The ISO/IEC 270001 series of standards, also called the ISO27K series, is a series of guidelines intended to help companies improve their data security. The series discusses how to apply the finest information management techniques.
Companies can achieve this by setting out the specifications of the ISMS (Information Security Management System). ISMS is a systemic approach to risk control. Thus, it incorporates steps covering the three foundations of information security. Namely, people, processes, and technology.
The sequence comprises 46 individual standards, ISO 27000 included. This introduces the family and the clarification of key terms and meanings.
You don’t need a thorough knowledge of ISO principles to see how the series operates. Some of them won’t be important to your company. There are, though, a few main ones that needed consideration.
ISO27K: ISO 27001
This is the core standard of the ISO 27000 series. Hence, it provides the specifications for ISMS implementation. This is essential, as the ISO IEC 27001: 2013 is the only standard in the sequence that companies can be audit and certified against. That because it offers an outline of what you intend to do to ensure conformity and applies to the following requirements.
ISO27K: ISO 270002
This is an additional standard that provides an outline of the information security controls that organizations can choose to carry out. Thus, it is only expected of organizations to install controls they consider important. Something that would become clear through a risk evaluation.
It explains controls in Annex A of ISO 27001, but although this is simply a brief rundown, ISO 27002 provides a more detailed description. Detailing how each control operates, what its purpose is, and how it applies.
ISO 27017 and ISO 27018
During the year 2015, they adopted these ISO standards, describing how companies can secure confidential cloud information. Recently, this has been relevant when companies move most of their confidential data onto web servers.
ISO 27017 is the information management code of practice. It includes additional information about how to implement controls in Annex A to the information stored in the Cloud.
You have the option of handling them as a different collection of controls under ISO 27001. So for your ‘normal’ data, you’d select a set of controls from Annex A and a set of controls from ISO 27017 for data in the cloud. ISO 27018 operates exactly the same way, except with personal data, with additional consideration.
Why use the standard ISO 27000-series?
Data leaks remain one of the greatest threats facing organizations in terms of information security. These days, they use confidential data in all fields of industry, growing its importance for legal and illegal use.
That is why, using ISO 27001 as a guideline for successful protection, companies are increasingly investing in their defenses. ISO 27001 will be applicable to companies of any scale and in any field. Furthermore, the broadness of the system ensures that the application can still be suitable for the size of the enterprise.