This section of the ISO27k FAQ addresses the following general/basic questions relating to the ISO/IEC standards:
FAQ: “The titles of the ISO27k standards mention ‘Information Technology -- Security Techniques’. Does this mean they are IT-specific?”
A: No, certainly not! The formal titles simply reflect the name of the joint ISO + IEC committee that oversees their production, namely SC 27 “Information Technology -- Security Techniques”, itself a subcommittee of JTC1 “Information Technology”.
The scope of the ISO27k standards naturally includes many aspects of IT but does not stop there. The introduction to ISO/IEC 27002:2013 states explicitly:
”The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, network and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business and consequently deserve or require protection against various hazards.”
Generally speaking, an organization’s most valuable information assets belong to business units, departments or functions other than IT Department. IT typically owns, manages and is accountable for protecting the shared IT infrastructure (i.e. the main corporate IT systems and networks providing shared IT services to the business) which is a substantial information asset in its own right. However, in information security terms IT typically acts as a custodian (but not owner) for most business data on the systems and networks, including content belonging to other parts of the organization or to suppliers, customers, business partners, sales prospects, stakeholders and other third parties.
This distinction has important implications. Information asset owners are accountable for ensuring that their information assets are adequately protected, just like other corporate assets. While information asset owners generally delegate key responsibilities for information security to Information Security and/or IT, they remain accountable and must ensure that information security is adequately funded, directed and supported to achieve the necessary level of protection. Likewise, Information Security and IT generally act as advisors and custodians with a duty to protect the information/data placed in their care, but they are not ultimately accountable for most information security incidents, breaches and impacts that occur as a result of unwise risk management decisions (such as under-funding security or accepting risks) made by the actual information asset owners.
Implementation tip: when assessing and treating information risks, focus primarily on critical business processes and valuable business information rather than the supporting IT systems and data. The modern approach to corporate governance means that naive or duplicitous business managers can no longer blame and cower behind IT if they make inappropriate decisions or fail to act in order to identify and protect vital information assets. However, they often need help to appreciate and fulfil their security obligations.
FAQ: “Where can I obtain [insert name of ISO27k standard here]?”
A: ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002 and all the other published ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organizations. Shop around for the best deal.
It is worth checking for localized/national versions of the standards. Several national standards bodies release translated versions of the standards in their local languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time.
ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use - handy to make the definitive standards available on your intranet.
Implementation tip: Google!
FAQ: “I want to become an ISO27k consultant. I’m looking for books or courses that teach ISO27k. Is there an exam? ... ”
A: The best reference sources on the ISO27k standards are the standards themselves - in other words, you should buy and read the standards (see above). Being standards, they are quite formal in style but readable and useful. If you are going to implement them, write policies based upon them, consult around them etc. you will inevitably have to become very familiar with them so buy your copies and start reading!
The following ISO27k standards well worth studying:
- ISO/IEC 27000 introduces and gives an overview of the whole set of ISO27k standards, and provides a glossary defining various information security terms specifically as they are used in the context of the standards.
- ISO/IEC 27001 formally specifies the system for managing information security. Along with ISO/IEC 27006, it is essential if you intend to become an ISMS certification auditor by taking a “ISO/IEC 27001 Lead Auditor” training course offered by various training, consultancy and certification companies, and completing the requisite number of compliance audits under the wing of a fully-qualified ISMS certification auditor. If you are looking to implement rather than certify compliance with the standard, you should also study ISO/IEC 27002 (see below) and others.
- ISO/IEC 27002 is the ‘Code of Practice’, a practical standard offering oodles of advice for those choosing/designing and implementing information security controls. The best way to learn ISO/IEC 27002 inside-out is to use it for real, which means going all the way through one or more ISMS implementations from planning to operations, auditing and maintenance. If you have no prior experience in information security, you should try to find an experienced mentor or guide, or take an “ISO/IEC 27001 Lead Implementer” course. Professional organizations such as ISSA, ISF and ISACA can help, along with the ISO27k Forum.
- ISO/IEC 27005 concerns the analysis and treatment of information risks and as such underpins all the ISO27k standards.
You should also be aware of the remaining ISO27k standards and have some familiarity with other similar/related standards, methods, laws etc. (such as PCI DSS, COBIT and various privacy laws).
As to becoming a consultant, you are well advised to start by building a solid technical understanding of governance, risk and control concepts, and establishing your own expertise, experience, competence and hence credibility.
Implementation tip: see the resources page and don’t forget to join the ISO27k Forum. If you are struggling with particular ISMS-related issues, the archive of Forum messages well worth browsing or searching (it’s a Google group so the search function works well), and members can always seek fresh answers to unique, current issues or challenges.
FAQ: “Are there any qualifications for ISO27k professionals?”
A: Kind of. Other than the ISO and national standards bodies’ processes for checking and accrediting organizations who wish to offer ‘official’ compliance certification services, there is currently no equivalent of, say, ISACA or (ISC)2 overseeing the ISO27k courses and qualifications in order to set and maintain professional standards, insist on continuous professional development and so forth. At present there is nothing to stop anyone offering “ISO27k Lead Implementer”-type training courses and issuing certificates like confetti. This unfortunate situation casts doubt on the validity of Lead Implementer certificates in particular, and potentially discredits both the organizations currently offering them and the candidates who obtain them, even though they may be truly excellent. It’s a question of assurance not quality.
There are a number of ISMS-related training courses that hand out certificates of completion but I would not necessarily call them ‘qualifications’ on that basis alone. ‘Designations’ may be a better term. This is still a relatively new field so it will inevitably take time for the training and qualification practices to settle down and for the most worthwhile and meaningful certification schemes to become universally accepted. Meanwhile, read on.
The two most common types of ISMS-related designations are as follows.
ISO/IEC 27001 Lead Auditor (LA)
The term “Lead Auditor” was coined by training schemes that were initially designed and run internally by accredited ISO/IEC 27001 certification bodies in order to train up their own staff to perform certification audits. Subsequently, various public/commercial LA training courses have emerged. There are at least four possible routes to someone calling themselves an ISO/IEC 27001 LA:
- The highway: spend 5 straight days on a suitable officially-recognised training course run by an officially-recognised training body, pass the end of course exam, then undertake a further 35 days of third party certification audits under the guidance of a registered ISO/IEC 27001 LA. This route is preferred by the International Register of Certification Auditors and, in Japan, JRCA. The highway naturally suits students who are employed by the accredited certification bodies, since they can get both the classroom training and on-site experience from their employers.
- The country route: complete some other form of ISMS/audit related training (for example modular courses comprising a day or two’s training on ISMS plus 3 days on auditing), then undertake further ISMS assignments such as internal ISMS audits, ISMS-related consultancy gigs or third party certification audits, and finally pass some form of “on-site skills examination”. The country route may be the best option for students not working for accredited certification bodies, but may not deliver as much assurance.
- The cross-country 4x4 route: become a qualified and experienced information security professional and a qualified and experienced IT audit professional and gain lots of real-world experience of designing, building, implementing, managing, maintaining and advising on ISO27k ISMSs. Most professionals with more than, say, a decade or two’s work experience crossing these three areas have amassed valuable expertise, knowledge and battle scars, having faced many situations in the field. Some of them go on to take the highway or the country route, while others are too busy working for their clients or sharing their expertise with their employers to worry about certificates per se.
- The back alleys: a few students and consultants allegedly don’t bother with the hardship of actual training, exams and/or on-the-job experience, simply adding “ISO/IEC 27001 LA” (or similar) to their CVs and email signatures and carrying on regardless ...
ISO/IEC 27001 or ISO/IEC 27002 Lead Implementer (LI)
In response to market demand for help with implementing the ISO27k standards rather than just auditing ISMSs against ’27001, a number of IT training companies are now offering commercial ISO27k LI courses. These aim to give students some familiarity with the ISO27k standards, and then presumably provide pragmatic guidance on how to apply them to the design and implementation of an ISMS.
As with ISO27k LAs, do not rely on a candidate’s claimed ISO27k LI qualification alone if information security is important to you - and why else would you be employing them? Skills (both technical and social), expertise, competencies and experience all vary from person to person, as does trustworthiness.
Caveat emptor! If you are employing information security professionals on the basis of their competence and integrity, it pays to check carefully into their backgrounds. Verify their claims. See ISO/IEC 27002 section 7.1.1 (screening) for sage advice on this very point.
Note: ISO/IEC 27021 will, when published, lay out the skills and competencies expected of professionals in this field. Subsequently, training providers will hopefully align their course curricula with the standard, hence the course-completion certificates will have more meaning and value.
Implementation tip: in our considered opinion, demonstrable hands-on ISO27k ISMS implementation and audit experience, ideally with more than one organization, is by far the best “qualification” in the field today. Next best would be demonstrable consultancy experience, helping a number of clients design, install and run their ISMSs, preferably again with a considerable amount of hands-on work and not merely advising at a distance. The LA and particularly the LI certifications vary in credibility but nevertheless the courses are a valuable introduction for beginners, although students who already have a reasonable understanding of information security management concepts are more likely to benefit from ISO27k-specific training, general information security and IT audit qualifications such as CISSP, CISM and CISA, and general business management qualifications such as MBAs.
Advice for people who want to become IT auditors in our IT audit FAQ is useful for those planning to become lead auditors and is also relevant to becoming an information security management specialist since the fields are very closely related. Another excellent resource is cccure.org, especially if you are considering becoming CISSP, SSCP or CISM qualified in information security management - these are not specific to ISO27k but give you a sound basis for ISO27k work, particularly the management and implementation of appropriate/good practice information security controls.
FAQ: “Where else can I find answers on ISO27k and information security?”
A: Besides this FAQ and the ISO27k standards themselves, there are several professional/special interest groups and forums (fora?) worth considering, most of which are free or cheap to join:
- ACM SIGSAC (Association for Computing Machinery - Special Interest Group - Security, Audit and Control). Mission: “to develop the information security profession by sponsoring high-quality research conferences and workshops. SIGSAC conferences address all aspects of information and system security, encompassing security technologies, secure systems, security applications, and security policies. Security technologies include access control, assurance, authentication, cryptography, intrusion detection, penetration techniques, risk analysis, and secure protocols. Security systems include security in operating systems, database systems, networks and distributed systems, and middleware. Representative security applications areas are information systems, workflow systems, electronic commerce, electronic cash, copyright and intellectual property protection, telecommunications systems, and healthcare. Security polices encompass confidentiality, integrity, availability, privacy, and survivability policies, including tradeoff and conflicts amongst these.”
- InfraGard. “InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.”
- ISACA (originally the Information Systems Audit and Control Association). “As a nonprofit, global membership association for IT and information systems professionals, ISACA is committed to providing its diverse constituency of more than 95,000 worldwide with the tools they need to achieve individual and organizational success. The benefits offered through our globally accepted research, certifications and community collaboration result in greater trust in, and value from, information systems. Through the more than 190 chapters established in over 75 countries worldwide, ISACA provides its members with education, resource sharing, advocacy, professional networking, and a host of other benefits on a local level.”
- (ISC)² (International Information Systems Security Certification Consortium). “... the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. We are recognized for Gold Standard certifications (CISSP, SSCP, etc.) and world class education programs. We provide vendor-neutral education products, career services, and Gold Standard credentials to professionals in more than 135 countries. We take pride in our reputation built on trust, integrity, and professionalism. And we’re proud of our membership – an elite network of nearly 75,000 certified industry professionals worldwide. Mission: we make society safer by improving productivity, efficiency and resilience of information-dependent economies through information security education and certification.” [The CISSP Forum is particularly recommended.]
- ISO27k Forum (ISO/IEC 27000-series standards discussion forum). “This is a practitioner’s group with a pragmatic rather than theoretical focus, where every contribution is treasured and every member valued. We mostly discuss practical matters of interest to those interpreting and applying the standards in real world situations. Forum members are encouraged both to ask questions and to offer answers, tips, suggestions, case studies, example materials and so forth. This is a self-help user community that thrives on proactive involvement in a supportive atmosphere.”
- ISSA (Information Security Systems Association). “... a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.”
- OWASP (Open Web Application Security Project). “OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.”
Implementation tip: Questions are good. I learn a lot from questions. I also learn a lot from answering questions and from considering other people’s answers, further responses, corrections, clarifications, retrenchments and counterpoints. Despite the popular mantra, there are dumb questions ... but there are also deceptively simple questions that turn out to be extremely eloquent and deep once we peel back the layers and try to respond. Whatever your initial state of knowledge, expertise and experience, actively engaging in the debate puts you on the fast track to further personal and professional development. Do join in. Remember: life is not a spectator sport.
FAQ: “What does ‘ISO’ mean? And what about ‘ISO/IEC’?”
A: ISO is the short or common name of the global standards body known in English as the International Organization for Standardization. “ISO” is not strictly an abbreviation since the long name varies in different languages - it is in fact derived from the Greek word isos meaning equal. At least, that’s what we’re told.
IEC is the International Electrotechnical Commission, another international standards body that cooperates closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in practice most users [incorrectly] shorten it to “ISO”.
ISO/IEC also collaborate on some standards with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecomms organizations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimize co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally.
Implementation tip: we have tried to use “ISO/IEC” consistently throughout this site when referring to applicable standards, but we know it’s a mouthful. In casual conversation, management reports, security awareness materials, social media etc. “ISO” is good enough for most purposes. Don’t sweat the small stuff.
FAQ: “What do ‘WD’, ‘CD’, ‘FDIS’ and those other acronyms prepended to draft ISO standards really mean?”
A: The acronyms indicate the progress of International Standards sequentially through the drafting and approval stages:
- PWI = Preliminary Work Item - initial feasibility and outline scoping activities
- SP = Study Period - preparing the NWIP
- NP = New Proposal or NWIP New Work Item Proposal - the formal scoping phase, clarifying the proposal *
- WD = Working Draft (1st WD, 2nd WD etc.) - standard content development (“preparatory”) phase
- CD = Committee Draft (1st CD, 2nd CD etc.)- quality control phase, addressing editorial matters and typoos *
- FCD = Final Committee Draft - ready for final approval (voting) *
- DIS = Draft International Standard - nearly there, hold your breath *
- FDIS = Final Draft/Distribution International Standard - just about ready to publish, pinch your nose and count to 100 *
- IS = International Standard - published! Yay!
- TR = Technical Report - published!
- TS = Technical Specification - published!
* At several stages during the standards development process, national standards bodies that belong fully to ISO/IEC JTC1/SC 27 are invited to vote formally on the standards and submit comments, particularly to explain why they disapprove of anything.
A similar sequence applies to Technical Reports and other forms of output (see next Q&A).
The process from PWI to IS normally takes between 2 and 4 years (average 2.8 years), given the attention to detail at every stage and the need for collaboration and consensus on a global scale e.g. when a WD is issued for comments, representatives of the national standards bodies that belong to ISO or IEC (known as “Member Bodies” MBs within ISO but “National Committees” NCs in IEC) typically have ~3 months to review the document, discuss it amongst themselves and submit formal votes and comments. If the comments are unfavourable or complex, an updated WD is normally released for a further round of comments. When documents have stabilised, they are circulated for voting. Any of you with experience of getting formal documents such as security policies prepared, reviewed and approved by your management will surely appreciate the ‘fun’ involved in doing this in an international arena!
A fast-track process is sometimes used to adopt an existing national standard as an ISO standard. Some 6 months is allowed for comments and no more than a quarter of the votes may be negative if the standard is to be approved. “Fast” is of course a relative term.
Published standards are reviewed every five years, or earlier if defect reports are submitted.
Lately the committee has taken to using CRM to mean not the obvious Customer Relationship Management, oh no, but Comment Resolution Meeting.
FAQ: “Aside from International Standards, what are TRs and PASs and ... ?”
A: ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects:
- An International Standard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, ‘codes of practice’ (good practices) and management standards. An IS “provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context”. Most aim to describe the final objective without prescribing the method of getting there (although they don’t all meet that aim!). The review cycle is 5 years (maximum).
- A Technical Specification (TS) is a standard on a immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development and lead, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS Proposed Draft Technical Specifications.
- A Technical Report (TR) is informational in style rather than providing firm guidance. It may draw on surveys and ‘informative reports’, and may attempt to describe the ‘state of the art’. Internally within the committee, final drafts are called PDTR Proposed Draft Technical Reports.
- A Publicly Available Specification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years.
- An International Workshop Agreement (IWA) is essentially an alien PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years.
FAQ: “What is meant by ‘JTC/1 SC 27’ and what are ‘WG’s’?”
A: As you might expect, an international body developing and coordinating a vast range of technical standards on a global basis has evolved a correspondingly vast bureaucracy to manage and share the work. Member Bodies (that is, members of ISO, in other words national standards bodies) normally participate in the development of standards through Technical Committees established by the respective organisation to deal with particular fields of technical activity. The ISO and IEC Technical Committees often collaborate in fields of mutual interest. IT standardisation presents unique requirements and challenges given the pace of innovation therefore, in 1987, ISO and IEC established a Joint Technical Committee ISO/IEC JTC 1 with responsibility for IT standards.
JTC1’s purpose is “Standardization in the field of Information Technology” which “includes the specification, design and development of systems and tools dealing with the capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage and retrieval of information.” While there is general agreement that information security is a superset of IT security, the unfortunate fact that the ISO/IEC committee is IT specific means that the ISO27k information security standards are in fact labelled IT standards.
In ISO-speak, “SC” is a “Sub-Committee”. SC 27 is the main (but not the only!) ISO Sub-Committee responsible for numerous information security standards. SC 27 is a Sub-Committee of ISO/JTC1. SC 27’s “Standing Document 1” (SD1 - one of several) lays out its key processes in 50 pages of excruciating detail.
SC 27 owns and maintains more than 200 standards of which around a quarter are actively progressing at any one time. SC 27, in turn, has carved-up its workload across five WGs (Working Groups):
- SC 27/WG1 - Information Security Management Systems: responsible for developing and maintaining ISMS standards and guidelines, identifying requirements for future ISMS standards and guidelines, maintaining the WG1 roadmap and liaising/collaborating with other organizations and committees in relation to ISMS;
- SC 27/WG2 - Cryptography and Security Mechanisms: cryptography, cryptographic algorithms, encryption, authentication, key management, digital signatures and all that;
- SC 27/WG3 - Security Evaluation, Testing and Specification: Common Criteria, evaluation methods, protection profiles, security capability maturity models etc.;
- SC 27/WG4 - Security Controls and Services: responsible for a variety of standards covering intrusion detection, IT network security, incident management, ICT disaster recovery, use of trusted third parties, business continuity, application security, cybersecurity and outsourcing. Some of these also fall into ISO27k;
- SC 27/WG5 - Identity Management and Privacy Technologies: does pretty much exactly ‘what it says on the tin’ (the title is self-explanatory). Includes biometrics.
Find out more about the inner workings of SC27 in the welcome guide.
As if that wasn’t complicated enough, there are also “Other Working Groups” (OWGs), “Special Working Groups” (SWGs), “Rapporteur Groups” (RGs, advisors), “Joint Working Groups” (JWGs), Workshops and the IT Task Force (ITTF). [There is presumably also a secret CFA (Committee For Acronyms) somewhere in ISO/IEC land!].
Aside from SC 27, various other subcommittees are working on security-related matters, such as:
- SC 6 - Telecommunications and information exchange between systems
- SC 7 - Software and systems engineering
- SC 17 - Cards and personal identification
- SC 25 - Interconnection of information technology equipment
- SC 29 - Coding of audio, picture, multimedia and hypermedia information
- SC 31 - Automatic identification and data capture techniques
- SC 32 - Data management and interchange
- SC 36 - Information technology for learning, education and training
- SC 37 - Biometrics
Implementation tip: once you have gained ISMS implementation experience, consider helping the continued development of the ISO27k standards by contacting your national standards body and volunteering your assistance (more advice follows ...).
Please note: this website is privately owned and is NOT an official organ of ISO/IEC. Please read our disclaimer for more.
FAQ: “How can I keep up with developments in ISO27k?”
A: An easy way to keep in touch with developments is to join the ISO27k Forum. Don’t forget to bookmark this website and call back every so often to check the news.
Another option is to Google ISO/IEC 27000 or related terms. Professional information security-related organizations such as ISSA and ISACA, and journals such as EDPACS, are increasingly discussing or publishing articles on ISO27k. The CISSPs over at CISSPforum discuss ISO27k related matters quite often, and there are a few ISO/IEC 27000 groups on Linkedin and other social media, of variable quality.
Implementation tip: if you discover some ISO27k news before it is published here, please tell us so we can share it with the user community via this website and/or via the ISO27k Forum.
FAQ: “How can I get involved in the development of security standards?”
A: Contact your local national standards body (e.g. BSI, NIST, SNZ) to find out about any special interest groups and committees working in the information security arena. If you can spare the time to get involved with standards specification, development and/or review, contact your local ISO/IEC JTC1/SC 27 representative/s to volunteer your services.
There is a genuine chance for experienced professionals to influence the future directions of ISO27k if they are prepared to put in the effort and collaborate with colleagues around the world. Don’t wait for the published standard to raise your criticisms and improvement suggestions: get involved in the drafting and review process!
Implementation tip: The ISO/IEC security Sub-Committees and Working Groups are extremely busy and produce lots of paperwork. Committee work drafting and reviewing standards plus responding to queries from other interested parties has to be slotted-in with other duties including the day-job. If you get involved, be prepared to lose a substantial chunk of your free time reading, reviewing and contributing to draft standards. It’s fun though, a privilege to be able to collaborate with professional peers who are committed to ISO27k.
FAQ index Next FAQ section >