
We want to start implementing the ISMS according to ISO 27001. Now I know that the ISO 2700x family consists of a lot of standards, a lot of them being industry-specific standard documents.

My question is: which documents are the most necessary to buy / read when starting with the implementation?

We will get external partners to help with the implementation, but at the moment we need to tell the management what the costs will be.

Tobias
  • The question is "what do you want to implement?". Are you just implementing an ISMS? Do you want to certify? What does implementing ISO 27001 do for you? – schroeder Jan 24 '19 at 09:01
  • The short answer is if you want to implement ISO 27001, then you purchase that standard document. – schroeder Jan 24 '19 at 09:27
  • @schroeder A far goal would be to some day certify ISO 27001. More important is a proprietary standard created by our industry association, based on ISO 27001. The first question in their catalogue is whether an ISMS according to ISO 27001 and the SoA are implemented. – Tobias Jan 24 '19 at 09:33
  • Then that's your answer: you just need that one standard. – schroeder Jan 24 '19 at 09:36

1 Answer

There are several dependencies between the standards in the ISO 2700x series, also called the "ISMS family of standards", that are not clear from the beginning, so your question is absolutely justified.

Fortunately there is a figure for that:

[Figure: ISMS family of standards relationships. Source: ISO/IEC 27000:2016]

What every single standard does can be somewhat inferred from their names. So here's a short list:

Vocabulary standard:

  • ISO/IEC 27000, Information security management systems — Overview and vocabulary

Requirement standards:

  • ISO/IEC 27001, Information security management systems — Requirements
  • ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 — Requirements

Guideline standards:

  • ISO/IEC 27002, Code of practice for information security controls
  • ISO/IEC 27003, Information security management system implementation guidance
  • ISO/IEC 27004, Information security management — Measurement
  • ISO/IEC 27005, Information security risk management
  • ISO/IEC 27007, Guidelines for information security management systems auditing
  • ISO/IEC TR 27008, Guidelines for auditors on information security controls
  • ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000‑1
  • ISO/IEC 27014, Governance of information security
  • ISO/IEC TR 27016, Information security management — Organizational economics

Sector-specific guideline standards:

  • ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC TR 27015, Information security management guidelines for financial services
  • ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27019, Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

You won't need every single one of these. It is best to start with ISO 27000 to get a good overview. All the dependencies within the ISMS family of standards are explained there. Luckily this standard is available for free on the ISO website, although a little hidden [1]. After you have understood what you want, you should know which standards to buy.

But the important part here is this: the cost of buying the standards is probably insignificant (100 CHF+ per standard) in comparison to all the costs you will have when implementing your ISMS and getting ready to be audited. This is a very long and somewhat expensive process. Worrying that the 200 CHF you will maybe pay the ISO is too expensive is the wrong mindset for this.

[1] You can visit this site: https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html or look for "Publicly Available Standards".

Tom K.
  • In the end, based on what the OP states is required, the only standard required is 27001. The rest is useful to know how they all relate, but the answer is still very simple: the one standard. – schroeder Jan 24 '19 at 13:32
  • @schroeder A lot of folks say, like the OP, "we want to get certified according to ISO/IEC 27001" and mean something else. Also, a lot of context is only given by other standards in the ISMS family of standards. You do not really understand ISO/IEC 27001 without reading some of the other documents listed. That is why I compiled the list. Another reason is that now this answer is maybe a bit more helpful to others who want to get started in this process. – Tom K. Jan 24 '19 at 13:51
  • The ask is not to get certified, but to satisfy a 3rd party requirement to have a 27001 compliant ISMS. That's a much simpler ask. – schroeder Jan 24 '19 at 13:53
  • I myself could not analyse an ISMS and prove that it is "an ISMS according to ISO 27001" with ISO/IEC 27001 as my only standard on hand. For instance, all controls that are listed in the Annex only have a short description. The explanation of these controls can be checked in ISO/IEC 27002. – Tom K. Jan 24 '19 at 14:05
  • Thank you for your responses. One quick follow-up question: I read that a basic part of ISO 27001 is risk analysis over all assets; how necessary is reading 27005? – Tobias Jan 29 '19 at 06:28
  • @Tobias IMO it is advised to read it. – Tom K. Feb 05 '19 at 12:33