The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is a deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
At present, four of the standards in the series are publicly available (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27006) while several more are under development.
ISO/IEC 27000 is scheduled for publication by 2009. Its scope is to specify the fundamental principles, concepts and vocabulary for the ISO/IEC 27000 (information security management system) series of documents.
ISO/IEC 27000 will contain the fundamentals and vocabulary, in other words:
- An overview of the ISO27k standards showing how they are used collectively to plan, implement, certify and operate an ISMS, with a basic introduction to information security, risk management and management systems Carefully-worded definitions for the information security-related terms as they are used throughout the ISO27k standards.
When released, ISO/IEC 27000 will be free of charge since (a) it introduces and promotes ISO27k as a whole; and (b) there is value in spreading an agreed set of definitions as widely as possible to bring some stability to the field of information security.