4.2 Series of Standards ISO 2700x

What Is the ISO?

Important ISO Standards for Information Security

Naming conventions for ISO/IEC standards
Example:

  • ISO/IEC 27000-1:2018, which means it is a standard with multiple parts and was published or revised in 2018
  • Short form of name: ISO/IEC 27017:2015, for example, would generally be called “ISO 27017”

ISO/IEC 20000-1:2018—Service management
This standard outlines requirements for running IT services (service management, which includes planning, delivery, service improvement and response to service failures).

  • is quite similar to ISO 27001 but ISO 20000 doesn't completely cover

ISO/IEC 27001:2013—Information security management systems (the most important)

  • essential for an ISMS
  • it focuses on the establishment, implementation, execution, monitoring, inspection, maintenance, and improvement of an ISMS
  • understanding requirements for an IT security organization
  • defining a guideline and goals for IT security
  • cyber security risk management and its integration with the organization’s general business risk
  • monitoring and reviewing ISMS performance and effectiveness
  • objectively measuring continuous improvement of the ISMS

ISO/IEC 22301:2019—Security and resilience

  • The standard for business continuity management (BCM); it establishes requirements for BCM systems in institutions.

ISO/IEC 27002:2013—Information security controls

  • ISO 27002 is a supplementary guideline for the management of IT security.

ISO/IEC 27003:2017—Information security management system implementation guidance

  • ISO 27003 provides guidance on the implementation of the information security management system (ISMS) as outlined in ISO 27001.

ISO/IEC 27004:2016—Information security management—measurement

  • ISO 27004 provides a framework for the measurement of security program effectiveness.

ISO/IEC 27005:2018—Information security risk management

  • ISO 27005 provides a structure for understanding and evaluating risk within an organization.

ISO/IEC 27006:2015—Requirements for bodies providing audit and certification of information security management systems

  • ISO 27006 is a standard for those entities that intend to provide audit or certification services against the ISO 27001 standard.

ISO/IEC 27007:2020—Guidelines for information security management systems auditing

  • ISO 27007 provides information to assist in the audit of an ISMS.

ISO/IEC 27017:2015—Information security controls based on ISO/IEC 27002 for cloud services

  • This cloud security standard expands the operational and implementation guidance found in ISO/IEC 27002.

ISO/IEC 27018:2019—Protection of personally identifiable information (PII) in public clouds acting as PII processors

  • ISO 27018 is a standard with a specific scope: it deals with the processing of personally identifiable information (PII) by public cloud service providers.

ISO/IEC 27033—Security techniques—network security

  • The ISO 27033 series provides guidance on the secure procurement, maintenance, and operation of networks.

ISO/IEC 27039:2015—Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

  • Both IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are systems that ensure the organization is alerted to behavior that indicates an intruder in the network or on its hosts.