Standards for information security - an overview

CONTENT

• Information security standards - an overview list
• Certification is a competitive advantage
• Ten ISO information security standards you should be familiar with
• Other topics in the ISO 2700x family of standards
• DQS - What we can do for you

Standards for information security: The ISO 2700X family of standards

The individual standards for information security in the ISO 2700x series deal with diverse topics in the area of information security. For example, the international standard specifies ISO 27001 An information security management system (ISMS), ISO 27701 a data protection management system, ISO 27017 provides guidance on information security measures for cloud computing, and ISO 27005 provides guidelines for information security risk management.

Companies in all industries can benefit from the systematically structured approach of these standards for information security. It enables confidential data to be protected against loss and misuse, and helps to reliably identify and reduce (potential) threats. The approach helps to ensure the availability of corporate IT systems, thus contributing to the optimization of business processes, IT and process costs, and the minimization of business and liability risks.

Certification is a competitive advantage

Certification to ISO 27001, for example by DQS, requires a certain amount of preparation and effort. However, the company provides documented proof that it complies with information security requirements and implements measures to protect sensitive company data. This is a clear competitive advantage. 

Ten ISO standards on information security that you should be familiar with

The list below provides an informative overview of the current status of the ISO 2700x series of standards in information security. All standards are available for purchase from the ISO website.

ISO 27001 - Requirements for information security management systems

In times when data and information are traded like rare commodities, their protection is essential. An optimal basis for the effective implementation of a holistic security strategy is provided by a well-structured information security management system (ISMS) in accordance with the standard ISO 27001. This is an internationally recognized standard for information security in private, public or non-profit organizations, which not only covers the aspects of IT security.

An ISO 27001 ISMS defines requirements, rules, and methods for ensuring the security of information that requires protection in organizations. The ISO standard provides a model for establishing, implementing, monitoring, and improving the level of protection. The aim is to identify potential risks for the company, analyze them and make them controllable through appropriate measures. ISO 27001 formulates the requirements for such a management system, which are audited as part of an external certification process .

You can achieve this with the standard:

• Making the security of sensitive information an integral part of corporate processes.
• Preventive safeguarding of the protection goals confidentiality, availability and integrity of information
• Maintaining business continuity through continuous improvement of the security level
• Sensitization of employees and significantly increased security awareness at all levels of the company
• Building trust with interested parties
• Establishment of an effective risk management process

ISO 27019 - Information security measures for energy supply.

The ISO 27019 information security standard formulates complementary measures for the energy industry sector.

This standard helps you secure your electronic process control systems used to control and monitor the production, transmission, storage, and distribution of electrical energy, gas, oil, and heat, and to control related supporting processes.

What you can do with the standard:

• Systematically ensure the protection goals of confidentiality, availability, integrity of information.
• Continuously improve the security level and resistance to unauthorized access
• Achieve greater security of action and legal certainty, improve adherence to relevant compliance requirements
• Increase security awareness among employees and managers
• Achieve a high level of trust and loyalty among all interested parties
• Demonstrate recognized proof of the effectiveness of your security measures to the authorities, such as the German Federal Network Agency (BNetzA)

ISO 27006 - Requirements for certification bodies

ISO 27006 is aimed at bodies such as DQS that perform certifications of information security management systems. The ISO 27006 accreditation standard describes the requirements that certification bodies must follow when assessing their clients' management systems to ISO 27001 for certification.

This includes, for example, the proof of specified audit efforts or specifications on the qualifications of auditors. The accreditation processes outlined in the standard guarantee that ISO 27001 certificates issued by accredited certification bodies have international validity.

What you can achieve with this standard:

• Uniform criteria for certification, surveillance, and recertification audit procedures
• Ensure the validity of ISO 27001 certificates
• Ensure minimum requirements for audit effort and qualification of personnel calculating and performing certification procedures

ISO 27002 - Guidance on information security controls

The Information Security Management System (ISMS) according to ISO 27001 contains a normative Annex A: Reference control objectives and controls. This Annex contains specific measures to be implemented as part of the management system, as relevant to the organization. ISO 27002 is a guideline with recommendations for the implementation of measures from ISO 27001. 

The guideline was comprehensively revised and updated at the beginning of 2022. The new edition provides information security managers with precise implementation guidance to ensure that no important measures to address information security risk are overlooked.

What you can do with this standard:

• Support for the implementation of ISO 27001
• Implementation of the recommendations on the controls in Annex A of ISO 27001

ISO 27000 - Overview and vocabulary of information security management systems

 
ISO 27000 contains terms and definitions that are utilized in the ISO 2700X series of standards. ISO 27000 provides an overview of information security management systems and the ISO 2700x series of standards with their information security standards.

In a glossary, the (technical) terms are defined explicitly and formally.

What you can do with this standard:

• Glossary: coverage of most of the technical terms used in the ISO2700x series of standards in the field of information security.
• Clarity about terminology
• Clear understanding of vocabulary among assessors and assessors ("a common language")
• Overview of information security management systems: introduction of information security, risk and security management, and management systems

ISO 27701 - Guidance on data protection management

The standard for information security specifically related to data privacy ISO 27701 specifies a data protection management system based on ISO 27001, ISO 27002 (information security controls) and ISO 29100 (data privacy framework) to deal appropriately with both the processing of personal data and information security. This applies to both controllers and processors of personal data.

How you can succeed with this standard:

• Better management of personal data and information security
• Easier application of common information risk management principles to personal data
• Align and extend the controls within ISO 27001 as well as the related ISO 27002

ISO 27017 - Guide to information security measures in cloud services

The ISO 27017 standard provides guidance on information security measures in cloud computing within the standards for information security.

It recommends, supports, and provides additional measures for implementing cloud-specific information security controls.

What you can achieve with this standard:

• Understanding the information security aspects of cloud computing.
• Design and implement cloud-specific information security controls
• Control over the options for selecting, implementing, and managing information security for cloud computing

ISO 27018 - Guidance on data protection in cloud services.

The ISO 27018 standard provides guidance to ensure that cloud service providers offer appropriate information security controls to protect the privacy of their customers' clients by securing the personal data entrusted to them.

This standard is followed by ISO 27017 (Information security measures in cloud services), which covers other information security aspects of cloud computing than just data protection.

Here's what you can do with the standard:

• Select PII protection controls as part of implementing a cloud computing information security management system based on ISO 27001.
• Implement commonly accepted PII protection controls.
• Deepen knowledge as the standard is based on ISO 27002 and expands on its general advice in some areas
• Linking OECD privacy principles embodied in several data protection laws and regulations

ISO 27005 - Guidance on information security risk management.

The ISO 27005 standard provides guidance on information security risk management and supports the general concepts on this set out in ISO 27001.

ISO 27005 is also intended to support the implementation of information security based on a risk management concept.

You can do this with the standard:

• Implement information security based on a risk management approach.
• Definition of the risk management context
• Quantitative or qualitative assessment (i.e., identification, analysis, and evaluation) of relevant information risks
• Continuous monitoring and review of risks, risk treatments, requirements and criteria
• Appropriate handling of risks
• Ongoing communication of all stakeholders

ISO 27007 - Guide to auditing ISMS

ISO 27007 is a guide for conducting audits and is intended for internal and external auditors who assess an ISMS according to ISO/IEC 27001.

The guide is based heavily on the Guide to auditing management systems (ISO 19011) and provides additional guidance for an information security management system (ISMS).

Here's how you can succeed with the standard:

• Guidance specifically for ISO 27001 ISMS audits
• Guidance on planning and conducting audits integrated from ISO 19011
• Important information on the competencies of ISMS auditors
• Understanding and performing ISMS audits

DQS - what we can do for you

DQS has been a leading specialist in the certification of management systems and processes since 1985. Since then, the history of DQS has been closely linked to the history of ISO 9001 We bring our worldwide know-how and extensive understanding of standards to our customers on about 30,000 audit days per year. So you can see what your options are.

Trust and expertise

Our texts and white papers are written exclusively by our standards experts or long-standing auditors. So is the overview of information security standards. If you have any questions about the text content or our services to our author, please feel free to contact us. 

Information security standards: Other topics in the ISO 2700X family of standards

ISO 27003 - Guide to the development and implementation of an ISMS

ISO/IEC 27003:2017

Information technology - Security techniques - Information security management systems - Guidance.

ISO 27004 - Guidance on information security management measurement methods

ISO/IEC 27004:2016

Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation.

ISO 27008 - Guidance on the evaluation of information security measures

ISO/IEC TS 27008:2019

Information technology - Security techniques — Guidelines for the assessment of information security controls

ISO 27009 - Guide to the sector-specific application of an information management system

ISO/IEC 27009:2020

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

ISO 27010 - Guidance on information security management for intersectoral and interorganizational communications

ISO/IEC 27010:2015

Information technology - Security techniques — Information security management for inter-sector and inter-organizational communications

ISO 27011 - Guidance on information security management in the telecommunications sector

ISO/IEC 27011:2016

Information technology - Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations

ISO 27013 - Guidance for the integrated implementation of an ISMS and IT service management

ISO/IEC 27013:2021

Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO 27014 - 'Governance' of information security

ISO/IEC 27014:2020

Information security, cybersecurity and privacy protection - Governance of information security

ISO 27016 - Economics of information security management

ISO/IEC TR 27016:2014

Information technology - Security techniques — Information security management — Organizational economics

ISO 27021 - Requirements for the competence of ISMS professionals

ISO/IEC 27021:2017/AMD 1:2021

echniques — Competence requirements for information security management systems professionals — Amendment 1: Addition of ISO/IEC 27001:2013 clauses or subclauses to competence requirements

ISO 27031 - Guidance on business continuity

ISO/IEC 27031:2011

Information technology - Security techniques — Guidelines for information and communication technology readiness for business continuity

TIP: Read our blog post on business continuity management to learn what the ISO 22301 standard recommends to ensure a company's continued existence in exceptional situations.

ISO 27032 - Cybersecurity guide

ISO/IEC 27032:2012

Information technology - Security techniques — Guidelines for cybersecurity

ISO 27033 - Guidance on network security

ISO/IEC 27033

Information technology - Security techniques - Network security
Part 1: Overview and concepts, Part 2: Guidelines for the design and implementation of network security, Part 3: Reference network scenarios -Tthreats, design techniques and control issues, Part 4: Securing communications between networks using security gateways, Part 5: Securing communications across networks using virtual private networks (VPNs), Part 6: Securing wireless IP network access

ISO 27034 - Guidance on application security

ISO/IEC 27034

Information technology - Security techniques - Application security
Part 1: Overview and concepts, Part 2: Organization normative framework, Part 3: Application security management process, Part 4: Validation and Verification, Part 5: Protocols and application security controls data structure, Part 6: Cast studies, Part 7: Assurance prediction framework

ISO 27035 - Guidance on incident management of information security incidents

ISO/IEC 27035

Information technology - IT security practices - Information security incident management
Part 1: Fundamentals of incident management, Part 2: Guidelines for incident response planning and preparation, Part 3: Guidelines for information and communications technology incident response (draft)

ISO 27036 - Guidance on supplier relationships

ISO/IEC 27036

Information technology - Security techniques - Information security for supplier relationships
Part 1: Overview and concepts, Part 2: Requirements, Part 3: Guidelines for information and communications technology supply chain security, Part 4: Guidelines for cloud services security

ISO 27037 - Guidelines for handling digital evidence.

ISO/IEC 27037:2012

Information technology - Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence

ISO 27038 - Specification for digital redaction

ISO/IEC 27038:2014

Information technology - Security techniques - Specification for digital redaction

ISO 27039 - Guidance on intrusion detection systems (IDPS)

ISO/IEC 27039:2015

Information technology - Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

ISO 27040 - Guidance on storage security

ISO/IEC 27040:2015

Information technology - Security techniques - Storage security 

ISO 27041 - Guidance on incident investigation methods

ISO/IEC 27041:2015

Information technology - Security techniques — Guidance on assuring suitability and adequacy of incident investigative method

ISO 27042 - Guidance on analysis and interpretation of digital evidence.

ISO/IEC 27042:2015

Information technology - Security techniques — Guidelines for the analysis and interpretation of digital evidence

ISO 27043 - Guidance on incident investigation processes.

ISO/IEC 27043:2015

Information technology - Security techniques — Incident investigation principles and processes

ISO 27050 - Guidance on electronic detection

ISO/IEC 27050

Information technology - Electronic discovery
Part 1: Overview and concepts, Part 2: Guidance for governance and management of electronic discovery, Part 3: Code of practice for electronic discovery

ISO 27102 - Guidance on cyber insurance

ISO/IEC 27102:2019

Information security management — Guidelines for cyber-insurance

ISO 27103 - Guide to cyber security and ISO/IEC standards

ISO/IEC TR 27103:2018

Information technology - Security techniques - Cybersecurity and ISO and IEC standards

ISO 27550 - Privacy engineering for system lifecycle processes

ISO/IEC TR 27550:2019-09

Information technology - Security techniques — Privacy engineering for system life cycle processes

ISO 27799 - Information security management in the health care sector

ISO 27799:2016

Health informatics — Information security management in health using ISO/IEC 27002