The ISO/IEC 27000 series is a broad collection of standards related to information security, cybersecurity, and privacy protection. Together, these standards help organizations establish, implement, maintain, and improve an Information Security Management System, or ISMS.
For many people, ISO/IEC 27001, also known as ISO 27001, is the best-known standard in the series because it is the one used for certification. However, ISO/IEC 27001 is only one part of a much larger structure. The ISO 27000 series also includes standards on information security controls, implementation guidance, risk management, auditing, governance, cloud security, privacy, digital evidence, network security, supplier relationships, and many other related subjects.
We will not cover every published document in the series. Instead, we focus on the better-known and more commonly used standards that most organizations, consultants, auditors, and information security professionals are likely to encounter.
The Major and Most Common Standards in the ISO/IEC 27000 Series
ISO/IEC 27000 — Information security management systems — Overview and vocabulary
ISO/IEC 27000 provides the overview and vocabulary for the series. This makes it a natural starting point for anyone trying to understand how the standards fit together. It explains the concept of the Information Security Management System and defines many of the terms used across the series.
This is more important than it may first appear. Information security work depends on clear language. Terms such as risk, control, vulnerability, asset, interested party, and information security incident need to be understood consistently if an ISMS is to function properly. ISO/IEC 27000 helps create that common foundation.
ISO/IEC 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO/IEC 27001 is the central standard in the series. It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System. It is also the standard against which organizations can be audited and certified. In practice, ISO 27001 requires an organization to understand its context, identify the needs and expectations of interested parties, define the scope of the ISMS, assess risks, treat those risks appropriately, and monitor and improve the system over time. It also places clear responsibility on leadership and requires information security to be managed systematically rather than informally. For most organizations, ISO 27001 is the main anchor point in the series. For more information on the history of ISO/IEC 27001, see our in-depth article here.
ISO/IEC 27002 — Information security, cybersecurity and privacy protection — Information security controls
ISO/IEC 27002 provides guidance on information security controls. If ISO 27001 explains what the management system must achieve, ISO 27002 helps organizations understand how controls can be selected, interpreted, and implemented in practice. This standard is often used during risk treatment, Statement of Applicability development, control design, and control improvement. It covers organizational controls, people controls, physical controls, and technological controls. Because of that, it is one of the most frequently used supporting standards in the entire series. Organizations regularly turn to ISO 27002 for guidance on issues such as access control, supplier relationships, incident response, asset management, secure development, logging, backup, and vulnerability management.
ISO/IEC 27003 — Information security management system — Guidance
ISO/IEC 27003 provides guidance on implementing an ISMS in line with ISO 27001. This is especially useful because reading a requirement and applying it effectively are not the same thing. Many organizations understand what ISO 27001 requires in theory, but need help translating those requirements into practical implementation steps. ISO 27003 supports that process by giving explanation and guidance across the core clauses of ISO 27001, including context, leadership, planning, support, operation, performance evaluation, and improvement. For internal project leads, consultants, and organizations building an ISMS for the first time, ISO 27003 is often one of the most useful standards in the series.
ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
ISO/IEC 27004 focuses on monitoring, measurement, analysis, and evaluation. In other words, it helps organizations determine whether the ISMS and its controls are actually performing as intended. This matters because a management system should not exist only as a set of policies and procedures. It also needs to produce evidence of effectiveness. ISO 27004 supports organizations in developing meaningful ways to monitor performance, measure control effectiveness, analyse results, and evaluate what those results mean. It is particularly relevant for management reporting, internal audits, management reviews, and continual improvement.
ISO/IEC 27005 — Guidance on managing information security risks
ISO/IEC 27005 provides guidance on managing information security risks. Since risk management is one of the core elements of ISO 27001, this standard plays an important supporting role within the series. It helps organizations identify, analyse, evaluate, and treat risks to information security in a more structured and defensible way. This is important because poor risk management tends to weaken the entire ISMS. If risks are identified poorly, control selection may become arbitrary. If risk analysis is inconsistent, treatment decisions become difficult to justify. For organizations working directly with risk criteria, risk registers, treatment plans, and residual risk acceptance, ISO 27005 is often one of the most valuable supporting standards.
ISO/IEC 27006-1 — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006-1 is primarily aimed at certification bodies rather than organizations implementing an ISMS. It specifies how certification bodies should audit an ISMS for conformity with ISO 27001. Although many organizations will not apply this standard directly, it still matters because it supports the credibility and consistency of the certification process. It helps ensure that those conducting certification audits are competent and that certification is based on an appropriate level of rigor.
ISO/IEC 27007 — Guidelines for information security management systems auditing
ISO/IEC 27007 provides guidance on auditing Information Security Management Systems. It is relevant for organizations with internal audit programmes, for consultants helping clients prepare for certification, and for auditors who need a more focused information security perspective. This standard concentrates on auditing the management system elements of the ISMS. It therefore helps organizations look beyond individual technical checks and examine whether the system as a whole is functioning as required.
ISO/IEC TS 27008 — Guidance for the assessment of information security controls
ISO/IEC TS 27008 complements ISO/IEC 27007 by focusing more specifically on the assessment of information security controls. Where ISO 27007 looks more at the ISMS as a management system, ISO/IEC TS 27008 focuses more on technical and control level checks. This makes it particularly useful for assurance activities, control testing, audit preparation, and organizations that want a more detailed view of whether their controls are actually implemented and operating as intended.
ISO/IEC 27009 — Sector-specific application of ISO/IEC 27001 — Requirements
ISO/IEC 27009 is not normally a first stop for organizations building a basic ISMS, but it is important in the wider structure of the series. It provides guidance for those developing sector-specific standards based on or related to ISO 27001. Its relevance lies in showing how the ISO 27000 series can be adapted and extended into more specialized environments while still maintaining a consistent relationship to the main ISMS requirements.
ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
ISO/IEC 27010 provides guidance on sharing information relating to information risks, security controls, issues, and incidents across sectors and organizations. This makes it especially relevant where communication and coordination extend beyond a single legal entity or business unit. It is often associated with environments involving collaboration, critical infrastructure, or complex networks of stakeholders where secure and trusted information exchange is essential.
ISO/IEC 27011 — Information security controls based on ISO/IEC 27002 for telecommunications organizations
ISO/IEC 27011 is an implementation guide for telecommunications organizations. It applies the broader logic of the ISO 27000 series to a telecoms context and helps those organizations implement information security controls with reference to ISO 27002. This is one example of how the series expands beyond general use into sector-specific application.
ISO/IEC 27013 — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27013 is relevant for organizations that want to integrate information security management and IT service management. It brings together ISO/IEC 27001 and ISO/IEC 20000-1 and helps organizations understand how the two management systems can be implemented in a coordinated way. Used well, this can reduce duplication, improve consistency, and support a more efficient management system structure across related disciplines.
ISO/IEC 27014 — Governance of information security
ISO/IEC 27014 focuses on governance. This makes it especially relevant for governing bodies, top management, and those responsible for directing and overseeing information security rather than only operating controls. Its importance lies in the fact that information security should not be treated as a purely technical issue. It needs direction, accountability, oversight, and alignment with organizational objectives. ISO/IEC 27014 supports that broader governance perspective.
ISO/IEC TR 27016 — Organisational economics
ISO/IEC TR 27016 deals with the financial and resourcing aspects of managing information risks and security controls. This makes it particularly interesting for executive management, budget owners, and anyone trying to connect information security decisions with business and economic realities. In practice, many organizations struggle not only with what to implement, but also with how to justify investments, allocate resources, and explain the financial value of security measures. This standard supports that discussion.
ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27017 provides guidance on information security for cloud services. It builds on ISO/IEC 27002 and is relevant both for cloud service providers and cloud service customers. As cloud adoption has become more widespread, ISO 27017 has become increasingly important. It helps clarify cloud-related control issues and supports a more structured approach to responsibilities and safeguards in cloud environments.
ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27018 is closely related to privacy in cloud environments. It is aimed at public cloud providers acting as PII processors and suggests information security controls to help protect personal data. This standard is especially relevant where customer trust, contractual accountability, and privacy obligations play a major role. It is often discussed alongside cloud governance and privacy management.
ISO/IEC 27019 — Information security controls for the energy utility industry
ISO/IEC 27019 applies to the energy utility industry and focuses on securing industrial process control and operational technology systems. Not every organization will need it, but it is an important example of how the ISO/IEC 27000 series extends into specialist sectors. It shows that the series is not only broad, but also adaptable to environments where sector-specific technologies and risks require more tailored guidance.
ISO/IEC 27021 — Competence requirements for information security management systems professionals
ISO/IEC 27021 focuses on the knowledge and expertise required of information security professionals working with an ISMS. This makes it useful for employers, training bodies, certification bodies, and practitioners themselves. An effective ISMS depends not only on documentation and controls, but also on competent people. ISO/IEC 27021 supports that human side of information security management.
ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27031 provides guidance on the use of Information and Communication Technology to ensure business continuity. This makes it especially relevant where resilience, disruption planning, and recovery capability are important concerns. Organizations that need stronger alignment between information security and continuity planning often find this standard useful.
ISO/IEC 27032 — Guideline for Internet security
ISO/IEC 27032 addresses Internet security and the application of network security controls to protect Internet-related services and systems. It reflects the fact that modern information security extends well beyond internal environments and increasingly depends on secure use of Internet-facing technologies.
ISO/IEC 27701 — Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management — Requirements and guidelines
ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 into privacy information management. It provides requirements and guidelines for a Privacy Information Management System, often referred to as a PIMS. This makes it especially relevant for organizations with significant privacy obligations or those processing personally identifiable information as controllers or processors. For many organizations, ISO/IEC 27701 has become one of the most important privacy related extensions associated with the series.
Why the ISO/IEC 27000 Series Matters as a Whole
One of the major strengths of the ISO/IEC 27000 series is that the standards support one another. ISO/IEC 27000 explains the vocabulary. ISO/IEC 27001 defines the ISMS requirements. ISO/IEC 27002 provides information security controls guidance. ISO/IEC 27003 helps with implementation. ISO/IEC 27004 strengthens monitoring and evaluation. ISO/IEC 27005 supports risk management. Other standards then expand into auditing, governance, cloud services, privacy, continuity, sector-specific guidance, and professional competence. This interconnected structure is one of the reasons the series is so widely respected. Organizations can start with the core standards and then use additional standards depending on their size, sector, complexity, and objectives.
Conclusion
The ISO/IEC 27000 series is much more than a single certification standard. It is a broad and structured collection of standards related to information security, cybersecurity, and privacy protection. For most organizations, the standards most commonly encountered will be ISO/IEC 27000, 27001, 27002, 27003, 27004, and 27005. Beyond those, standards such as ISO/IEC 27007, 27014, 27017, 27018, 27021, 27031, 27701 and ISO/IEC TS 27008 become relevant depending on the organization’s specific needs. Understanding these major standards helps make clear that ISO 27001 does not stand alone. It sits within a wider series of mutually supporting standards that, when used well, can significantly strengthen the design, operation, and long-term effectiveness of an Information Security Management System.