In times when data and information are traded like commodities, protecting them is essential. One way to do this is to implement information security management based on the ISO/IEC 2700x series of information security standards. This is an international family of standards for IT security and information security in private, public or non-profit organizations. Based on ISO 27001, an information security management system (ISMS) can be implemented, which organizations and public authorities can set up, operate and have certified for their own protection.
Standards for information security: The ISO 2700X family of standards
The individual standards for information security in the ISO 2700x series deal with diverse topics in the area of information security. For example, the international standard specifies ISO 27001. An information security management system (ISMS), ISO 27701 a data protection management system, ISO 27017 provides guidance on information security measures for cloud computing, and ISO 27005 provides guidelines for information security risk management.
Companies in all industries can benefit from the systematically structured approach of these standards for information security. It enables confidential data to be protected against loss and misuse, and helps to reliably identify and reduce (potential) threats. The approach helps to ensure the availability of corporate IT systems, thus contributing to the optimization of business processes, IT and process costs, and the minimization of business and liability risks.
Certification is a competitive advantage
Certification to ISO 27001, for example by DQS, requires a certain amount of preparation and effort. However, the company provides documented proof that it complies with information security requirements and implements measures to protect sensitive company data. This is a clear competitive advantage.
Ten ISO standards on information security that you should be familiar with
The list below provides an informative overview of the current status of the ISO 2700x series of standards in information security. All standards are available for purchase from the ISO website.
ISO 27001 - Requirements for information security management systems
In times when data and information are traded like rare commodities, their protection is essential. An optimal basis for the effective implementation of a holistic security strategy is provided by a well-structured information security management system (ISMS) in accordance with the standard ISO 27001. This is an internationally recognized standard for information security in private, public or non-profit organizations, which not only covers the aspects of IT security.
ISO 27001 in practice
The DQS Audit Guide
The DQS Audit Guide (based on ISO 27001:2013)
Benefit from good audit questions and possible evidence on selected controls from Annex A.
From experts in the field.
An ISO 27001 ISMS defines requirements, rules, and methods for ensuring the security of information that requires protection in organizations. The ISO standard provides a model for establishing, implementing, monitoring, and improving the level of protection. The aim is to identify potential risks for the company, analyze them and make them controllable through appropriate measures. ISO 27001 formulates the requirements for such a management system, which are audited as part of an external certification process .
You can achieve this with the standard:
- Making the security of sensitive information an integral part of corporate processes.
- Preventive safeguarding of the protection goals confidentiality, availability and integrity of information
- Maintaining business continuity through continuous improvement of the security level
- Sensitization of employees and significantly increased security awareness at all levels of the company
- Building trust with interested parties
- Establishment of an effective risk management process
Information technology - Security techniques - Information security management systems - Requirements
The revised version was published on October 25, 2022. The current version ISO/IEC 27001:2013 will expire in October 2025.
ISO 27019 - Information security measures for energy supply.
The ISO 27019 information security standard formulates complementary measures for the energy industry sector.
Information technology - Security techniques - Information security controls for the energy utility industry
This standard helps you secure your electronic process control systems used to control and monitor the production, transmission, storage, and distribution of electrical energy, gas, oil, and heat, and to control related supporting processes.
What you can do with the standard:
- Systematically ensure the protection goals of confidentiality, availability, integrity of information.
- Continuously improve the security level and resistance to unauthorized access
- Achieve greater security of action and legal certainty, improve adherence to relevant compliance requirements
- Increase security awareness among employees and managers
- Achieve a high level of trust and loyalty among all interested parties
- Demonstrate recognized proof of the effectiveness of your security measures to the authorities, such as the German Federal Network Agency (BNetzA)
ISO 27006 - Requirements for certification bodies
ISO 27006 is aimed at bodies such as DQS that perform certifications of information security management systems. The ISO 27006 accreditation standard describes the requirements that certification bodies must follow when assessing their clients' management systems to ISO 27001 for certification.
Information technology - Security techniques — Requirements for bodies providing audit and certification of information security management systems
This includes e.g. the proof of specified audit efforts or specifications on the qualifications of auditors. The accreditation processes outlined in the standard guarantee that ISO 27001 certificates issued by accredited certification bodies have international validity.
What you can achieve with this standard:
- Uniform criteria for certification, surveillance, and recertification audit procedures
- Ensure the validity of ISO 27001 certificates
- Ensure minimum requirements for audit effort and qualification of personnel calculating and performing certification procedures
ISO 27002 - Guidance on information security controls
The Information Security Management System (ISMS) according to ISO 27001 contains a normative Annex A: Reference control objectives and controls. This Annex contains specific measures to be implemented as part of the management system, as relevant to the organization. ISO 27002 is a guideline with recommendations for the implementation of measures from ISO 27001.
The guideline was comprehensively revised and updated at the beginning of 2022. The new edition provides information security managers with precise implementation guidance to ensure that no important measures to address information security risk are overlooked.
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
Audit Guideline to ISO 27001
From our experts in the field.
The guideline is based on ISO/IEC 27001:2013.
Benefit from good audit questions and possible evidence on selected controls in Annex A.
You can do this with the standard:
- Support for the implementation of ISO 27001
- Implementing the recommendations for the measures in Annex A of ISO 27001
ISO 27000 - Overview and vocabulary of information security management systems
ISO 27000 contains terms and definitions that are used in the ISO 2700X series of standards. ISO 27000 provides an overview of information security management systems and the ISO 2700x series of standards with their information security standards.
Information technology - Security techniques — Information security management systems — Overview and vocabulary
In a glossary, the (technical) terms are defined explicitly and formally.
What you can do with this standard:
- Glossary: coverage of most of the technical terms used in the ISO2700x series of standards in the field of information security.
- Clarity about terminology
- Clear understanding of vocabulary among assessors and assessors ("a common language")
- Overview of information security management systems: introduction of information security, risk and security management, and management systems
ISO 27701 - Guidance on data protection management
The standard for information security specifically related to data privacy ISO 27701 specifies a data protection management system based on ISO 27001, ISO 27002 (information security controls) and ISO 29100 (data privacy framework) to deal appropriately with both the processing of personal data and information security. This applies to both controllers and processors of personal data.
ISO/IEC 27701:2019-08 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
ISO 27017 - Guide to information security measures in cloud services
The ISO 27017 standard provides guidance on information security measures in cloud computing within the standards for information security.
Information technology - Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
It recommends, supports, and provides additional measures for implementing cloud-specific information security controls.
What you can achieve with this standard:
- Understanding the information security aspects of cloud computing.
- Design and implement cloud-specific information security controls
- Control over the options for selecting, implementing, and managing information security for cloud computing
ISO 27018 - Guidance on data protection in cloud services.
The ISO 27018 standard provides guidance to ensure that cloud service providers offer appropriate information security controls to protect the privacy of their customers' clients by securing the personal data entrusted to them.
Information technology - techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This standard is followed by ISO 27017 (Information security measures in cloud services), which covers other information security aspects of cloud computing than just data protection.
Here's what you can do with the standard:
- Select PII protection controls as part of implementing a cloud computing information security management system based on ISO 27001.
- Implement commonly accepted PII protection controls.
- Deepen knowledge as the standard is based on ISO 27002 and expands on its general advice in some areas
- Linking OECD privacy principles embodied in several data protection laws and regulations
ISO 27005 - Guidance on information security risk management.
The ISO 27005 standard provides guidance on information security risk management and supports the general concepts on this set out in ISO 27001.
Information technology - IT security techniques - Information security risk management.
ISO 27005 is also intended to support the implementation of information security based on a risk management concept.
You can do this with the standard:
- Implement information security based on a risk management approach.
- Definition of the risk management context
- Quantitative or qualitative assessment (i.e., identification, analysis, and evaluation) of relevant information risks
- Continuous monitoring and review of risks, risk treatments, requirements and criteria
- Appropriate handling of risks
- Ongoing communication of all stakeholders
Never miss a thing...
Our free newsletter keeps you up to date on audits, management systems and certifications. Read our best practice examples and get tips for your schedule.
ISO 27007 - Guide to auditing ISMS
ISO 27007 is a guide for conducting audits and is intended for internal and external auditors who assess an ISMS according to ISO/IEC 27001.
Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
The guide is based heavily on the Guide to auditing management systems (ISO 19011) and provides additional guidance for an information security management system (ISMS).
Here's how you can succeed with the standard:
- Guidance specifically for ISO 27001 ISMS audits
- Guidance on planning and conducting audits integrated from ISO 19011
- Important information on the competencies of ISMS auditors
- Understanding and performing ISMS audits
DQS - what we can do for you
DQS has been a leading specialist in the certification of management systems and processes since 1985. Since then, the history of DQS has been closely linked to the history of ISO 9001. We bring our worldwide know-how and extensive understanding of standards to our customers on about 30,000 audit days per year. So you can see what your options are.
Trust and expertise
Our texts and white papers are written exclusively by our standards experts or long-standing auditors. So is the overview of information security standards. If you have any questions about the text content or our services to our author, please feel free to contact us.
Information security standards: Other topics in the ISO 2700X family of standards
ISO 27003 - Guide to the development and implementation of an ISMS
Information technology - Security techniques - Information security management systems - Guidance.
ISO 27004 - Guidance on information security management measurement methods
Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation.
ISO 27008 - Guidance on the evaluation of information security measures
ISO/IEC TS 27008:2019
Information technology - Security techniques — Guidelines for the assessment of information security controls
ISO 27009 - Guide to the sector-specific application of an information management system
Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements
ISO 27010 - Guidance on information security management for intersectoral and interorganizational communications
Information technology - Security techniques — Information security management for inter-sector and inter-organizational communications
ISO 27011 - Guidance on information security management in the telecommunications sector
Information technology - Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
ISO 27013 - Guidance for the integrated implementation of an ISMS and IT service management
Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO 27014 - 'Governance' of information security
Information security, cybersecurity and privacy protection - Governance of information security
ISO 27016 - Economics of information security management
ISO/IEC TR 27016:2014
Information technology - Security techniques — Information security management — Organizational economics
ISO 27021 - Requirements for the competence of ISMS professionals
ISO/IEC 27021:2017/AMD 1:2021
Techniques — Competence requirements for information security management systems professionals — Amendment 1: Addition of ISO/IEC 27001:2013 clauses or subclauses to competence requirements
ISO 27031 - Guidance on business continuity
Information technology - Security techniques — Guidelines for information and communication technology readiness for business continuity
TIP: Read our blog post on business continuity management to learn what the ISO 22301 standard recommends to ensure a company's continued existence in exceptional situations.
ISO 27032 - Cybersecurity guide
Information technology - Security techniques — Guidelines for cybersecurity
ISO 27033 - Guidance on network security
Information technology - Security techniques - Network security
Part 1: Overview and concepts, Part 2: Guidelines for the design and implementation of network security, Part 3: Reference network scenarios -Threats, design techniques and control issues, Part 4: Securing communications between networks using security gateways, Part 5: Securing communications across networks using virtual private networks (VPNs), Part 6: Securing wireless IP network access
ISO 27034 - Guidance on application security
Information technology - Security techniques - Application security
Part 1: Overview and concepts, Part 2: Organization normative framework, Part 3: Application security management process, Part 4: Validation and Verification, Part 5: Protocols and application security controls data structure, Part 6: Cast studies, Part 7: Assurance prediction framework
ISO 27035 - Guidance on incident management of information security incidents
Information technology - IT security practices - Information security incident management
Part 1: Fundamentals of incident management, Part 2: Guidelines for incident response planning and preparation, Part 3: Guidelines for information and communications technology incident response (draft)
ISO 27036 - Guidance on supplier relationships
Information technology - Security techniques - Information security for supplier relationships
Part 1: Overview and concepts, Part 2: Requirements, Part 3: Guidelines for information and communications technology supply chain security, Part 4: Guidelines for cloud services security
ISO 27037 - Guidelines for handling digital evidence.
Information technology - Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO 27038 - Specification for digital redaction
Information technology - Security techniques - Specification for digital redaction
ISO 27039 - Guidance on intrusion detection systems (IDPS)
Information technology - Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS)
ISO 27040 - Guidance on storage security
Information technology - Security techniques - Storage security
ISO 27041 - Guidance on incident investigation methods
Information technology - Security techniques — Guidance on assuring suitability and adequacy of incident investigative method
ISO 27042 - Guidance on analysis and interpretation of digital evidence.
Information technology - Security techniques — Guidelines for the analysis and interpretation of digital evidence
ISO 27043 - Guidance on incident investigation processes.
Information technology - Security techniques — Incident investigation principles and processes
ISO 27050 - Guidance on electronic detection
Information technology - Electronic discovery
Part 1: Overview and concepts, Part 2: Guidance for governance and management of electronic discovery, Part 3: Code of practice for electronic discovery
ISO 27102 - Guidance on cyber insurance
Information security management — Guidelines for cyber-insurance
ISO 27103 - Guide to cyber security and ISO/IEC standards
ISO/IEC TR 27103:2018
Information technology - Security techniques - Cybersecurity and ISO and IEC standards
ISO 27550 - Privacy engineering for system lifecycle processes
ISO/IEC TR 27550:2019-09
Information technology - Security techniques — Privacy engineering for system life cycle processes
ISO 27799 - Information security management in the health care sector
Health informatics — Information security management in health using ISO/IEC 27002