OSE 043 - Block 2 - Unit 2

The document discusses the ISO/IEC 27000 family of standards for information security management systems (ISMS). It describes how the standards enable organizations to develop an ISMS framework to manage security of information assets and prepare for independent assessment. The standards are developed by ISO/IEC JTC 1 SC 27 and provide requirements, guidelines, and sector-specific guidance for establishing, implementing, maintaining and improving an ISMS. They help organizations protect information assets from threats by implementing appropriate security controls.

UNIT 2 ISO/IEC 27000 FAMILY OF INFORMATION SECURITY
MANAGEMENT SYSTEMS (ISMS) STANDARDS
Structure
2.0 Introduction
2.1 Objectives
2.2 General form of Information Security Management
2.3 An Introduction to Information Security Management Systems (ISMS)
2.3.1 Risk Management: A Brief Description
2.3.2 Plan – Do – Check – Act (PDCA) Process/Approach
2.3.3 Development of an ISMS Framework
2.4 ISO/IEC Information Security Management Systems Family of Standards
2.4.1 Relationship Between Various ISMS Family of Standards
2.4.2 Standards Describing an Overview and Terminology
2.4.3 Standards Specifying Requirements: (ISO/IEC 27001 and ISO/IEC 27006)
2.4.4 Standards Describing General Guidelines: (ISO/IEC 27002, 27003, 27004, 27005 and 27007)
2.4.5 Standards Describing Sector-specific Guidelines: (ISO/IEC 27011 and ISO 27799)
2.4.6 Summary and Conclusion of the ISMS Family of Standards
2.4.7 Benefits of the ISMS Family of Standards
2.5 Let Us Sum Up
2.6 Check Your Progress: The Key

2.0 INTRODUCTION
ISO is the International Organization for Standardization set up at Geneva in 1947.
IEC is the International Electrotechnical Commission set up at Geneva in 1906 to
develop standards for all types of electrotechnologies. ISO and IEC form the
specialized system for worldwide standardization. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC
JTC 1. ISO/IEC JTC 1 SC 27 (a subcommittee of ISO/IEC JTC 1) maintains an
expert committee dedicated to the development of international management
systems standards for information security, otherwise known as the Information
Security Management System (ISMS) family of standards. Fig. 1 shows various
organizations, their relationship and their responsibilities.

Fig. 1: International standards organizations, their relationship and their responsibilities


There is a need for organizations (e.g. commercial enterprises, government agencies,
non-profit organizations) to protect information assets, such as financial
information, intellectual property and employee details or information entrusted to
them by customers or third parties. Therefore, organizations have to develop
and implement a framework for:
• managing the security of their information assets and
• preparing for an independent assessment of their ISMS applied to the protection
of information.
Fig. 2 shows how the ISMS family of standards enables organizations to develop
and implement a framework for managing the security of their information assets
and to prepare for an independent assessment of their ISMS applied to the protection
of information.

Fig. 2: Usefulness of ISMS Family of Standards to the Organizations

2.1 OBJECTIVES
After studying this unit, you should be able to:
• understand the concepts of information security management and management
systems;
• understand the fundamental concepts of information security management
systems (ISMS);
• understand the embedded hierarchy of risk assessment and risk management;
• understand the Plan-Do-Check-Act (PDCA) process approach for ISMS;
• list the steps involved in the development of an ISMS framework;
• understand the scope and purpose of the International Standards in the ISMS
family;
• understand the inter-relation between the standards of the ISMS family; and
• understand the benefits of the standards of the ISMS family.

2.2 GENERAL FORM OF INFORMATION SECURITY
MANAGEMENT
Note: A control is a means of managing risk, including policies, procedures,
guidelines, practices or organizational structures, which can be administrative,
technical, management or legal in nature.
The idea of this section is to take a look and get a feel of what the following terms
are:
• Information
• Information security (using controls)
• Information security management
• Management system
Information: is an asset that, like other important business assets, is essential to
an organization’s business and consequently needs to be suitably protected.
Information can be stored in many forms, including:
• digital form (e.g. data files stored on electronic or optical media),
• material form (e.g. on paper) and
• in the form of knowledge of the employees.
Information may be transmitted by various means including:
• courier,
• electronic or
• verbal communication.
Organizations of all types and sizes (e.g. commercial enterprises, government
agencies, non-profit organizations):
• collect, process, store and transmit large amounts of information;
• recognize that information and related processes, systems, networks and people
are important assets for achieving organization objectives;
• face a range of risks that may affect the functioning of assets; and
• modify risks by implementing information security controls.
Note: An asset is defined as “anything that has value to the organization”.
Whatever form information takes, and whatever the means by which it is
transmitted, held and processed by an organization, it is subject to threats of attack,
error, nature (for example, flood or fire) etc. and is subject to vulnerabilities inherent
in its use. It always needs appropriate protection. Fig. 3 below shows how
vulnerabilities lead to risks due to threats from attackers. It also shows a security
layer shielding the information asset, characterized by confidentiality, integrity
and availability. The security layer modifies risks (reduces or transfers them) by
implementing information security controls.
Information security: is defined as the preservation of confidentiality, integrity
and availability of information, i.e. information security is responsible for enabling
accurate and complete information to be available in a timely manner to those
with an authorized need, and is a catalyst for business efficiency.
Note: Information may be the data on CD/paper, or the knowledge of the employees.
Confidentiality: is the property that information is not made available or disclosed
to unauthorized individuals, entities or processes.
Integrity: is the property of protecting the accuracy and completeness of
information.
Availability: is ensuring that authorized users have access to the information
when required.
Process: is a set of interrelated or interacting activities which transforms inputs
into outputs.


Fig. 3: Security Layer protects Information from attacks

Protecting information assets effectively through:
• defining information security;
• achieving information security;
• maintaining information security; and
• improving information security
is essential to enable an organization to achieve its objectives and to
maintain and enhance its legal compliance and image.
Information security management: These coordinated activities directing the
implementation of suitable controls and treating unacceptable information security
risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change depending
on shifting circumstances, organizations need to:
• monitor and evaluate the effectiveness of implemented controls and procedures;
• identify emerging risks to be treated; and
• select, implement and improve appropriate controls as needed.
Management system: To interrelate and coordinate such information security
activities, each organization needs to establish its policy and objectives for
information security and achieve those objectives effectively by using a management
system.
Check Your Progress 1
Notes: a) Space is given below for writing your answers.
b) Compare your answers with the one given at the end of this Unit.
1) Name the committee which develops the ISMS family of standards and explain
how this committee is related to ISO/IEC.
.............................................................................................................................
2) Explain how organizations can make use of the ISMS family of standards.
.............................................................................................................................
3) How does information differ from an asset?
.............................................................................................................................
4) Explain how the security layer protects information from attacks.
.............................................................................................................................
5) Why does an organization need security?
.............................................................................................................................
6) Explain how information security management differs from a security
management system.
.............................................................................................................................

2.3 AN INTRODUCTION TO INFORMATION
SECURITY MANAGEMENT SYSTEMS (ISMS)
An ISMS is a documented system certifying that:
• information assets in your company are described and secured,
• information security risks are managed and mitigated,
• security policies together with their ownerships and guarantees are in place,
and
• adherence to security measures is inspected periodically.
An ISMS (Information Security Management System) is defined as a management
system which provides a model for:
• establishing,
• implementing,
• operating,
• monitoring,
• reviewing,
• maintaining and
• improving
the protection of information assets to achieve business objectives based upon:
• a risk assessment; and
• the organization’s risk acceptance levels
designed to effectively treat and manage risks.
As per the definition of the ISMS mentioned above, it consists of two parts, namely:
1) provision of a model for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving the protection of information assets (the
PDCA model); and
2) the basis of this information protection model, which should be “risk management”.
A clear definition and understanding of the concepts of risk management is a
prerequisite for developing and implementing a framework for managing the
security of information assets and for preparing for an independent assessment
of an ISMS applied to the protection of information.
Along with the knowledge of risk management, a clear understanding of the
concepts of the Plan - Do - Check - Act (PDCA) process/approach is also a prerequisite
for developing and implementing a framework for managing the security of
information assets and for preparing for an independent assessment of an ISMS
applied to the protection of information.
Note: A process is any activity that transforms inputs into outputs using a set of
interrelated or interacting activities; making use of resources, it needs to be managed.
In the next sub-sections we will take a look at the two important pre-requisites of
an ISMS, namely:
• Risk Management and
• Plan – Do – Check – Act (PDCA) process/approach


2.3.1 Risk Management: A Brief Description
Fig. 4 shows the various terms involved in the definition of risk management.
It shows that risk management depends on: risk assessment, risk treatment, risk
acceptance, risk communication, risk monitoring and risk review. Risk assessment
in turn depends upon risk analysis and risk evaluation. Risk analysis depends upon
risk estimation. Finally, risk evaluation depends upon risk estimation and risk
criteria. All these terms are defined in Table 1. The table also contains other
important terms and definitions related to risk management.

Fig. 4: Risk Management: a comprehensive understanding of its embedded hierarchy


Table-1: Important terms and definitions related to risk management
Risk is a combination of the probability of an event and its consequence.
Risk management is coordinated activities to direct and control an organization
with regard to risk.
Risk management generally includes risk assessment, risk treatment, risk
acceptance, risk communication, risk monitoring and risk review.
Risk assessment is the process of risk analysis and risk evaluation.
Risk treatment is the process of selection and implementation of measures to
modify risk.
Risk acceptance is the decision to accept a risk.
Risk communication is the exchange or sharing of information about risk
between the decision-maker and other stakeholders.
Risk analysis is the systematic use of information to identify sources and to estimate
risk.
Risk evaluation is the process of comparing the estimated risk against given
risk criteria to determine the significance of the risk.
Risk estimation is an activity to assign values to the probability and
consequences of a risk.
Risk criteria are a reference standard by which the significance of risk is
assessed.
Residual risk is the risk remaining after risk treatment.

2.3.2 Plan – Do – Check – Act (PDCA) Process/Approach


Fig. 5 below illustrates the process approach for the ISMS presented in the
ISMS family of standards. This approach is based on the operating principle adopted
in ISO’s management system standards, commonly known as the Plan – Do –
Check – Act (PDCA) process/approach. It takes as input the information security
requirements and expectations of the organization and, through the necessary actions
and processes, produces information security outcomes that meet those requirements
and expectations.
The PDCA approach shown in Fig. 5 is a schematic representation of a continuous
process that is used when implementing an ISO/IEC compliant Information Security
Management System (ISMS). PDCA signifies the importance of a continuous
process resulting in continuous improvement.
The PDCA process approach:
• understands the organization’s information security requirements and the need to
establish policy;
• implements and operates controls to manage risk, in the context of business risk;
• monitors and reviews; and
• incorporates continuous feedback and continuous improvement activities.

Fig. 5: PDCA process model applied to ISMS process
Phase-1: The Plan phase is about establishing the ISMS, i.e. designing the ISMS,
assessing information security risks and selecting appropriate controls.
To establish the ISMS, the organization shall do the following:
• Define the scope and boundaries of the ISMS.
• Define an ISMS policy in terms of the characteristics of the business, the
organization, its location, assets and technology.
• Define the risk assessment approach of the organization.
• Identify, analyse and evaluate the risks.
• Identify and evaluate options for the treatment of risks.
• Select control objectives and controls for the treatment of risks.
• Obtain management approval of the proposed residual risks.
• Obtain management authorization to implement and operate the ISMS.
• Prepare a Statement of Applicability. (The Statement of Applicability provides
a summary of decisions concerning risk treatment.)
Phase-2: The Do phase involves implementing and operating the controls, i.e. doing
what was planned.
To implement and operate the ISMS, the organization shall do the following:
• Formulate a risk treatment plan for managing information security risks.
• Implement the risk treatment plan in order to achieve the identified control
objectives.
• Implement the controls selected to meet the control objectives.
• Define how to measure the effectiveness of the selected controls and specify
how these measurements are to be used to assess their effectiveness.
• Implement training and awareness programmes.
• Manage operation of the ISMS.
• Manage resources for the ISMS.
• Implement procedures and other controls capable of detecting security events
and responding to security incidents.
Note: A risk treatment plan is the process of selection and implementation of
measures to modify the risk.
Phase-3: The Check phase is about monitoring and reviewing the ISMS, i.e. measuring
the extent to which achievements meet planned objectives.
To monitor and review the ISMS, the organization shall do the following:
• Execute monitoring procedures to:
  – detect errors in the results of processing;
  – identify attempted and successful security breaches and incidents.
• Undertake regular reviews of the effectiveness of the ISMS.
• Review risk assessments at planned intervals.
• Measure the effectiveness of controls to verify that security requirements have
been met.
• Conduct internal ISMS audits at planned intervals.
• Update security plans to take into account the findings of monitoring and
reviewing activities.
• Record actions and events that could have an impact on the effectiveness or
performance of the ISMS.
Phase-4: The Act phase is about maintaining and improving the ISMS, i.e. changes
are made where necessary to bring the ISMS back to peak performance. It enables
the organization to learn from its mistakes and improve activities to achieve better
results.
To maintain and improve the ISMS, the organization shall regularly do the
following:
• Implement the identified improvements in the ISMS.
• Take appropriate corrective and preventive actions. Apply the lessons learnt from the
security.
• Communicate the actions and improvements to all interested parties.
• Ensure that the improvements achieve their intended objectives.

2.3.3 Development of an ISMS Framework

Fig. 6: The 6-step ISMS framework development process

The Plan-Do-Check-Act approach mentioned above describes how the organization takes
information security requirements and expectations as input and produces information
security outcomes that meet those requirements and expectations. The following 6-step ISMS
framework development process describes what the organization needs to do
to live up to the standard.
As shown in Fig. 6, the development of an ISMS framework entails the following
6 steps:
1) Definition of Security Policy,
2) Definition of ISMS Scope,
3) Risk Assessment (as part of Risk Management),
4) Risk Management,
5) Selection of Appropriate Controls and
6) Statement of Applicability.
In order to establish, monitor, maintain and improve its ISMS, an organization
needs to undertake the above mentioned steps repeatedly.
Step-1: Define an information security policy
First, you have to set the objective of your effort. An information security policy
statement expresses management's commitment to the implementation,
maintenance and improvement of its information security management system.
Step-2: Define the scope of the information security management system
In this step, you define who the players and the tools in the game are that deal
with your security policy. This will define which part(s) of the organization will
be covered by the ISMS.
Step-3: Perform a security risk assessment
Once you know what you want and what the tools and players are, you need to do
some testing and find all the vulnerabilities in your system. Look at the risks that
might cause problems to your processes.
Step-4: Manage the identified risk
After finding all security breaches, threats and vulnerabilities, you have to decide
how to handle the risk. This includes defining the process owners and the values
of your processes. Develop a risk treatment plan.
Step-5: Select controls to be implemented and applied
Knowing how to handle risk factors, you have to find out what to do to eliminate
your security holes and vulnerabilities. A part of this process will be the selection of
appropriate controls with respect to those outlined in the standard (and ISO 27002).
Conducting training and awareness programmes should be taken into consideration.
Step-6: Prepare a Statement of Applicability (SoA)
• The Statement of Applicability describes the processes, their values and how
you avoid possible risks.
• The justification for each decision is recorded in the Statement of Applicability.
• The Statement of Applicability contains:
  – the selected control objectives and controls and the reasons for their
selection;
  – all currently implemented controls; and
  – any exclusion of control objectives or controls and the reason for the
exclusion.
Note: The ISMS is a recurring process as a whole and all the steps mentioned
above should be continuously repeated to ensure the ISMS is effectively protecting
the organization’s information assets on an ongoing basis. It should be noted that
steps 3, 4, 5 and 6 recur more frequently than steps 1 and 2. Since the establishment
of a security policy and the definition of the ISMS scope are more often
management and strategic issues, steps 1 and 2 recur on a longer cycle (relatively
less frequently).
Check Your Progress 2
Note: a) Space is given below for writing your answers.
b) Compare your answers with the one given at the end of this Unit.
1) Define Information Security Management System.
.............................................................................................................................
2) What is meant by risk management?
.............................................................................................................................
3) With a neat diagram, explain the concepts of the Plan – Do – Check – Act
(PDCA) process.
.............................................................................................................................
4) What are the steps involved in the development of an ISMS framework?
.............................................................................................................................

2.4 ISO/IEC INFORMATION SECURITY
MANAGEMENT SYSTEMS FAMILY OF
STANDARDS
A family of ISO/IEC Information Security Management System (ISMS) standards,
also known as the “ISO/IEC 27000 series”, is a set of policies concerned with information
security management, risks and controls within the context of an overall
Information Security Management System (ISMS). The ISMS family of standards
is intended to assist organizations of all types and sizes to implement and operate
an ISMS.
The ISO 27000 series on information security management systems consists of the
following standards:
• ISO/IEC 27000: Information security management systems – Overview and
vocabulary
• ISO/IEC 27001: Information security management systems – Requirements
• ISO/IEC 27002: Code of practice for information security management
• ISO/IEC 27003: Information security management system implementation
guidance
• ISO/IEC 27004: Information security management – Measurement
• ISO/IEC 27005: Information security risk management
• ISO/IEC 27006: Requirements for bodies providing audit and certification of
information security management systems
• ISO/IEC 27007: Guidelines for information security management systems
auditing (focused on the management system)
• ISO/IEC 27011: Information security management guidelines for
telecommunications
• ISO 27799: Information security management in health using ISO/IEC 27002
[standard produced by the Health Informatics group within ISO, independently
of ISO/IEC JTC1/SC27]

2.4.1 Relationship between Various ISMS Family of Standards

The above mentioned ISMS family of standards are interrelated and support each other.
On this basis they are classified into the following 4 categories, as shown in Fig. 7:
i) Standards describing an overview and terminology
ii) Standards specifying requirements for an ISMS and for those certifying such systems
iii) Standards describing general guidelines
iv) Standards describing sector-specific guidelines

Fig. 7: The Relationship between various ISMS Family of Standards


2.4.2 Standards Describing an Overview and Terminology
ISO/IEC 27000
ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security
Management Systems (ISMS) standards. This standard is an international standard
entitled: Information technology – Security techniques – Information security
management systems – Overview and vocabulary.
The standard was developed by sub-committee 27 (SC27) of the first Joint Technical
Committee (JTC1) of the International Organization for Standardization and the
International Electrotechnical Commission.
ISO/IEC 27000 provides:
• an overview of information security management systems, which form the
subject of the ISMS family of standards, and defines related terms;
• a brief description of the Plan-Do-Check-Act (PDCA) process;
• an overview and an introduction to the entire ISO/IEC 27000 family of
Information Security Management Systems (ISMS) standards; and
• a glossary or vocabulary of fundamental terms and definitions used throughout
the ISO/IEC 27000 family.
The target audience is users of the remaining ISO/IEC 27000-series information
security management standards.

2.4.3 Standards Specifying Requirements: (ISO/IEC 27001 and
ISO/IEC 27006)
ISO/IEC 27001
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an
Information Security Management System (ISMS) standard published in October
2005 by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC). Its full name is ISO/IEC
27001:2005 – Information technology – Security techniques – Information security
management systems – Requirements.
ISO/IEC 27001 provides:
• the requirements for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving formalized information security
management systems (ISMS) within the context of the organization’s overall
business risks; and
• a set of controls for the risks associated with the information assets which the
organization seeks to protect by operating its ISMS.
This International Standard is universal for all types of organizations (e.g.
commercial enterprises, government agencies, non-profit organizations).
Organizations operating an ISMS may have their conformity audited and certified.
ISO/IEC 27006
ISO/IEC 27006, part of a growing family of ISO/IEC Information Security
Management System (ISMS) standards, the ‘ISO/IEC 27000 series’, is an
information security standard published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). It
is entitled Information technology – Security techniques – Requirements for bodies
providing audit and certification of information security management systems.
The purpose of ISO/IEC 27006 is to provide:
• formal requirements for accredited organizations which certify other
organizations as compliant with ISO/IEC 27001;
• guidelines for the accreditation of bodies operating certification/registration
of Information Security Management Systems;
• assurance that ISO/IEC 27001 certificates issued by accredited organizations
are meaningful and trustworthy; in other words, it is a matter of assurance;
• general requirements – guidance on ‘impartiality’;
• resource requirements – management competence, subcontracting etc.;
• information requirements – guidance on certification issues; and
• process requirements – guidance on ISMS audits.

2.4.4 Standards Describing General Guidelines: (ISO/IEC 27002, 27003, 27004, 27005 and 27007)
ISO/IEC 27002
ISO/IEC 27002 is an information security standard published by the International
Organization for Standardization (ISO) and by the International Electrotechnical
Commission (IEC), entitled Information technology – Security techniques – Code
of practice for information security management.
Fig. 8: ISO/IEC 27002 consists of twelve categories of security controls: Risk assessment; Security policy; Organization of information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.

ISO/IEC 27002 provides:
• best practice recommendations (information security controls) on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
• twelve main sections; within each section, information security controls and their objectives are specified and outlined.
The twelve sections are as shown in Fig. 8:
• Risk assessment – describes risk analysis and risk evaluation;
• Security policy – management direction;
• Organization of information security – governance of information security;
• Asset management – inventory and classification of information assets;
• Human resources security – security aspects for employees joining, moving and leaving an organization;
• Physical and environmental security – protection of the computer facilities;
• Communications and operations management – management of technical security controls in systems and networks;
• Access control – restriction of access rights to networks, systems, applications, functions and data;
• Information systems acquisition, development and maintenance – building security into applications;
• Business continuity management – protecting, maintaining and recovering business-critical processes and systems;
• Compliance – ensuring conformance with information security policies, standards, laws and regulations.
Note: For each of the controls, implementation guidance is provided. It is not
mandatory to implement all the controls.
ISO/IEC 27003
ISO/IEC 27003, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard published by the International
Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC). Its title is Information Technology – Security techniques –
Information security management system implementation guidance.
The purpose of ISO/IEC 27003 is to provide:
• help and guidance in implementing an ISMS;
• implementation details of PDCA;
• identification of assets;
• threat identification;
• risk assessment/risk treatment;
• analysis and improvement of controls;
• detailed descriptions of each process;
• an annex with real-world examples.
The standard contains the following sections:
• Introduction
• Scope
• Terms & Definitions
• Structure of this Standard
• Obtaining Management Approval for Initiating the Project to Implement an ISMS
• Defining ISMS Scope and ISMS Policy
• Conducting Organization Analysis
• Conducting Risk Assessment and Risk Treatment Planning
• Designing the ISMS
ISO/IEC 27004
ISO/IEC 27004:2009, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is Information technology – Security techniques – Information security management – Measurement.
The purpose of ISO/IEC 27004 is to:
• help organizations measure, report and hence systematically improve the effectiveness of their ISMS;
• show how to measure the processes and controls (performance targets; what to measure; how to measure; when to measure).
The objectives are to:
• evaluate the effectiveness of information security controls and objectives;
• evaluate the effectiveness of the ISMS (sustainability);
• provide information security indicators to assist management review;
• facilitate improvement of information security;
• provide input for information security audits;
• communicate the effectiveness of information security management;
• provide input into the risk management process;
• provide output for internal comparison and benchmarking.
The standard includes the following main sections:
• Information security measurement overview;
• Management responsibilities;
• Measures and measurement development;
• Measurement operation;
• Data analysis and measurement results reporting;
• Information Security Measurement Program evaluation and improvement.
ISO/IEC 27005
ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is ISO/IEC 27005:2008 Information technology – Security techniques – Information security risk management.
The purpose of ISO/IEC 27005 is:
• to provide guidelines for information security risk management.
• It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
• It does not specify, recommend or even name any specific risk analysis method, although it does specify a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan.
• Information security risk assessment.
• Risk analysis (identification of assets, threats and vulnerabilities).
• Information security risk treatment.
ISO/IEC 27007
Information technology – Security techniques – Guidelines for information security
management systems auditing
The purpose of ISO/IEC 27007 is to provide:
• guidance on conducting ISMS audits;
• guidance on the competence of information security management system auditors;
• guidance to organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit programme against the requirements specified in ISO/IEC 27001.

2.4.5 Standards Describing Sector-specific Guidelines: (ISO/IEC 27011 and ISO 27799)
ISO/IEC 27011
ISO/IEC 27011: Information technology – Security techniques – Information
security management guidelines for telecommunications organizations based on
ISO/IEC 27002
The purpose of ISO/IEC 27011 is to provide:
• guidelines supporting the implementation of Information Security Management (ISM) in telecommunications organizations;
• guidelines specific to the telecommunications industry sector, adapting ISO/IEC 27002;
• guidance towards fulfilling the requirements of ISO/IEC 27001, Annex A.
ISO 27799
ISO 27799: Health informatics – Information security management in health using
ISO/IEC 27002
The purpose of ISO 27799 is to provide:
• guidelines supporting the implementation of Information Security Management (ISM) in health organizations;
• guidelines specific to health organizations, adapting ISO/IEC 27002;
• guidance towards fulfilling the requirements of ISO/IEC 27001, Annex A.

2.4.6 Summary and Conclusion of the ISMS Family of Standards
The PDCA process-based international standards mentioned in the previous section help organizations to develop, implement, operate and certify an ISMS. ISMS requirements are specified in ISO/IEC 27001, which forms the core standard, while all other standards directly or indirectly support it. ISO/IEC 27001 provides the details needed for all four phases of the PDCA process, namely: Plan (establishing and implementing), Do (implementing and operating), Check (monitoring and reviewing) and Act (maintaining and improving). The details needed for risk management, such as an understanding of information asset protection requirements, are achieved through the application of ISO/IEC 27005, which is concerned with information security risk management. The controls specified in ISO/IEC 27002 are acknowledged as best practices applicable to most organizations and are readily tailored to accommodate organizations of various sizes and complexities. Controls may be selected from ISO/IEC 27002 or from other relevant control sets, or new controls may be designed to meet specific needs as appropriate. Other standards in the ISMS family provide guidance on the selection and application of ISO/IEC 27002 information security controls for the management system (ISO/IEC 27001). The standards ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005 provide the details needed for all six steps of the development of an ISMS framework shown in Fig. 6. Apart from these, ISO/IEC 27003 helps in the implementation of an ISMS, ISO/IEC 27007 provides auditing guidelines, and ISO/IEC 27006 provides the requirements for certification bodies that certify ISMSs.

2.4.7 Benefits of the ISMS Family of Standards
Reduction in information security risks is the major benefit of implementing an ISMS, and it results in many other derived benefits. Benefits realised from the adoption of the ISMS family of standards include:
• support for the process of specifying, implementing, operating and maintaining an ISMS that meets the organization’s needs across different operations and sites;
• assistance for management in structuring their approach towards information security management;
• promotion of globally accepted good information security practices in a non-prescriptive manner;
• provision of a common language and conceptual basis for information security, making it easier to place confidence in business partners with a compliant ISMS.
Check Your Progress 3
Note: a) Space is given below for writing your answers.
b) Compare your answers with the one given at the end of this Unit.
1) List the standards in ISO 27000 series on Information security management
systems.
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
2) What are the 4-categories of ISMS family of standards?
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................

.............................................................................................................................
3) Explain the relationship between the various ISMS family of standards with a suitable diagram.
.............................................................................................................................

.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
4) What are the various benefits of the ISMS family of standards?
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................

2.5 LET US SUM UP
Organizations of all kinds (e.g. commercial enterprises, government agencies, non-profit organizations) need to protect information assets such as financial information, intellectual property and employee details, as well as information entrusted to them by customers or third parties. Therefore, organizations have to develop and implement a framework for managing the security of their information assets. This unit focuses on ISO and IEC, which together form the specialized system for worldwide standardization in the field of information technology.

2.6 CHECK YOUR PROGRESS: THE KEY
Check Your Progress 1
1) Refer to Section 2.0 and explain Fig. 1: International standards organizations,
their relationship and their responsibilities.
2) Refer to Section 2.0 and explain Fig. 2: Usefulness of ISMS Family of
Standards to the Organizations
3) Information is one form of asset.
4) Refer to Fig. 3: Security Layer protects Information from attacks, in Section
2.2
5) An organization needs security to achieve its objectives and maintain and
enhance its legal compliance and image.
6) Refer to the definitions in the last part of Section 2.2
Check Your Progress 2
1) Refer to the definitions in the first part of Section 2.3
2) Refer to Sub-section 2.3.1
3) Refer to Sub-section 2.3.2
4) Refer to Sub-section 2.3.3
Check Your Progress 3
1) Refer to Section 2.4
2) Refer to Sub-section 2.4.1
3) Refer to Fig. 7 in Sub-section 2.4.1
4) Refer to Sub-section 2.4.7
