Information security & business continuity standards

ISO/IEC 27001

The ISO 27001 standard is considered the fundamental information security standard because it defines the basics of “building” and controlling an ISMS; it is the only certifiable information security standard.

ISO/IEC 27002

ISO/IEC 27002 (formerly ISO/IEC 17799) – this standard gives a more detailed description of how the controls are implemented, and is applied mostly in the Do phase (Implementation) of ISO 27001.

ISO/IEC 27003

ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.

ISO/IEC 27004

ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

ISO/IEC 27005

ISO/IEC 27005 specifies methods for information risk assessment and treatment, and is useful in the Plan Phase according to ISO 27001.

ISO/IEC TR 27008:2011

ISO/IEC TR 27008:2011 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, in compliance with an organization’s established information security standards.

ISO/IEC 24762:2008

ISO/IEC 24762:2008 Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services is the international standard that offers guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management (BCM).

ISO/IEC 27031:2011

ISO/IEC 27031 – Guidelines for ICT readiness for business continuity. This standard has replaced BS 25777; it describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes for identifying and specifying all aspects of improving an organization’s ICT readiness so that business continuity is ensured.

ISO/IEC 27035

ISO/IEC 27035 Management Systems Standards – Information Security – Information Security Incident Management

ISO 31000:2009

ISO 31000:2009 Risk Management Standard – ISO 31000 provides high level principles and generic guidelines for Risk Management.

ISO/IEC 38500:2008

ISO/IEC 38500:2008 Corporate governance of information technology – this standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.

BS 7858:2006+A2:2009

BS 7858:2006 + Amendment 2:2009 Security screening of individuals employed in a security environment – Code of practice. BS 7858 is a key security standard that tells you how to screen staff before you employ them. It gives recommendations for the security screening of individuals to be employed in an environment where the security and safety of people, goods or property is of extreme importance. It also applies where the employing organization’s operations require such screening and/or where such screening is in the public interest.

BS 25999-1

BS 25999-1 gives guidelines for the implementation of each business continuity element.

ISO 22301

The ISO 22301 standard has replaced BS 25999-2 and is considered the fundamental business continuity standard because it defines the basics of developing and managing a BCMS; it is the only certifiable business continuity standard. It is useful in the Do phase according to ISO 27001 for implementing the requirements given in its Annex A, Chapter 14 (business continuity management).

BS 25999-2

This standard was superseded by ISO 22301.

BS 25777:2008

BS 25777:2008 Information and communications technology continuity management – Code of practice. This standard has been superseded by ISO 27031.

PD 25111:2010

PD 25111:2010 Business continuity management – Guidance on human aspects of business continuity gives guidance on the planning and development of human resource strategies and policies for the key phases following a disruption: coping with the immediate effects of the incident, managing people during the period of disruption (the continuity stage), and supporting staff after normal operations are recovered.

PD 25666:2010

PD 25666:2010 Business continuity management – Guidance on exercising and testing for continuity and contingency programmes gives appropriate guidance to all organizations on performing exercising, including testing activities, for continuity and contingency programmes. Arrangements for information technology (IT) systems also fall under this general guidance.

NIST SP 800-55

NIST SP 800-55 describes how to measure the effectiveness of controls.

NIST SP 800-61

NIST SP 800-61 specifies incident management as a part of information security management.

COBIT

COBIT – Control Objectives for Information and related Technology – generally accepted control objectives for information technology.

ITIL v.3 (international)

ITIL v.3 (international) – IT Infrastructure Library – the global standard in the area of IT service management. It contains comprehensive, publicly accessible specialist documentation on the planning, provision and support of IT services.

NFPA 1600

NFPA 1600 – Standard on disaster/emergency management and business continuity programs.

PAS 200:2011

PAS 200:2011 is a standard designed to help organizations take practical steps to improve their ability to deal with crises. It does this by giving organizations an operational structure to detect and prepare for such crises and hence prevent or survive them.

Useful links

International Organization for Standardization
The British Standards Institution
National Institute of Standards and Technology – Special Publications (800 Series)

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.