What is the ISO 27000 series?


Here is the straightforward definition: The ISO 27000 series is a collection of guidance that is used to set a standard for how an organization protects data and similar assets. It comes from a lot of deep thinking and collaboration and has been maintained for over 20 years. Getting introduced to it all at once can be a drink-from-a-firehose experience. The simple explanations below will help it all feel a little less overwhelming.

Keep in mind that ultimately, standards like the ISO 27000 series are about trust. The International Organization for Standardization in conjunction with the International Electrotechnical Commission (collectively referred to as the ISO/IEC) maintains the ISO 27000 family to provide a method for customers and partners to feel confident that an organization is diligently using best practices to protect assets.

What is the International Organization for Standardization (ISO)?

The International Organization for Standardization, also known as the International Standards Organization, is a voluntary, consensus-based, non-governmental standard development organization. Headquartered in Geneva, Switzerland, ISO experts from 167 national standards bodies determine and document best practices to create highly respected and widely adopted standards employed all over the world. For the better part of a century, the ISO has been a leading voice in developing international standards for everything from environmental protection (ISO 14000), to quality management (ISO 9000), to information technology security (ISO/IEC 27000). Their responses to the rapidly evolving field of information technology provide a gold standard for best practices in IT security.


What are the ISO 27000 series standards?

The ISO 27000 series provides information security standards published collectively between ISO and the International Electrotechnical Commission (IEC). The best practices developed by expert teams from these organizations act as a model to guide all types and sizes of organizations to implement and operate a well structured information security management system (ISMS) that protects valuable assets such as financial information, intellectual property, and data of customers, employees, and third parties.

ISO 27000 compliance grows revenue and prevents fines.

Implementing a strong ISMS can prevent and/or reduce the impact of a security incident, protecting your organization from substantial revenue loss and reputational damage. A data breach may come with data protection law penalties or fines, not to mention a slew of additional costs from investigating the breach, customer hotline support, customer credit monitoring, and discounts on future products and services to retain customers. The diminished reputation that comes from a data breach also means decreased customer loyalty and acquisition rates.

Attaining ISO 27000 compliance is not just about protecting your company from disaster, though. It also provides your organization with a heightened status and reliability that will increase revenue. The internationally recognized ISO 27001 certification lets customers know that your organization prioritizes security both internally and externally, making your services stand out in a sea of options. Additionally, utilizing ISO 27000 standards streamlines business-to-business deals. Businesses within supply chains look to globally recognized ISO standards to know that they can rely on partners to meet security expectations.

What are all these ISO 27000 standards, and which ones can help you?

While the ISO 27000 series may seem daunting at first, its exhaustive scope need not be a deterrent. Strike Graph can help identify which standards will benefit your organization. Here are the basics. 

  • ISO/IEC 27001 certification is the backbone of ISO 27000 compliance.
  • A newer standard, ISO/IEC 27701, expands on 27001 for organizations processing personally identifiable information (PII), and can be added on to any ISO/IEC 27001 certification process. 
  • Additional standards expand on these guides providing more detail and/or tailored information for specific sectors and regulations. 

Familiarity with the following standards provides a jumping off point toward achieving compliance with these internationally recognized standards.

ISO/IEC 27001

ISO/IEC 27001 is used by any organization that deals with sensitive information belonging to its customers, clients, third parties, or employees, or relating to proprietary knowledge. While commonly associated with the world of IT, ISO 27001 certification benefits organizations across industries, most notably the financial, telecommunication, health, and government sectors. While many information security management systems focus on data protection in IT, this set of standards calls for a systematic examination of security risks across an organization to develop an overarching management process that protects an organization’s information as a whole on an ongoing basis.

By adopting ISO 27001’s requirements for establishing, implementing, maintaining, and continually improving an ISMS, organizations can ensure the confidentiality, integrity, and availability of sensitive data. Organizations that have achieved ISO 27001 certification are recognized by customers and business partners worldwide for prioritizing the security of sensitive data.

ISO/IEC 27002

While ISO/IEC 27001 is the primary certification standard in the series, ISO 27002 dives deep on every possible security control, from human resources security to systems acquisition to asset management. Organizations that have identified, or are in the process of identifying, the security controls particular to their needs may look to this framework for more details on the controls they wish to implement.

There are two versions of ISO 27002 — a 2013 version and a recently released 2022 version. It’s important to understand the differences between ISO 27002:2013 and ISO 27002:2022 before getting started on any ISO 27000 series certifications.

ISO/IEC 27003

Similar to ISO/IEC 27002, ISO/IEC 27003 supplements the ISO/IEC 27001 certification standard by providing details on creating an ISMS implementation plan. This framework clarifies the ISO’s recommendations (what you should do), as well as possibilities (what you can do) and permissions (what you may do). No new requirements are included here, but this framework can help organizations identify which guidance is most relevant to their own context.

ISO/IEC 27701

ISO/IEC 27701 is a recent addition to the 27000 series that layers in data privacy of personal information on top of the ISMS. A certification add-on to ISO/IEC 27001, this framework helps organizations strengthen privacy protections and meet compliance obligations, such as the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). Organizations that collect personally identifiable information, especially those with multiple jurisdictions for customer bases or operations, benefit from achieving this internationally recognized certification.

ISO/IEC 27017

ISO/IEC 27017 focuses specifically on reducing security risks for cloud-based environments. These standards regulate responsibilities and obligations between cloud service providers and cloud customers, expanding and adding onto ISO/IEC 27002 to outline security controls for the protection of assets, virtual and cloud environments, and additional concerns specific to cloud-based security controls.

ISO/IEC 27018

This standard provides increasingly relevant guidance to cloud providers, focusing on assessing risk and implementing controls for processing personally identifiable information (PII) within cloud services. For cloud-service providers interested in ISO/IEC 27701 add-on certification, ISO/IEC 27018 gets into the specific PII requirements to protect public cloud users.

Achieving ISO 27000 series compliance

ISO/IEC 27001 certification starts with learning about the nature of ISO 27000 series standards, so you’re already on your way! 

Preparing for certification can make or break your success. Using a security compliance platform — like Strike Graph — simplifies and speeds the process. Your organization will also want to appoint one of your team members to shepherd the ISMS implementation process.

Make a plan.

You’ll want to get clear on scope and context early in the ISMS project. Will your ISO 27000 series compliance work be limited to one geographic area or cover the entire organization? How will interested parties, including regulators, employees, and stakeholders, be affected? Additionally, establishing a plan for implementation responsibilities will ease your initial ISO 27001 certification and help you maintain compliance in the long run.

Assess, mitigate, and document.

ISO compliance doesn’t have to be overwhelming when you use a security compliance platform like Strike Graph. Our software walks you through ISO 27001 risks, controls, and evidence, breaking down each step of the process and paving a smooth path to a successful audit. 

Strike Graph takes a risk-based approach to compliance, which means instead of going through an endless security checklist, you answer some initial questions to identify your company’s unique security risks. Then, we provide preloaded, ISO 27000-series controls based on your assessment, eliminating the need to comb through and understand every security control.

To make sure you keep on track with ISO 27000 documentation, Strike Graph provides policy and documentation templates that ensure your proverbial Ts are crossed and Is dotted.

Audit and prepare for certification.

Once you’ve defined controls and provided evidence that you’re implementing them, you’ll need to pull together all of your documentation for your auditor. Strike Graph makes this easy. With a click of a button, you can export your audit documentation packet, ready to send off to your auditor of choice. Then, you wait for certification!

Additional standards

Curious whether additional ISO/IEC standards might be relevant to your organization? Here’s a quick glance at some of the most significant standards.

ISMS implementation

  • ISO/IEC 27014, originally published in 2020, provides a framework for best governance practices with respect to information security.
  • ISO/IEC TR 27016 was published in 2014 to provide guidance assessing the economic impact of information security decisions. It aims to help organizations with cost/benefit analysis for data protection as it interacts with other economic factors like people, facilities, and materials.
  • ISO/IEC 27021, published in 2017, details what constitutes competency in an ISMS professional responsible for the development, maintenance, and improvement of an ISO/IEC 27000 compliant ISMS.
  • ISO/IEC TS 27022, published in 2021, provides an operational, process-oriented point of view for creating and maintaining an ISMS to complement the ISO/IEC 27003’s requirements-focused guidance.
  • ISO/IEC TR 27023 explains the relationship between prior and current versions of ISO/IEC 27001 (certification) and ISO/IEC 27002 (controls) for users migrating from the 2005 versions to the 2013 versions.

Incident management

  • ISO/IEC 27031, published in 2011, focuses on information and communication technology readiness for business continuity. It promotes readiness for emerging events, incidents, and disruptions that could impact critical business functions.
  • ISO/IEC 27035, a 4-part framework, explains the principles of incident management and provides guidance for planning for, preparing for, and responding to ICT incidents. Note: Part 4, on Coordination, is still in development.
  • ISO/IEC 27041 and 27043 look at methods, principles, and processes for investigating information security incidents. 27041 includes evidence-based best practices for ensuring methods are “fit for purpose.” 27043 describes processes and principles for various kinds of investigations, including data corruption and corporate breaches.

Network security

  • ISO/IEC 27033, a seven-part framework published in 2015, focuses on network security with guidelines for design and implementation, as well as scenarios and guidance for security gateways, virtual private networks (VPNs), wireless IPs, and virtualization security.

Application security

  • ISO/IEC 27034 is a seven-part framework published in 2011 to guide organizations managing application security. It addresses in-house developed, third-party, and outsourced applications.

Cybersecurity

  • ISO/IEC 27032, published in 2012, is geared toward cyberspace stakeholders with guidance for improving cybersecurity, in particular information security, network security, internet security, and critical information infrastructure protection (CIIP).
  • ISO/IEC TS 27110, published in 2021, provides guidelines for creating a cybersecurity framework for organizations of any type, size, or nature.

Supply chain security

  • ISO/IEC 27036, a four-part framework updated in 2021, focuses on information security for supplier relationships, including requirements and guidelines for information and communications technology (ICT) supply chain security and cloud services security.

Digital Evidence

  • ISO/IEC 27037 and ISO/IEC 27042 relate to digital evidence with guidelines on the handling of digital evidence, including sharing between jurisdictions, as well as guidance for the analysis and interpretation of it.
  • ISO/IEC 27038 provides guidance for digital redaction of documents, including adequate software tools for ensuring secure redaction. 

Standards for specific sectors

  • ISO/IEC 27019, published in 2013 and updated in 2017, extends ISO 27002’s security control information to energy management, specifically electric power.
  • ISO 27799, published in 2016, focuses on effective information security for health information. It provides tailored guidance for healthcare organizations and other health data custodians implementing controls described in ISO/IEC 27002.
  • ISO/IEC TR 27015 has been withdrawn, but was published in 2012 to provide a framework for information security within organizations providing financial services.

Additional security technique standards

  • ISO/IEC 27039, published in 2015, provides guidance on deploying intrusion detection and prevention systems (IDPS).
  • ISO/IEC 27040 provides guidance for protecting data in storage systems and ecosystems by publicizing the risks involved, recommending practices for securing data, and providing a framework for designing and auditing storage security controls.
  • ISO/IEC 27050, a three-part framework on electronic discovery, explains concepts and provides guidance for governance, management and practices for the identification, collection and production of electronically stored information.

Take a strong security posture starting with ISO 27000 series standards.

ISO/IEC 27000 series standards focus on ongoing InfoSec compliance and improvement. The ISO 27000 series is exhaustive, but it doesn’t have to exhaust you. Strike Graph’s tools streamline your ISO 27000 series compliance process and help ensure you’re audit-ready.

Even better, our cross-framework approach supports multiple certification processes. As your organization grows, there’s no need to reinvent the wheel for new compliance requirements. Strike Graph’s platform leverages work you’ve already done for ISO 27000 series certifications to easily achieve SOC 2, HIPAA, PCI DSS, GDPR, or CCPA compliance. We’ve got you covered!
