
Support

• ISO/IEC 27003: Information security management system implementation guidance
• ISO/IEC 27004: Information security management: Monitoring, measurement, analysis and evaluation
• ISO/IEC 27005: Information security risk management
• ISO/IEC 27017: Information security for cloud services
• ISO/IEC 27018: Protecting Personally Identifiable Information in the cloud
• ISO/IEC 27032: Guidelines for cybersecurity
• ISO/IEC 27033: Network security (multiple parts)
• ISO/IEC 27034: Application security (multiple parts)
• ISO/IEC 27035: Information security incident management (multiple parts)
• ISO/IEC 27036: Information security for supplier relationships (multiple parts)
• ISO/IEC 27037: Identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27039: Intrusion prevention
• ISO/IEC 27042: Analysing digital evidence
• ISO/IEC 27043: Incident investigation
• ISO/IEC 27701: Privacy information management

It’s worth pointing out that, although useful, none of these are required reading for certification to ISO/IEC 27001. If you are limited in time and budget, a copy of ISO/IEC 27001 itself will suffice. (If you haven’t purchased the standard yet, we would recommend you look at our Enhanced Gap Assessment Tool as an alternative: it includes all of the requirements in the standard, but in a more useful format.)

There’s no obligation to go for certification to ISO/IEC 27001 and many organizations choose to simply use the standard as a set of good practice principles to guide them along the way to managing their information security risks.

One subject worth mentioning is what ISO calls “Annex SL” (also called the “High Level Structure” and, more recently, “Annex L”). This is a very obscure name for a concept that represents a big change in ISO management system standards, and ISO/IEC 27001 was an early adopter of it. A number of ISO standards require the organization to operate a “management system” to address the specific subject of the standard. Some of the main examples are:

• ISO 9001: Quality management
• ISO 14001: Environmental management
• ISO 45001: Occupational health and safety
• ISO 50001: Energy management
• ISO 22301: Business continuity management
• ISO/IEC 20000: IT service management

Traditionally, each of these standards has had a slightly different way of implementing and running a management system, and the wording of the standards has sometimes varied quite significantly. This is OK until an organization decides to run a single management system across multiple standards, for example ISO 9001 and ISO/IEC 27001. Then it becomes
