ISO/IEC 27000

From Wikipedia, the free encyclopedia

ISO/IEC 27000 is the number reserved for a new international standard, which currently carries the provisional title "Information technology - Security techniques - Information security management systems - Fundamentals and vocabulary". The standard is known informally as "ISO 27000".

The standard is being developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), as the "ISO/IEC" prefix indicates.

ISO 27000 will contain fundamental concepts and vocabulary for Information Security Management Systems (ISMS), defining and explaining the specialist terms used throughout the ISO 27000 series of ISMS standards. The scope is “to specify the fundamental principles, concepts and vocabulary for the ISO/IEC 27000 (information security management system) series of documents.”

Information security, like many technical subjects, has developed a complex web of terminology. Relatively few authors take the trouble to define precisely what they mean, an approach which is unacceptable in the standards arena because it potentially leads to confusion and devalues formal assessment and certification. As with ISO 9000 and ISO 14000, the base '000' standard is intended to address this by fixing a single vocabulary for the whole series.

ISO 27000 is itself one of a family of ISO ISMS standards, the 'ISO 27000 series'. The others, whether already published or anticipated, are:

  • ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005)
  • ISO/IEC 27002 - the proposed re-naming of existing standard ISO 17799 (last revised in 2005, due to be renumbered in 2007)
  • ISO/IEC 27003 - a new ISMS implementation guide (in preparation)
  • ISO/IEC 27004 - a new standard for information security measurement and metrics (in preparation)
  • ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3
  • ISO/IEC 27006 - a guide to the certification/registration process (awaiting publication)


Status

Current version: not yet published - due in ~2008
Target audience: users of the remaining ISO/IEC 27000-series information security management standards
