1 audit. Choose a certification body (registrar) that is accredited, has experience working in your industry, and is a good fit for your corporate culture.

During the Stage 1 audit, the auditor will conduct a preliminary review of your documentation and ISMS and point out any shortfalls you may have missed. You’ll have a chance to review the initial report and rectify any mistakes before the final certification audit.

The auditor will then conduct a Stage 2 audit, which involves an on-site evaluation of your ISMS in operation. Your auditor will check that your company is actually following the policies and procedures reviewed during Stage 1, and will look for evidence such as risk assessment records, internal audit results, and management review minutes. 

If you’re found to be in compliance, the auditor will issue you an ISO 27001 certificate. A certificate is typically valid for three years, with surveillance audits (usually annual) in between and a full recertification audit at the end of the cycle. The initial process can take up to a year, so it’s not surprising that many organizations choose to hire expert help.

How much does ISO 27000 cost?

ISO 27001 certification cost depends on several factors, including the size and complexity of the organization and its systems. A larger company usually builds an ISMS with a greater scope, which takes longer to audit. The longer the auditor spends at your offices, the more you’ll pay.

A company with 50 or fewer employees can expect to spend between 8 and 32 hours on a Stage 1 audit. A Stage 2 audit typically lasts 3 to 6 days and costs $5,000 to $10,000. From there, add approximately $1,800 for each extra day of the audit. For example, a company with 500 employees can expect about 11 days of auditing at a cost of $19,000.

However, the absolute price of the audit doesn’t tell the whole story. An audit may take one to two weeks, but preparation might take up to six months at a mid-sized company. For those six months, you either need to hire new contract employees or reassign some current employees from their normal duties.

Suppose you build an ISO 27000 compliance team consisting of an IT engineer, a lawyer, a tech writer, and your VP in charge of security. Those are all high-value employees. The cost of ISO 27000 preparation should reflect lost productivity and the loss of revenue from fewer hours spent contributing to your product.

How can I pass my ISO 27001 audit?

When embarking on an audit using the ISO 27000 standard, here are a few ways to set yourself up for success:

  • Choose the right auditor: Selecting an auditor is an important and often overlooked part of the process. We suggest evaluating a registrar/auditor based on their level of experience with companies similar to yours, the type of support offered for surveillance audits to maintain compliance, and cost. Because cost depends so heavily on the length of the audit, it’s important to align with your auditor around an appropriate number of days to expect given your company size and audit scope. 
  • Do an internal audit first: This won’t just help you prepare for the Stage 1 and Stage 2 audits; it’ll also get you ready to maintain your ISO 27001 certification after you receive it. ISO 27001 requires certified organizations to conduct internal audits at regular intervals. 
  • Choose the right controls: Look through every requirement throughout ISO 27000, not just ISO 27001. They’re all in there for a reason, whether it’s to provide advice, help you understand your auditor’s perspective, or offer controls that will suit your company’s unique situation.
  • Consider automation tools: Compliance automation makes it easier than ever to prepare for an ISO 27001 audit. With Secureframe, you can integrate all the technology in your ISMS, automatically scan for risks and potential violations, continuously improve your security posture — and get expert help from our in-house compliance team at every step of the way. 

ISO 27000 is a rigorous set of standards for a reason — in an evolving cybersecurity landscape, it’s necessary to keep data secure.

If you’re considering ISO 27001 certification, a compliance platform can clarify and streamline the entire process. Secureframe can help you design a compliant ISMS while automating time-consuming tasks like evidence collection and vendor management, freeing up hundreds of hours for your employees. 

Talk to our team today for expert help understanding the intricacies of ISO 27000 and ace your ISO 27001 audit.
