This page illustrates the point within the ISO organisation where the ISMS standards are developed and shows graphically the individual ISMS standards, their normative status, their stage of development and the inter-relationships between them.
The ISMS standards are developed jointly by the International Organization for Standardization (ISO) and the International Electron-technical Committee (IEC), hence the formal “ISO/IEC …” identification of these publications. Click on the logo below to open ISO’s English-language home page.
The structure of ISO looks like this:
In the lower right part of this figure you’ll see ‘Technical committees’ which, as far as we’re concerned, is where the work gets done.
Follow this link to a further ISO web page, which will show you all of the current ISO Technical Committees (TC) and Joint Technical Committees (JTC – ‘joint’ is where the connection with IEC comes in). Joint Technical Committees number 1 (JTC1) “Information Technology” is the committee which oversees development of the ISMS standards.
Within JTC1 there are a number of Sub-Committees assigned specific areas of responsibility (this link will take you to that ISO web page).Sub-Committee number 27 (SC27) “IT Security techniques” has the responsibility for the ISMS standards, amongst other IT Security standards (this link will take you to that ISO web page). A list of SC27’s current projects can be found here.
Various bodies contribute to the development of these standards. The US national body is the Inter-National Committee for Information Technology Standards (INCITS) Technical Committee for Cyber Security, CS1.
Two normative standards set the most significant REQUIREMENTS. Implementers of ISMSs should conform to the requirements of ISO/IEC 27001; those wishing to become accredited as Certification Bodies need to fulfill the requirements of ISO/IEC 27006. Additionally, ISO/IEC 27009 sets REQUIREMENTS, but these apply more to authors/editors of International Standards which derive requirements from ISO/IEC 27001, for application in specific sectors.
Most other documents in the ‘2700x’ series are ‘informative’ and are intended to support conformity to one or other of the normative publications, with the exception of ‘27000’ which is a bird’s-eye view of the series. An organisation seeking ISMS Certification must be conformant to the requirements of ISO/IEC 27001, not against any other of these standards.
In addition to these documents there are others being developed which provide sector-specific implementation guidance, e.g. in the aerospace, health and telecommunications sectors.