ISO 27000 certification in a nutshell:
The ISO 27001 standard was developed by the ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission).
This standard is addressed to companies of all types and sizes worldwide. That makes it much harder to understand and successfully apply these standards within your own company: all of the documentation is quite "high level", because the authors have to consider the "big picture" (all companies, of all sizes, across the whole world).
The standard describes methods and approaches for applying a management system to manage information security. This is documented as an Information Security Management System (ISMS).
The ISO 27000 standard describes how to apply such an ISMS, and it describes specific goals or requirements which need to be applied to follow the ISO 27000 standard.
The ISO 27000 standard contains the following "sub" standards:
ISO 27000 – gives you an overview and a description of the vocabulary
ISO 27001 – gives you some basic principles on how to apply the ISO 27000 standard and a list of requirements
ISO 27002 – gives you additional information and examples to actually apply or achieve the requirements
ISO 27003 – contains guidance on how to implement an ISMS
ISO 27004 – describes the measurement of an ISMS
ISO 27005 – describes information security risk management
ISO 27006 – Requirements for Auditors
ISO 27008 – Guidelines for Auditors
ISO 27010 – Guidelines for communications
ISO 27011 – Guidelines for telecommunications organisations
ISO 27013 – Guidelines on integrated implementation of ISO 27001 and ISO 20000
ISO 27014 – Governance of information security
If you want to get familiar with ISO 27000, you should start by reading ISO 27001. The first part of ISO 27001 gives you a quick overview and contains some principles for applying the ISO 27000 standards. Appendix A contains a full list of all requirements (114 requirements in 13 different topics (ISO 27001 version 2013)) which need to be applied to actually "work" according to the ISO 27000 standard.
If you are struggling to understand the requirements, you should consult ISO 27002; it contains additional guidance and specific examples on how to apply the requirements.
When applying an ISMS in your company, you should also consult ISO 27003. After applying the ISMS and the requirements, it will be necessary to measure the application of the requirements; at this point you should consult ISO 27004. As soon as you are measuring the application of the requirements, you need to implement risk management for information security; at that point ISO 27005 will guide you.