This page illustrates the point within the ISO organisation where the ISMS standards are developed and shows graphically the individual ISMS standards, their normative status, their stage of development and the inter-relationships between them.
The ISMS standards are developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), hence the formal "ISO/IEC ..." identification of these publications.
The structure of ISO is shown in ISO's organisation chart (figure not reproduced here). In the lower right part of that figure you'll see 'Technical committees' which, as far as we're concerned, is where the work gets done.
ISO publishes a list of all the current Technical Committees (TC) and Joint Technical Committees (JTC; 'joint' is where the connection with IEC comes in). Joint Technical Committee number 1 (JTC1) "Information Technology" is the committee which oversees development of the ISMS standards.
Within JTC1 there are a number of Sub-Committees assigned specific areas of responsibility. Sub-Committee number 27 (SC27) "IT Security techniques" has the responsibility for the ISMS standards, amongst other IT Security standards. A list of SC27's current projects is available from ISO.
Various bodies contribute to the development of these standards. The US national body is the InterNational Committee for Information Technology Standards (INCITS) Technical Committee for Cyber Security.
A separate figure (PDF, not reproduced here) puts into context the whole set of ISMS standards.
Two normative standards set actual REQUIREMENTS. Implementers of ISMSs should conform to the requirements of ISO/IEC 27001(:2005); those wishing to become accredited as Certification Bodies need to fulfil the requirements of ISO/IEC 27006(:2007). All other documents in the '2700x' series are 'informative' and are intended to support conformity to one or other of the normative publications, with the exception of '27000' which, when published, will be a bird's-eye view of the series. An organisation seeking ISMS Certification must conform to ISO/IEC 27001:2005, not to any other of these standards.
In addition to these documents there are others being developed which provide sector-specific implementation guidance, e.g. in the aerospace, health and telecommunications sectors.