
    ISO 27001 & ISO 22301 Knowledge base

    Information security & business continuity standards

    ISO/IEC 27001

    The ISO 27001 Standard is considered to be the fundamental information security standard because it defines the basics of “building” and controlling an ISMS; this is the only certifiable information security standard.

    ISO/IEC 27002

    ISO/IEC 27002 (formerly ISO/IEC 17799) – this standard gives a more detailed description of implementation of controls, and is mostly applied in the Do Phase (Implementation) of ISO 27001.

    ISO/IEC 27003

    ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.

    ISO/IEC 27004

    ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

    ISO/IEC 27005

    ISO/IEC 27005 specifies methods for information risk assessment and treatment, and is useful in the Plan Phase according to ISO 27001.

    ISO/IEC TR 27008:2011

    ISO/IEC TR 27008:2011 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, in compliance with an organization’s established information security standards.

    ISO/IEC 24762:2008

    ISO/IEC 24762:2008 Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services is the international standard that offers guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management (BCM).

    ISO/IEC 27031:2011

    ISO/IEC 27031 – Guidelines for ICT readiness for Business Continuity. This standard has replaced BS 25777 and describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects for improving an organization’s ICT readiness to ensure business continuity.

    ISO/IEC 27035

    ISO/IEC 27035 Management Systems Standards – Information Security – Information Security Incident Management

    ISO 31000:2009

    ISO 31000:2009 Risk Management Standard – ISO 31000 provides high level principles and generic guidelines for Risk Management.

    ISO/IEC 38500:2008

    ISO/IEC 38500:2008 Corporate governance of information technology – this standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.

    BS 7858:2006+A2:2009

    BS 7858:2006 + Amendment 2:2009 Security screening of individuals employed in a security environment – Code of practice. BS 7858 is a key security standard that tells you how to screen staff before you employ them. BS 7858 gives recommendations for the security screening of individuals to be employed in an environment where the security and safety of people, goods or property is of extreme importance. It also applies where the employing organization’s operations require such screening and/or where such security screening is in the public interest.

    BS 25999-1

    BS 25999-1 gives guidelines for the implementation of each business continuity element.

    ISO 22301

    The ISO 22301 standard has replaced BS 25999-2, and is considered the fundamental business continuity standard because it defines the basics of developing and managing the BCMS; this is the only certifiable business continuity standard. It is useful in the Do Phase according to ISO 27001 for the implementation of requirements given in its Annex A Chapter 14 (business continuity management).

    BS 25999-2

    This standard was superseded by ISO 22301.

    BS 25777:2008

    BS 25777:2008 Information and communications technology continuity management – Code of practice. This standard is superseded by ISO 27031.

    PD 25111:2010

    PD 25111:2010 Business continuity management – Guidance on human aspects of business continuity gives guidance on the planning and development of human resource strategies and policies for the key phases following a disruption: Coping with the immediate effects of the incident, Managing people during the period of disruption (the continuity stage), and Supporting staff after recovery of normal operations.

    PD 25666:2010

    PD 25666:2010 Business continuity management – Guidance on exercising and testing for continuity and contingency programmes gives appropriate guidance to all organizations on performing exercising, including testing activities, for continuity and contingency programmes. Arrangements for information technology (IT) systems also fall under this general guidance.

    NIST SP 800-55

    NIST SP 800-55 describes how to measure the effectiveness of controls.

    NIST SP 800-61

    NIST SP 800-61 specifies incident management as a part of information security management.

    COBIT

    COBIT – Control Objectives for Information and Related Technology – a set of generally accepted control objectives for information technology.

    ITIL v.3 (international)

    ITIL v.3 (international) – IT Infrastructure Library – Global standard in the area of service management. Contains comprehensive, publicly accessible specialist documentation on the planning, provision and support of IT services.

    NFPA 1600

    NFPA 1600 – Standard on disaster/emergency management and business continuity programs.

    PAS 200:2011

    PAS 200:2011 is a standard designed to help organizations take practical steps to improve their ability to deal with crises. It does this by giving organizations an operational structure to detect and prepare for such crises and hence prevent or survive them.

    Useful links

    International Organization for Standardization
    The British Standards Institution
    National Institute of Standards and Technology – Special Publications (800 Series)

    Author
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.