ISO/IEC 27001 Information Security Management System Family

The ISO/IEC 27000 series covers a wide range of cyber security requirements and guidelines, including those supporting the setting up of the ISO/IEC 27001 ISMS (Information Security Management System), which is covered in this Annex. The ISO/IEC 27001 family of standards has grown quickly over recent years, as depicted in the figure below and further detailed in the table that follows.

ISO/IEC 27001 (together with other standards in the 27XXX family) also provides the framework for third-party audits and certification of an organisation’s ISMS. Organisations can have their information security management system certified against ISO/IEC 27001 by independent certification bodies, which in turn have to be accredited by a national accreditation body.

The ISMS family of standards consists of inter-related standards, already published or under development, and contains a number of significant structural components. These components are focused on:

  • Standards describing ISMS requirements (ISO/IEC 27001);
  • Certification body requirements (ISO/IEC 27006) for those certifying conformity with ISO/IEC 27001;
  • Additional requirement framework for sector-specific implementations of the ISMS (ISO/IEC 27009).

Other documents provide guidance for various aspects of an ISMS implementation, addressing a generic process as well as sector-specific guidance.

Relationships between the ISMS family of standards are illustrated in the following figure:

ISMS family of standards relationships

NOTE: This page may reference each standard only by its number, while understanding that some requirements in a standard may change over time as it is revised and republished. Actual revision dates may be obtained from the source organization.

ISO/IEC 27001

ISO/IEC 27001 is a worldwide recognized standard providing requirements for the setting up of an information security management system (ISMS). An ISMS is described as “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks”.

The following steps need to be applied and continually repeated to establish, monitor, maintain and improve an ISMS:

  • a) Identify information assets and their associated information security requirements, while considering legal, regulatory and contractual requirements.
  • b) Assess and treat information security risks, including:
    – a risk analysis and risk evaluation;
    – the application of appropriate controls and risk acceptance.
  • c) Select and implement relevant controls to manage unacceptable risks.
    – Controls can be selected from ISO/IEC 27002 and all ISO/IEC 27002 sector-specific standards, e.g. ISO/IEC 27019 for the energy sector.
  • d) Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets.

ISO/IEC 27002:2013

ISO/IEC 27002 is a code of practice – a generic set of controls addressing information security control objectives, intended to mitigate security risks affecting, for example, the confidentiality, integrity and availability of information.

ISO/IEC 27002 security controls are organized within the following main clauses:

  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Compliance

ISO/IEC 27019:2017

ISO/IEC 27019 provides guiding principles based on ISO/IEC 27002 for information security management applied to process control systems as used in the energy utility industry. The aim of ISO/IEC 27019 is to extend the ISO/IEC 27000 set of standards to the domain of process control systems and automation technology. This allows the energy utility industry to implement a standardised information security management system (ISMS) in accordance with ISO/IEC 27001 that extends from the business to the process control level.

The scope of ISO/IEC 27019 covers process control systems used by the energy utility industry for controlling and monitoring the generation, transmission, storage and distribution of electric power, gas and heat in combination with the control of supporting processes. This includes in particular the following systems, applications and components:

  • The overall IT-supported central and distributed process control, monitoring and automation technology, as well as the IT systems used for their operation, such as programming and parameterisation devices
  • Digital controllers and automation components such as control and field devices or PLCs, including digital sensor and actuator elements
  • All further supporting IT systems used in the process control domain, e.g. for supplementary data visualisation tasks and for controlling, monitoring, data archiving and documentation purposes
  • The overall communications technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology
  • Digital metering and measurement devices, e.g. for measuring energy consumption, generation or emission values
  • Digital protection and safety systems, e.g. protection relays or safety PLCs
  • Distributed components of future smart grid environments
  • All software, firmware and applications installed on the above-mentioned systems.