ISO 27000 compliance primer

The last two articles on compliance covered the Health Insurance Portability and Accountability Act (HIPAA), with its ramifications for healthcare providers and business associates, and the Payment Card Industry Data Security Standard (PCI-DSS), which provides guidelines for securely handling credit card and related personal data. This article outlines the ISO (International Organization for Standardization) 27000 series and its benefits for organizations.


ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts. The first part of BS 7799, dealing with the best practices of information security, was incorporated into ISO 17799 and made part of the ISO 27000 series in 2000. Part two, titled "Information Security Management Systems – Specification with Guidance for Use", became ISO 27001 and dealt with the implementation of an information security management system. The third part was not incorporated into the ISO 27000 series. Similar to ISO's 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a certain level of information security maturity.

Overview of the ISO 27000 sections

The six parts of the 27000 series each deal with a different area of an Information Security Management System (ISMS). This document will briefly outline each part and then concentrate on ISO 27001, the part that details the requirements for an ISMS. An overview of what the series covers can be found in the table below.

ISO 27000 Series

  Part        Subject
  ISO 27001   ISMS requirements
  ISO 27002   ISMS controls
  ISO 27003   ISMS implementation guidelines
  ISO 27004   ISMS measurements
  ISO 27005   Risk management
  ISO 27006   Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard. ISO 27002 builds on ISO 27001 by describing the various controls that can be used to meet the requirements of ISO 27001. ISO 27003 provides details on the implementation of the standard, including project approval, scope, analysis, risk assessment, and ISMS design. ISO 27004 outlines how an organization can monitor and measure security against the ISO 27000 standards using metrics. ISO 27005 defines the high-level risk management approach recommended by ISO, and ISO 27006 outlines the requirements for organizations that will assess ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for "establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements defining the organization's security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within, or leaving an organization.
  • Physical and environmental security – physical/tangible measures used to protect systems and data, such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning for and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

Within the ISO 27001 document there are specifications against which a company's ISMS can be assessed for potential certification. An accredited certification body audits the ISMS against the requirements outlined in ISO 27001; once it determines that the company has met those requirements, the certification is granted. Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential demonstrating that the company meets the requirements of this well-recognized standard. It also gives employees and clients more assurance that their data is safe with the company. In some cases, companies may require ISO certification in order to do business. The ISO 27000 standard contains many useful recommendations, and companies are encouraged to familiarize themselves with them even if they do not plan on becoming certified. The standard itself must be purchased; however, qualified compliance practitioners can assist with the preparation for the compliance effort.


ISO 27000 consists of six parts outlining the requirements for certification, guidelines for achieving those requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security. Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.

4 thoughts on "ISO 27000 compliance primer"

  1. I find many of the arguments for ISO 27000 unconvincing but you gave me something other than hype. “Compliance with the ISO standards provides companies with a credential which demonstrates that the company is in compliance with the requirements of this well-recognized standard.” – Vanderburg

  2. What exactly are the standards for ISO 27000? I heard there are 15 sections.

    Can someone provide some clarity?

    Thank you.

    • You are correct. ISO 27002 has 15 clauses as follows:
      Terms and Definitions
      Structure of the Standard
      Risk Assessment and Treatment
      Security Policy
      Organization of Information Security
      Asset Management
      Human Resources Security
      Physical and Environmental Security
      Communications and Operations Management
      Access Control
      Information Systems Acquisition, Development and Maintenance
      Information Security Incident Management
      Business Continuity Management

      The last 11 of these contain 39 security categories that map to the Annex A of ISO 27001. Each of these 39 categories lists a control objective (what needs to be accomplished) and a selection of controls that can meet the control objective (133 in all).

  3. Are people seeing the demand for this certification? Most companies want you to agree to their security & data privacy terms, and are not asking for ISO 27000, in my experience.
