Information technology — Security techniques — Information security management systems — Overview and vocabulary
Regardless of its type and scale, every organization collects, processes, stores, and transmits information. That information, together with the processes, systems, networks, and personnel that handle it, is an asset the organization depends on to achieve its objectives. Information security controls address the risks that could impair these assets. ISO/IEC 27000:2018 gives an overview of the ISMS family of standards, supplies the terms and definitions used across that family, and introduces information security management systems.
What is ISMS?
ISMS stands for Information Security Management System. It consists of the policies, procedures, guidelines, resources, and activities that an organization manages collectively to protect its information assets. Managing information risk effectively requires a risk assessment first, and a clear understanding of the organization's risk tolerance (its criteria for accepting risk). Analysing the requirements for protecting the information assets and applying the controls appropriate to those requirements is what makes an ISMS implementation succeed.
What is Information Security?
Information security is the preservation of three properties of information: confidentiality, integrity, and availability. It involves applying and managing appropriate controls against a wide range of threats so that the business continues to operate and the impact of information security incidents is minimized. Information security is achieved by identifying the information assets to be protected, running a risk management process, and implementing the applicable set of controls, all managed through the ISMS. To ensure that the specific information security and business objectives are met, these controls must be specified, implemented, monitored, reviewed, and improved where necessary.
ISMS family of standards
The ISMS family of standards consists of ISO/IEC 27001, which specifies the requirements for an ISMS; ISO/IEC 27006, which specifies requirements for bodies that audit and certify an ISMS; ISO/IEC 27009, which provides a framework of additional requirements for sector-specific application of ISO/IEC 27001; and guideline standards covering the general ISMS processes, the controls, and sector-specific application. ISO/IEC 27000 describes the type, scope, and purpose of each standard in the family. The table below lists the family as described in ISO/IEC 27000:2018; titles and membership have changed in later editions (for example, ISO/IEC 27002 was revised in 2022 with a new title and a restructured control set), so check the edition in force before relying on a title or number.
ISMS family of standards (ISO/IEC 27000:2018, clauses 5.2 to 5.5)

Type | ISO/IEC | Title
---|---|---
Vocabulary standard (Clause 5.2) | 27000 | Information technology — Security techniques — Information security management systems — Overview and vocabulary
Requirement standards (Clause 5.3) | 27001 | Information technology — Security techniques — Information security management systems — Requirements
Requirement standards (Clause 5.3) | 27006 | Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Requirement standards (Clause 5.3) | 27009 | Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
Guideline standards (Clause 5.4) | 27002 | Information technology — Security techniques — Code of practice for information security controls
Guideline standards (Clause 5.4) | 27003 | Information technology — Security techniques — Information security management systems — Guidance
Guideline standards (Clause 5.4) | 27004 | Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
Guideline standards (Clause 5.4) | 27005 | Information technology — Security techniques — Information security risk management
Guideline standards (Clause 5.4) | 27007 | Information technology — Security techniques — Guidelines for information security management systems auditing
Guideline standards (Clause 5.4) | 27013 | Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
Guideline standards (Clause 5.4) | 27014 | Information technology — Security techniques — Governance of information security
Guideline standards (Clause 5.4) | 27021 | Information technology — Security techniques — Competence requirements for information security management systems professionals
Guideline standards (Clause 5.4) | TR 27008 | Information technology — Security techniques — Guidelines for auditors on information security controls
Guideline standards (Clause 5.4) | TR 27016 | Information technology — Security techniques — Information security management — Organizational economics
Sector-specific guideline standards (Clause 5.5) | 27010 | Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Sector-specific guideline standards (Clause 5.5) | 27011 | Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
Sector-specific guideline standards (Clause 5.5) | 27017 | Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Sector-specific guideline standards (Clause 5.5) | 27018 | Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Sector-specific guideline standards (Clause 5.5) | 27019 | Information technology — Security techniques — Information security controls for the energy utility industry
* Control-specific guideline standards (the ISO/IEC 2703x and 2704x series) are outside the scope of ISO/IEC 27000 and are not listed in the table above.