Secure Your Business



Thanks to the publication of the ISO/IEC 27001 Standard in October 2005, the topic of information security was lifted to an international level. The British predecessor model BS 7799-2 became a standard recognised worldwide. In 2007, the Code of Practice BS 7799-1 was turned into ISO 27002 and became the first non-certifiable supplementary standard of the ISO-27k Family. The dynamism is reflected in the number of certifications, which has grown constantly worldwide, with more than 2,000 new certifications each year. Currently both standards are available in the revised versions ISO/IEC 27001:2013 and ISO/IEC 27002:2013.


When announcing new supplementary standards for ISO-27k, the International Organization for Standardization set a strong signal for the future. The standard for information security is constantly being extended by adding sector- and topic-specific subjects. As early as 2008, the “Guideline for Information Security Risk Management” ISO/IEC 27005 followed. In the meantime, however, this supplementary standard has lost its significance, because the revised standard ISO 27001:2013 refers to ISO 31000 for enterprise risk management, which takes a completely different approach.


New supplementary standards of the ISO 27k Series*


ISO/IEC 27000: In “Fundamentals and Vocabulary”, ISO 27000 gives an overview of the ISO-27x Standards and the special vocabulary of the certification standard ISO 27001, and gives an introduction to the contents.


ISO/IEC 27003: This guideline for the implementation of an information security management system (ISMS) describes the process of ISMS specification and design – also covering the preparation and planning activities prior to the actual implementation.


ISO/IEC 27004: The supplementary standard for “Information Security Management Measurements” is intended to help measure the effectiveness of an ISMS within the optimization cycle and includes measuring techniques relating to benchmarking and performance targeting. The contents are aimed at ISO-27001 processes and controls according to ISO 27002.


ISO/IEC 27006: The “Requirements for Certification Bodies” guide certification bodies through the formal process of registration and certification of other organisations.


ISO/IEC 27007: guideline for auditing information security management systems
ISO/IEC 27008: guidance on auditing information security controls
ISO/IEC 27009: security techniques - sector-specific application of ISO/IEC 27001 - requirements
ISO/IEC 27010: guidance on information security management for inter-sector communications


Supplementary standards of the ISO 27k Series for sectors and special topics*


ISO/IEC 27799: The guideline “Health Informatics - information security management in health using ISO/IEC 27002” includes best practices for the healthcare sector. Such topics as safe handling of patient data, sound and video recordings, archival or transmission of data are included.


ISO/IEC 27011: The standard serves as a guideline for “Information Security Management ... for Telecommunications Organizations” and is also known as ITU X.1051.


ISO/IEC 27013: guidance on the integrated implementation of ISO 20000 and ISO 27001
ISO/IEC 27014: information security governance
ISO/IEC 27015: information security management systems guidance for financial services
ISO/IEC 27017: code of practice for information security controls based on ISO 27002 for cloud services
ISO/IEC TR 27019: guidelines for process control systems specific to the energy industry
ISO/IEC 27031: ICT-focused standard on business continuity
ISO/IEC 27032: guidelines for cyber security
ISO/IEC 27033: replaces ISO/IEC 18028 on IT network security
ISO/IEC 27034: guidelines for application security
ISO/IEC 27035: replaces ISO TR 18044 on security incident management
ISO/IEC 27036: guideline for security of outsourcing
ISO/IEC 27037: guideline for digital evidence


* These standards are not certifiable. Their contents refer to the requirements placed by the certification standard ISO 27001 or the Code of Practice for information security controls ISO/IEC 27002.






CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com