4

We want to start implementing the ISMS according to ISO 27001. Now I know that the ISO 2700x familiy consists of a lot of standards, a lot of them beeing industry-specific standard documents.

My question is: which documents are the most necessary to buy / read when starting with the implementation?

We will get external partners to help with the implementation, but at the moment we need to tell the management what the costs will be.

Improve this question
4
  • The question is "what do you want to implement?". Are you just implementing a ISMS? Do you want to certify? What does getting implementing ISO 27001 do for you?
    – schroeder
    Commented Jan 24, 2019 at 9:01
  • The short answer is if you want to implement ISO 27001, then you purchase that standard document.
    – schroeder
    Commented Jan 24, 2019 at 9:27
  • @schroeder a far goal would be to some day certify ISO 27001. More important is a protprietary standard created by our industry association, based on ISO 27001. First question in there catalogue is, if an ISMS according to ISO27001 and the SOA are implemented.
    – Tobias
    Commented Jan 24, 2019 at 9:33
  • 1
    Then that's your answer: you just need that one standard
    – schroeder
    Commented Jan 24, 2019 at 9:36

1 Answer 1

Reset to default
5

There are several dependencies between the standards in the ISO2700X series also called the "ISMS family of standards" that are not clear from the beginning - so your question is absolutely justified.

Fortunately there is a Figure for that:

ISMS family of standards relationships Source: ISO/IEC 27000:2016

What every single standard does can be somewhat inferred from their names. So here's a short list:

Vocabulary standard:

  • ISO/IEC 27000, Information security management systems — Overview and vocabulary

Requirement standards:

  • ISO/IEC 27001, Information security management systems — Requirements
  • ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 — Requirements

Guideline standards:

  • ISO/IEC 27002, Code of practice for information security controls
  • ISO/IEC 27003, Information security management system implementation guidance

  • ISO/IEC 27004, Information security management — Measurement

  • ISO/IEC 27005, Information security risk management

  • ISO/IEC 27007, Guidelines for information security management systems auditing

  • ISO/IEC TR 27008, Guidelines for auditors on information security controls

  • ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000‑1

  • ISO/IEC 27014, Governance of information security
  • ISO/IEC TR 27016, Information security management — Organizational economics

Sector-specific guideline standards:

  • ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

  • ISO/IEC TR 27015, Information security management guidelines for financial services

  • ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud services

  • ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27019, Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

You don't won't need every single one of these. It is best to start with the ISO27000 to get a good overlook. All the dependencies within the ISMS family of standards are explained here. Luckily this standard is available for free on the ISO website, although a little hidden1. After you have understood what you want you should know what standards to buy.

But, the important part here is this: the cost for buying the standards is probably insignificant (100 CHF+ per standard) in comparison to all the cost you will have when implementing your ISMS and getting ready to be audited. This is a very long and somewhat expensive process. Worrying that the 200 CHF you will maybe pay the ISO is too expensive, is the wrong mindset for this.

1 You can visit this site: https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html or look for "Publicly Available Standards".

Improve this answer
6
  • In the end, based on what the OP states is required, the only standard required is 27001. The rest is useful to know how they all relate, but the answer is still very simple: the one standard.
    – schroeder
    Commented Jan 24, 2019 at 13:32
  • 1
    @schroeder A lot of folks say - like the OP - "we want to get certified according to the ISO/IEC27001" and mean something else. Also a lot of context is only given from other standards in the ISMS family of standards. You do not really understand the ISO/IEC 27001 without reading some of the other documents listed. That is why I compiled the list. Another reason is, that now this answer is maybe a bit more helpful to others that want to get started in this process.
    – Tom K.
    Commented Jan 24, 2019 at 13:51
  • The ask is not to get certified, but to satisfy a 3rd party requirement to have a 27001 compliant ISMS. That's a much simpler ask.
    – schroeder
    Commented Jan 24, 2019 at 13:53
  • 1
    I myself could not analyse an ISMS and prove that it is "an ISMS according to ISO27001" only with the ISO/IEC 27001 as my only standard on hand. For instance all controls that are listed in the Annex only have a short description. The explanation of these controls can be checked in the ISO/IEC 27002.
    – Tom K.
    Commented Jan 24, 2019 at 14:05
  • 1
    @Tobias IMO it is advised to read it.
    – Tom K.
    Commented Feb 5, 2019 at 12:33

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .