Standards Within the ISO 27000 Series
ISO 27001. (Latest version 2005) Originally BS (British Standard) 7799 Part 2, this is the element of the series against which organisations can be certified. As such, it is a series of control element statements that must either be evidenced as being complied with or, with appropriate justification from your Risk Review, ruled as out of scope.
ISO 27002. (Latest version nominally 2005) The "Code of Practice" for Information Security Management. Non-obviously, the oldest part of this series - previously known as BS7799 Part 1 and, more recently, as ISO 17799. ISO27002 provides a detailed framework of guidance on setting up an ISMS and on the ISO27001 control objectives.
ISO 27003. Implementation guidance for ISMS. Not yet published.
ISO 27004. Metrics and Measurement. Not yet published. Measuring the effectiveness of information security is one of the perennial troubles for a professional function that only draws attention when things have gone wrong. This standard will be based upon the June 2005 BSI publication BIP 0074/2006, and will offer guidance on setting up and running a comprehensive regime for monitoring the effectiveness of information security controls.
ISO 27005. Risk Management. This standard has yet to be published but will be based on the current BS7799 Part 3, which is, in turn, a development of ideas from ISO TR (Technical Report - not a standard) 13335. The important thing to note is that different organisations will require widely different risk management approaches - deterministic versus expert; qualitative versus quantitative; tool-based versus free-form - and the standard will need to ensure that existing methodologies, especially the expensive quantitative tool-based approaches often used for large government projects, are not unduly favoured over those suitable for less formal business sectors.
ISO 27006. (Latest version 2007) Certification Bodies. This is further guidance to ISO17021 accredited certification audit bodies on the specific requirements for ISMS auditing. Unlikely to be relevant to many Idrach Ltd customers.
Sector Specific Guidance. A number of industry sector or "domain" specific guides to implementing an ISO 27001-compliant ISMS are currently in development. ISO 27799 is intended to provide guidance for the health services sector.