ISO 27000

What is ISO 27000?

The international standard series ISO 27000 is a management system for information and cyber security. It is based on a risk analysis adapted to the business, and the security work follows a clearly defined process. Applying the standards in this series makes the security work within an organization easier and improves the possibilities of assessing and revising security in a uniform manner.

ISO stands for International Organization for Standardization. It works with industrial and commercial standardization and was founded in 1947. ISO has over 160 national standardization institutes as members.

Why Standardize?

A standard is a common way of solving a common problem. It is a way to achieve transparency and avoid misunderstandings. You save energy by not having to think of everything yourself; instead, you can lean on something that has been proven. Standards are developed and verified by leading experts around the world. For an organization, there are several advantages to using established standards as a basis for selecting and implementing security measures:

  • It utilizes accumulated knowledge

  • A generally known quality stamp

  • Benefits of collaborating with others

  • Facilitates procurements and requirements for external partners

ISO 27000 - Management system for information security

This document is an introduction to and overview of the 27000 series, including, among other things, explanations of terminology. The management system advocates a systematic approach and can be applied within all organizations regardless of size, industry and operations. Implementing a security system according to the ISO 27000 series means applying security measures based on risk management so that the organization's assets are well protected.

ISO 27000 requires that you set security goals, identify the risks and manage the risks found. The scope of the security system is defined by what is to be protected, which is decided by the organization itself together with the regulations and agreements that apply to it. The organization's management has the main responsibility and must be involved and engaged in all of the management system's processes. The systematic management work according to ISO 27000 is followed by two standards that contain concrete security-enhancing measures. They are called ISO 27001 and ISO 27002 and are the two main standards below ISO 27000.

ISO 27001 - Management system for information security - requirements

This standard specifies the requirements for an information security management system (LIS). By implementing the requirements standard ISO 27001, you equip your company to actively manage and continually improve the organization's information security. This standard contains the basic requirements that an organization can certify itself against.

To achieve the security objectives, ISO 27001 requires a detailed security plan that has been reviewed and updated, and whose results are monitored and documented. This is the best evidence of compliance in an audit of information security.

Annex A of ISO 27001 contains 35 objectives and 114 controls (measures).

These security measures provide good support for protecting the organization's information assets. How they can be introduced is described in ISO 27002.

ISO 27002 - Guidelines for information security management

ISO 27002 provides guidance for the implementation of the security measures in Annex A of ISO 27001.

The descriptions of objectives and controls in Annex A are rather vague. Therefore, ISO 27002 exists with more detailed descriptions of the objectives and controls and of how these are implemented.

In addition to ISO 27000 - ISO 27002, the ISO 27000 series contains a large number of supporting standards for various applications of security measures.

For more information on the ISO 27000 series, please refer to:

International Organization for Standardization www.iso.org

Do you need help complying with ISO-27000 or any other standard? Contact Us!