Topic-specific policies
ISO/IEC 27003

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27003:2017 < Click to purchase via Amazon — Information technology — Security techniques — Information security management systems — Guidance (second edition)



“ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.”
[Source: ISO/IEC 27003:2017]


ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular.

Its scope is simply to “provide explanation and guidance on ISO/IEC 27001:2013.”

The standard supplements and builds upon other standards, particularly ISO/IEC 27000 and ISO/IEC 27001 plus ISO/IEC 27004, ISO/IEC 27005, ISO 31000 and ISO/IEC 27014.


Purpose of the standard

As a result of ISO’s intent to make all the Management Systems Standards consistent in structure and form, and in order for it to be usable for ISMS certification purposes, the language of ISO/IEC 27001:2013 is inevitably rather formal, curt and stilted. In contrast, ISO/IEC 27003 offers pragmatic explanation with plain-speaking advice and guidance for implementers of ‘27001.


Structure and content of the standard

For convenience, ‘27003 follows virtually the same structure as ‘27001, expanding clause-by-clause on ‘27001, hence the main sections are:

  • 4 Context of the organisation
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement
  • Annex - Policy framework [NOTE: this is not guidance on ‘27001 Annex A]

For each ‘27001 clause, this standard:

  • Re-states the requirement/s;
  • Explains the implications; and
  • Offers practical guidance and supporting information including examples, to help implementers implement.

For example, this is what ‘27001 says in section 4.1, ‘Understanding the organisation and its context’:

    “The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

    NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009[5].”

Section 4.1 of ‘27003 first succinctly re-states the ‘required activity’:

    “The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).”

Then it expands on the reasons why it is appropriate to ‘determine external and internal issues’, providing a page of explanation to supplement the succinct and somewhat hard to understand text from ‘27001. It explains, for instance, that the ‘internal issues’ include the organisation’s culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and list a further seven ‘internal issues’ to consider. It also identifies other clauses that use this information.

That alone would be a valuable expansion on ‘27001 section 4.1 but ‘27003 doesn’t stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area.

The end result is that the reader gains a much better understanding of the requirements from ‘27001 and a clearer idea of how to go about satisfying them.


Status of the standard

The first edition was published in 2010.

The standard was substantially revised (rewritten) and the second edition was issued in 2017.

Januarry updateA third edition is being produced primarily to reflect the 2022 versions of ISO/IEC 27001, 27002 and 27005. However, the project team has decided adopt ISO’s version of plain English with the likelihood of more substantial wording changes. Further changes have been mooted to take account of CASCO’s requirements for clarity of requirements that are to be used for certified conformity - even though ‘27003 is not formally a specification standard, and hence is not intended to be used in that way.

The revision project is at the early Preliminary Work Item stage with work in progress to confirm the direction and scope of the project and review extensive plain English and other changes offered in the initial PWI.


Personal comments

This is an excellent guide. On the ISO27k Forum, we are frequently asked how to interpret and implement ISO/IEC 27001. Along with our FAQ, ISO/IEC 27003 goes a long way towards answering questions of that nature.

Januarry update The standard revision project presents the opportunity to:

  • Offer guidance on the governance and strategic aspects of concern to senior management when initially considering, specifying and designing an ISMS;
  • Help organizations manage the spectrum risks pertaining to information (including management, personal and general business information) through the selection of more appropriate security controls i.e. controls that satisfy their requirements;
  • Give pragmatic advice regarding the critical transition of an ISMS from an implementation project to routine operations (business-as-usual).

I am intrigued at the idea that ‘27003 might perhaps, at some future point, extend beyond the ISMS design, implementation and certification part to offer pragmatic advice on the operation, management, monitoring and gradual improvement of the ISMS. The point is that certification of an ISMS is merely the start of a long process of evolution and maturity as information security becomes an integral and valuable part of normal business operations and strategies.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights