ISO Standards Explained

ISO/IEC 27001:2022 and ISO/IEC 27002:2022 are a pair of closely linked standards: Annex A of ISO/IEC 27001 lists the same set of controls that ISO/IEC 27002 describes in detail.

ISO/IEC 27001 defines the requirements for an Information Security Management System (ISMS). Its Annex A lists reference controls that may be used to treat the risks associated with the information assets in scope and the processes that interact with them; the organisation records which of these controls apply, and why, in its Statement of Applicability.

ISO/IEC 27002 is a guidance document (a code of practice, not a certifiable standard) that gives implementation detail for each of the controls referenced in Annex A of ISO/IEC 27001.

History

  • 1995  BS7799 – British standard (code of practice) was published
  • 1997  BS7799 was adapted for use in the Netherlands
  • 1999  AS/NZS 4444 – Australia/New Zealand standard was published
  • 1999  BS7799-2 – the certifiable specification for an ISMS was published
  • 2000  BS7799-1 (Code of Practice) was fast-tracked as an ISO standard – ISO/IEC 17799
  • 2005  ISO/IEC 17799 was updated to cover newer technologies, e.g. email and encryption
  • 2005  ISO/IEC 27001 was published as the certifiable ISMS requirements specification (superseding BS7799-2), with Annex A controls aligned to ISO/IEC 17799:2005
  • 2006  ISO/IEC 27006 was published – requirements for bodies that audit and certify an ISMS
  • 2007  ISO/IEC 17799 was renumbered as ISO/IEC 27002:2005 (content unchanged)
  • 2009  ISO/IEC 27000 – ISMS overview and vocabulary was published
  • 2013  ISO/IEC 27001 and ISO/IEC 27002 were updated to adopt the ISO Annex SL high-level structure shared by other management-system standards and to reflect the changing threat landscape
  • 2022  ISO/IEC 27002:2022 was released, reorganising the 114 controls in 14 domains into 93 controls grouped under four themes (organisational, people, physical, technological). ISO/IEC 27001:2022 was updated with a new Annex A to reflect these changes
  • 2024  ISO/IEC 27006:2024 was revised and published to align with modern technologies, such as cloud, and with reduced auditor experience and competence requirements

Some of the published standards in this family include:

  • 27000 – Vocabulary and definitions
  • 27001 – Requirements
  • 27002 – Information security controls
  • 27003 – Implementation guidance
  • 27005 – Information security risk management
  • 27007 – Guidelines for auditing an ISMS
  • 27008 – Guidelines on auditing information security controls
  • 27011 – Guidelines for ISMS for telecommunications organisations
  • 27013 – Integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (IT service management)
  • 27014 – Information Security Governance
  • 27015 – ISMS for financial service organisations
  • 27017 – Information security controls for cloud services, supplementing 27002
  • 27018 – Protection of PII in public clouds
  • 27031 – ICT readiness for business continuity
  • 27701 – Privacy Information Management