An Overview of ISO/IEC 27000 family of Information Security Management System Standards

What is ISO/IEC 27001?

The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as “Information technology — Security techniques — Information security management systems — Requirements”. ISO/IEC 27001:2013 (hereafter referred to as ISO/IEC 27001) is the most recent edition of the ISO/IEC 27001 standard; it revises the previous edition published in 2005 (ISO/IEC 27001:2005).

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The ISMS presents a systematic approach to keeping sensitive information secure. It manages people, processes and IT systems through applying risk management processes. The ISMS suits not only large organisations but also small and medium businesses.

ISO/IEC 27001 is designed to be used in conjunction with supporting controls, an example of which is published in ISO/IEC 27002:2013 (hereafter referred to as ISO/IEC 27002). ISO/IEC 27002 details 114 security controls, organised into 14 sections and 35 control objectives. The tables of contents of ISO/IEC 27001 and ISO/IEC 27002 are provided in Appendix A.

Compliance with ISO/IEC 27001 can be formally assessed and certified by an accredited certification body. An ISMS certified against the ISO/IEC 27001 standard demonstrates an organisation’s commitment to information security and provides confidence to its customers, partners and stakeholders.

ISO/IEC 27001 Certification Requirements

To meet ISO/IEC 27001 certification requirements, an organisation’s ISMS must be audited by an internationally accredited certification body. Requirements in sections 4 to 10 of ISO/IEC 27001 (see Appendix A) are mandatory requirements with no exclusion allowed. Having passed the formal audit, the certification body awards the organisation an ISO/IEC 27001 certificate for its ISMS. The ISO/IEC 27001 certificate is valid for 3 years, after which the ISMS needs to be re-certified.

During the 3-year validity period, an organisation must perform certificate maintenance to confirm that the ISMS remains compliant, operates as specified, and continually improves. To maintain the certification, the certification body will visit the ISMS site at least once a year to carry out a surveillance audit. During a surveillance audit, only a portion of the ISMS is audited. Towards the end of the 3-year period, the certification body audits the entire ISMS.

Published by the Office of the Government Chief Information Officer. Updated in Nov 2020.

Benefits of ISO/IEC 27001 Certification

An organisation certified to ISO/IEC 27001 gains benefits to its internal security as well as to its external competitiveness.

Internally, by adopting ISO/IEC 27001, an organisation can:
- Form a basis to enable the secure exchange of information and to protect data privacy, in particular relating to sensitive information;
- Manage and lower risk exposure, hence less chance of incidents being realised, in turn reducing the time and money spent on responding to incidents;
- Strengthen the internal organisation and improve the security structure of the business, such as by clearly defining responsibilities and duties related to information security;
- Reduce the resources needed to complete security-related information when bidding for contracts, as well as for on-going submissions after contracts are awarded, as required by clients.

Externally, by publicising the fact that it is certified to ISO/IEC 27001, an organisation can:
- Provide customers and stakeholders with confidence in how it manages risks and the security of their sensitive information;
- Facilitate compliance with legal obligations such as the Personal Data (Privacy) Ordinance (PD(P)O);
- Receive a competitive advantage, which assists the organisation to attract more investors and customers;
- Improve consistency in the delivery of its services and products, thus enhancing customer satisfaction and client retention;
- Safeguard and enhance the organisation’s reputation, as its security processes have been validated by an independent certification body, and hence improve protection for the organisation, its assets, shareholders and directors;
- Be better prepared to face ever-increasing customer expectations. Nowadays the community is becoming more sensitive to information security incidents. Certification to a recognised international standard may gradually become a pre-requisite imposed by many customers.

Certification Bodies

The ISO/IEC 27001 certification process involves the accreditation of certification bodies. Such accreditation is granted to organisations that have demonstrated that they fully meet the requirements of the international standards ISO/IEC 17021 “Conformity assessment – Requirements for bodies providing audit and certification of management systems” and ISO/IEC 27006 “Requirements for bodies providing audit and certification of information security management systems”. The accreditation service for ISO/IEC 27001 certification was officially launched by the Hong Kong Accreditation Service (HKAS) on 15 November 2011. Certification bodies can contact HKAS and apply for accreditation on a voluntary basis.

Costs for Certification

For initial certification, the costs include both implementing the ISMS and certifying it against ISO/IEC 27001. The cost of implementation depends largely on the gaps between the existing security controls and the controls required within the organisation; it covers the costs and resources for implementing security controls, writing documentation, training staff, etc. The certification itself includes the cost of the external auditors (who charge a certain rate per day), application fees, certificate fees, maintenance fees, etc.

Adoption in Hong Kong

According to the ISO Survey 2019, at least 36,362 ISO/IEC 27001 certificates have been issued in 133 countries and economies worldwide. In 2019, the top three countries for the total number of certificates issued were China (8,356), Japan (5,245) and the United Kingdom of Great Britain and Northern Ireland (2,818). According to the same survey, the number of certificates acquired in Hong Kong was 158. The number included some government departments certified against ISO/IEC 27001 for specific functional areas.

Overview of the ISO/IEC 27001 Implementation and Certification Process

ISO/IEC 27001 Implementation

1. Define information security policy
   Task: Identify business objectives and obtain management support to implement a security improvement program.
2. Define scope of the ISMS
   Task: Compare the existing information security management system against the requirements of ISO/IEC 27001 and select which business units, departments or systems are to be covered by the ISMS.
3. Perform a risk assessment
   Task: Define a method of risk assessment, inventory the information assets to protect, and rank assets according to risk classification based on the risk assessment.
4. Manage the identified risk
   Task: Create a risk treatment plan to identify appropriate management actions, resources, responsibilities and priorities for managing information security risks.
5. Select controls to be implemented
   Task: Prepare a Statement of Applicability (SoA) to document which of the controls (e.g. the 114 security controls from ISO/IEC 27002) are applicable to the ISMS and the way they will be implemented.
6. Implement controls
   Task: Develop programs to implement the identified controls.

ISO/IEC 27001 Certification

7. Prepare for certification
   Task: Operate the ISMS and conduct a full cycle of internal audits, management reviews and activities.
8. Apply for certification
   Task: Proceed to the certification application, which includes stages of document review and on-site compliance audit.
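As an added illustration of steps 3 to 5 above (example code written for this overview, not part of the OGCIO document or of the standard): a constructed risk register is ranked by likelihood times impact, a risk treatment plan with owners and priorities is derived from an assumed accepted risk level, and a Statement of Applicability is generated for a small constructed control catalogue whose section names are those listed for ISO/IEC 27002 in Appendix A. The control identifiers, assets, threats, owners and the three-point rating scale are assumptions made for the example.

```python
from dataclasses import dataclass

# Three-point rating scale assumed for the example; risk score = likelihood x impact.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed control catalogue: id -> (ISO/IEC 27002:2013 section as named in
# Appendix A, control name). A real SoA covers all 114 controls of the standard.
CATALOGUE = {
    "A.9.2.3": ("Access control", "Management of privileged access rights"),
    "A.10.1.1": ("Cryptography", "Policy on the use of cryptographic controls"),
    "A.11.1.2": ("Physical and environmental security", "Physical entry controls"),
    "A.12.3.1": ("Operations security", "Information backup"),
    "A.13.1.1": ("Communications security", "Network controls"),
    "A.16.1.2": ("Information security incident management",
                 "Reporting information security events"),
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"
    controls: tuple   # catalogue ids that would modify this risk
    owner: str        # who is responsible for the treatment action

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

def rank_risks(risks):
    """Step 3: rank the asset inventory by risk classification, highest first."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset, r.threat))

def treatment_plan(risks, appetite=3):
    """Step 4: risks scoring above the accepted level get a prioritised
    treatment entry with owner and controls; the rest are recorded as accepted."""
    plan = []
    for priority, r in enumerate(rank_risks(risks), start=1):
        option = "modify" if r.score() > appetite else "accept"
        plan.append({"priority": priority, "asset": r.asset, "threat": r.threat,
                     "score": r.score(), "option": option, "owner": r.owner,
                     "controls": r.controls if option == "modify" else ()})
    return plan

def statement_of_applicability(risks, appetite=3):
    """Step 5: list every catalogue control as applicable or not, with the
    justification (the risks it treats) that a certification auditor asks for."""
    needed = {}
    for entry in treatment_plan(risks, appetite):
        for cid in entry["controls"]:
            needed.setdefault(cid, []).append(f"{entry['asset']}: {entry['threat']}")
    soa = {}
    for cid, (section, name) in CATALOGUE.items():
        reasons = needed.get(cid, [])
        soa[cid] = {"section": section, "control": name, "applicable": bool(reasons),
                    "justification": "; ".join(reasons) or "no in-scope risk requires it"}
    return soa

# Constructed risk register for a small ISMS scope (a payroll system and its office).
REGISTER = (
    Risk("payroll database", "privileged account misuse", "medium", "high",
         ("A.9.2.3", "A.16.1.2"), "IT manager"),
    Risk("payroll database", "loss of data after storage failure", "medium", "high",
         ("A.12.3.1",), "IT manager"),
    Risk("office network", "eavesdropping on internal traffic", "low", "medium",
         ("A.13.1.1", "A.10.1.1"), "Network lead"),
    Risk("payroll office", "unauthorised entry", "low", "high",
         ("A.11.1.2",), "Facilities"),
)
```

Lowering the accepted risk level (the `appetite` argument) pulls more controls into the applicable set, which is the lever an organisation adjusts when scoping the ISMS in step 2.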

Family of ISO/IEC 27000

The ISO/IEC 27000 family of standards (see Appendix B) consists of inter-related standards and guidelines, already published or under development, and contains a number of significant structural components. These components are focused upon normative standards describing ISMS requirements (ISO/IEC 27001), certification body requirements (ISO/IEC 27006) for those certifying conformity with ISO/IEC 27001, and an additional requirements framework for sector-specific implementations of the ISMS (ISO/IEC 27009). Other standards and guidelines provide guidance for various aspects of an ISMS implementation, addressing a generic process as well as sector-specific guidance.

The current version of ISO/IEC 27001 was released in 2013. Apart from the most mentioned ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018, some other standards in the ISO/IEC 27000 family are also widely referenced. Some examples are:

- ISO/IEC 27000 – “Information security management systems -- Overview and vocabulary” provides an overview of ISMS, and the terms and definitions commonly used in the ISMS family of standards. To ensure consistency in adopted terminology, all 27000 family standards rely on the terms and definitions provided in ISO/IEC 27000. This standard provides readers with an overall starting point by which they can get introduced to the 27000 family.
- ISO/IEC 27003 – “Information security management systems -- Guidance” provides guidance on the requirements for an ISMS as specified in ISO/IEC 27001, as well as the recommendations, possibilities and permissions in relation to the requirements.
- ISO/IEC 27004 – “Information security management -- Monitoring, measurement, analysis and evaluation” provides guidelines to assist organisations in evaluating the information security performance and the effectiveness of an ISMS in order to fulfil the monitoring, measurement, analysis and evaluation requirements specified in ISO/IEC 27001.
- ISO/IEC 27005 – “Information security risk management” provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
- ISO/IEC 27017 – “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” provides guidelines supporting the implementation of information security controls for cloud service consumers and providers. The selection of appropriate controls and the application of the implementation guidance are based on risk assessment and other requirements for the use of cloud services. The standard is accompanied by ISO/IEC 27018 to cover the wider information security angles of cloud computing in addition to privacy.
- ISO/IEC 27031 – “Guidelines for information and communication technology readiness for business continuity” describes information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects for improving an organisation's ICT readiness to ensure business continuity.
- ISO/IEC 27035-1 – “Information security incident management -- Part 1: Principles of incident management” provides basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing and responding to incidents, and applying lessons learnt.
- ISO/IEC 27035-2 – “Information security incident management -- Part 2: Guidelines to plan and prepare for incident response” provides guidelines to plan and prepare for incident response.
- ISO/IEC 27036-4 – “Information security for supplier relationships -- Part 4: Guidelines for security of cloud services” defines guidelines supporting the implementation of an ISMS for the use of cloud services.
- ISO/IEC 27037 – “Guidelines for identification, collection, acquisition and preservation of digital evidence” provides guidelines for specific activities in the handling of digital evidence, namely the identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value.

Personally Identifiable Information (PII) in Cloud Computing

Cloud computing is now evolving like never before. This trend will continue to grow and develop in the coming few years. It is well known that cloud computing has potential advantages: it is a cost-efficient method to use, maintain and upgrade; backup and recovery in cloud computing are relatively easier than with traditional methods of data storage; and it gives the advantage of quick deployment and easy access to information.

Some organisations are migrating applications to the cloud. From the organisations' perspective, cloud computing security is of great concern, especially on data security and privacy protection issues, and remains the primary inhibitor for adoption of cloud computing services.

The ISO/IEC 27018:2019 (hereafter referred to as ISO/IEC 27018) standard is known as “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”. It is the first international standard focusing on the protection of personal data in the public cloud. ISO/IEC 27018 primarily sets forth commonly accepted control objectives, controls and guidelines pertaining to the protection of PII that is processed by public cloud service providers (i.e., PII processors).

ISO/IEC 27018 has been designed for all types and sizes of organisations in the private and public sector providing information processing services via the cloud as PII processors.

PII Protection Controls of ISO/IEC 27018

ISO/IEC 27018 was developed taking into account the requirements already contained in ISO/IEC 27002. It augments ISO/IEC 27002 in two ways: firstly, by supplementing implementation guidance for those controls prescribed by ISO/IEC 27002; and, secondly, by providing additional controls and associated guidance that are tailored to address public cloud PII protection requirements not covered by the ISO/IEC 27002 control set.

For the first approach, ISO/IEC 27018 provides additional implementation guidance on the following 11 ISO/IEC 27002 controls:
- Information security policies
- Organization of information security
- Human resource security
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- Information security incident management
- Information security aspects of business continuity management
- Compliance

For the second approach, Annex A of ISO/IEC 27018 lists 11 extended ISO/IEC 27002 controls to meet the requirements for PII protection which apply to public cloud service providers acting as PII processors. These extended controls are classified under the 11 privacy principles in ISO/IEC 29100:2011 (hereafter referred to as ISO/IEC 29100), known as “Information technology — Security techniques — Privacy framework”. The privacy principles of ISO/IEC 29100 are provided in Appendix A.

Benefits of ISO/IEC 27018

ISO/IEC 27018 is applicable to the processing of PII obtained from a customer for the purposes determined by the customer under its contract with the cloud service provider. By adopting ISO/IEC 27018, an organisation can:
- Use it as a guideline to facilitate compliance with the relevant data protection requirements;
- Win the confidence of customers to entrust their data to the cloud, and thus broaden its customer base; and
- Assist a public cloud service provider operating in a multinational market in coping with various national data protection standards and performing complex assessments in each jurisdiction.

Afterword

ISO/IEC 27001 lays out a formal specification for an ISMS, with the emphasis very much on the “management system” rather than on “information security”. A certified ISMS provides a strong indication that an organisation is using a systematic approach for the identification, assessment and management of information security risks. If there is an effective ISMS in operation, then the ISMS will ensure that there are adequate security controls in place. The ISO/IEC 27001 certificate has marketing potential and should help improve credibility and enhance customer confidence.

Appendix A

Table of contents of ISO/IEC 27001:2013
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A Reference control objectives and controls
Bibliography

Table of contents of ISO/IEC 27002:2013
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this standard
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
Bibliography

The privacy principles of ISO/IEC 29100:2011
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Appendix B

The following ISO/IEC 27000-series information security standards are either published or currently being developed (Note: TR refers to Technical Report; TS refers to Technical Specification). This copy of the table is cut off partway through the title of ISO/IEC 27013; the titles of the remaining rows are not present in it.

Standard | Published | Title
ISO/IEC 27000 | 2018 | Information security management systems -- Overview and vocabulary
ISO/IEC 27001 | 2013 | Information security management systems -- Requirements
ISO/IEC 27002 | 2013* | Code of practice for information security controls
ISO/IEC 27003 | 2017 | Information security management systems -- Guidance
ISO/IEC 27004 | 2016 | Information security management -- Monitoring, measurement, analysis and evaluation
ISO/IEC 27005 | 2018* | Information security risk management
ISO/IEC 27006 | 2015* | Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007 | 2020 | Guidelines for information security management systems auditing
ISO/IEC TS 27008 | 2019 | Guidelines for the assessment of information security controls
ISO/IEC 27009 | 2020 | Sector-specific application of ISO/IEC 27001 -- Requirements
ISO/IEC 27010 | 2015* | Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011 | 2016* | Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
ISO/IEC 27013 | 2015* | Guidance on the integrated implementation of ISO/IEC 2700
ISO/IEC 27014 | 2013* |
ISO/IEC TR 27016 | 2014 |
ISO/IEC 27017 | 2015* |
ISO/IEC 27018 | 2019 |
ISO/IEC 27019 | 2017 |
ISO/IEC 27021 | 2017 |
ISO/IEC 27022 | Draft |
ISO/IEC TR 27023 | 2015 |
ISO/IEC 27031 | 2011* |
ISO/IEC 27032 | 2012* |
ISO/IEC 27033-1 | 2015* |
ISO/IEC 27033-2 | 2012 |
ISO/IEC 27033-3 | 2010 |
ISO/IEC 27033-4 | 2014* |
ISO/IEC 27033-5 | 2013 |
