ISO 27000
Information technology – Security techniques – Information security management systems – Overview and vocabulary (Edition 5 – 2018)
Abstract
“ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. [ISO/IEC 27000] is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in [ISO/IEC 27000]: cover commonly used terms and definitions in the ISMS family of standards; do not cover all terms and definitions applied within the ISMS family of standards; and do not limit the ISMS family of standards in defining new terms for use.”
[Source: ISO/IEC 27000:2018]
Introduction
The ISO/IEC 27000 series is an internationally recognized family of standards that helps organizations establish, operate, maintain and continually improve an Information Security Management System (ISMS). The standards are intended to protect sensitive information, manage information security risk, support regulatory and contractual compliance, and build trust with customers and other stakeholders. ISO/IEC 27000 itself is an overview and vocabulary document; an organization whose ISMS conforms to ISO/IEC 27001 (the certifiable requirements standard in the family) can demonstrate a structured, risk-based approach to information security that is aligned with internationally accepted practice.
Scope of ISO 27000
The ISO/IEC 27000 family covers the main aspects of managing information security. It gives organizations of all sizes and sectors a basis for managing security risk, protecting information assets and implementing controls that can be shown to work. The standards address the confidentiality, integrity and availability of information (ISO/IEC 27000 defines information security as the preservation of these three properties) and apply consistent security requirements to how information is handled, stored and processed. Organizations that adopt the family gain a structured means of identifying weaknesses in their security arrangements and treating threats in a systematic, risk-based way.

Structure of the Standard
The ISO/IEC 27000 series is structured to support organizations at every stage of information security management. Key standards include:
- ISO/IEC 27001 – Requirements for establishing, implementing, maintaining and continually improving an ISMS; the standard against which an ISMS is certified.
- ISO/IEC 27002 – Information security controls (guidance on selecting and implementing controls; earlier editions were titled "Code of practice for information security controls").
- ISO/IEC 27005 – Guidance on managing information security risks.
- Other specialized standards, for example ISO/IEC 27017 and ISO/IEC 27018 for cloud services, ISO/IEC 27701 for privacy information management, and ISO/IEC 27007 for auditing an ISMS.
This layered structure ensures that organizations can adopt the standards according to their specific needs while maintaining a unified approach to information security.
Status
The first edition of ISO/IEC 27000 was published in 2009.
It was updated in 2012, 2014, 2016, and 2018.
The current fifth edition (2018) is available from ISO. It is a minor revision of the 2016 fourth edition: it added a section on abbreviations and rationalized the metrics-related definitions following the 2016 rewrite of ISO/IEC 27004.
The sixth edition of ISO/IEC 27000 is currently a work-in-progress. In accordance with ISO directives, the current edition’s vocabulary will be moved to an annex containing a “definition and explanation of commonly used terms in the ISO/IEC 27000 family of standards”—specifically, the glossary will apply to ISO27k standards under ISO/IEC JTC 1/SC 27/WG 1 (ISO/IEC 27001 to ISO/IEC 27011, ISO/IEC 27013, ISO/IEC 27014, ISO/IEC 27016, ISO/IEC 27017, ISO/IEC 27019, ISO/IEC 27021 to ISO/IEC 27024, ISO/IEC 27028, and ISO/IEC 27029). Terms will be grouped conceptually in the annex rather than alphabetically, while specialist terms used in ISO/IEC 27000 itself are still defined in clause 3.
The upcoming sixth edition will be significantly shorter, reducing the page count by approximately half.
Publication of the sixth edition is expected by 2026, possibly sooner. At the time of writing it is at the Draft International Standard (DIS) stage and has been submitted to the ISO secretariat for processing. The title will become: “Information security, cybersecurity and privacy protection — Information security management systems — Overview.”
Insights
Adopting the ISO/IEC 27000 family brings clear benefits: more disciplined risk management, evidence of regulatory and contractual compliance, and a stronger reputation with customers and partners. Organizations should also weigh the costs: the resources an ISMS consumes, the training staff need, and the effort of integrating ISMS processes with the processes already in place. Getting real value from the standards and keeping the ISMS effective over time requires competent guidance, regular internal audits, and continual monitoring and review.