ISO/IEC 27000:2018 — Information Security Management Systems — Overview and Vocabulary

Information technology — Security techniques — Information security management systems — Overview and vocabulary

Understanding the ISMS Framework

ISO/IEC 27000:2018 is the foundational standard of the ISO/IEC 27000 family of information security management system (ISMS) standards. It gives an overview of what an ISMS is, defines the vocabulary shared by the rest of the family, and describes the risk-based, continually improving approach on which ISMS implementation and operation rest. Anyone involved in information security management should understand it, because it establishes the conceptual framework on which the other standards in the family are built.

Think of ISO/IEC 27000 as the dictionary and roadmap for the entire 27000 family. Without a solid grasp of the terms and concepts defined here, navigating the more detailed requirements in 27001, 27002, and other family standards becomes significantly more difficult.

The standard defines an ISMS as “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s information security to achieve business objectives.” This definition emphasizes that information security is not merely a technical concern but a business governance issue that requires systematic management, just like financial management, quality management, or environmental management. The ISMS approach is based on a risk management methodology that identifies, analyses, evaluates, and treats information security risks in a structured and repeatable manner.

ISMS component | Description | Key outputs
ISMS policy | Overall intentions and direction for information security, set by top management | Policy document approved by top management
Risk assessment | Systematic identification, analysis and evaluation of information security risks | Risk assessment report, risk treatment plan
Controls and treatment | Selected measures to modify, share, avoid or retain risks | Statement of Applicability (SoA), implemented controls
Monitoring and review | Ongoing evaluation of ISMS performance and effectiveness | Internal audit reports, management review minutes
Improvement | Corrective action on nonconformities and continual improvement based on findings | Corrective action records, improvement plans
The process approach embodied in the ISMS framework aligns with other management system standards such as ISO 9001 (quality) and ISO 14001 (environmental), enabling organizations to integrate their management systems efficiently. This reduces duplication of effort and provides a unified approach to organizational governance.

Key Terminology and Concepts

ISO/IEC 27000:2018 defines roughly 80 terms needed to understand and implement information security management systems. These terms establish a common language that holds across organizational boundaries, national borders and natural languages, so that security concepts are interpreted consistently. Key terms include “information security” (preservation of confidentiality, integrity and availability of information), “risk” (effect of uncertainty on objectives), “risk assessment” (overall process of risk identification, risk analysis and risk evaluation) and “statement of applicability” (the document that records which controls are relevant and applicable to the ISMS and why).

Term | Definition (ISO/IEC 27000:2018) | Practical significance
Confidentiality | Property that information is not made available or disclosed to unauthorized individuals, entities or processes | Access control, encryption, non-disclosure agreements
Integrity | Property of accuracy and completeness | Change management, version control, hash verification
Availability | Property of being accessible and usable on demand by an authorized entity | Redundancy, backup, disaster recovery, SLA management
Risk owner | Person or entity with the accountability and authority to manage a risk | Clear ownership of each security risk at management level
Control | Measure that is modifying risk | Policies, procedures, technical measures, organizational structures
Information security incident | Single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security | Incident response, forensic analysis, lessons learned
A common misunderstanding is equating “information security” with “IT security” or “cybersecurity.” ISO/IEC 27000 defines information security as the preservation of confidentiality, integrity and availability of information, without restricting “information” to any medium: paper records, spoken conversations and the knowledge held by staff are in scope alongside digital data. Cybersecurity, which the family addresses separately (ISO/IEC 27032), is concerned with threats in the digital domain. The scope of an ISMS is therefore broader than a purely technical security program.

The standard also introduces the concept of the “information security management system” itself as a systematic framework. It explains the relationship between the ISMS and the broader organizational context, emphasizing that information security requirements must be derived from business needs, legal and regulatory obligations, and stakeholder expectations. This contextual approach ensures that security investments are aligned with business strategy and deliver measurable value rather than being driven by fear, compliance checklists, or technology trends.

The ISO/IEC 27000 Family of Standards

ISO/IEC 27000:2018 provides an overview of the entire 27000 family and situates each standard within it. The family has grown considerably since ISO/IEC 27001 was first published in 2005 and now includes the certifiable requirements standard (27001), the control catalogue with implementation guidance (27002), ISMS implementation guidance (27003), sector-specific guidelines such as 27011 for telecommunications and 27019 for the energy utility industry, cloud-specific guidance (27017, 27018), and many other specialized topics. Knowing this landscape helps organizations identify which standards are relevant to their needs and how they relate to one another.

Standard | Focus | Relationship to 27000
ISO/IEC 27001 | ISMS requirements (certifiable) | Specifies the mandatory requirements for an ISMS
ISO/IEC 27002 | Code of practice for information security controls | Provides implementation guidance for the controls referenced by 27001
ISO/IEC 27003 | ISMS implementation guidance | Practical guidance for implementing the 27001 requirements
ISO/IEC 27004 | ISMS monitoring and measurement | Metrics and measurement techniques for ISMS effectiveness
ISO/IEC 27005 | Information security risk management | Risk management methodology aligned with the ISMS framework
ISO/IEC 27007 | ISMS auditing guidelines | Guidance for conducting ISMS audits
ISO/IEC 27017 | Cloud security controls | Cloud-specific controls and guidance based on 27002
ISO/IEC 27018 | Cloud privacy, PII protection | Protection of personally identifiable information in public cloud services
The 2018 edition of ISO/IEC 27000 lists several dozen published standards and technical reports in the family, covering requirements, general guidance, sector-specific adaptations and specialized topics. Organizations can select from this toolkit to build a tailored information security program that addresses their specific risk profile, regulatory environment and business objectives.

The 2018 edition of ISO/IEC 27000 (the fifth edition) is a maintenance revision: a number of definitions were refined, terms no longer used elsewhere in the family were removed, and the overview of published standards was updated. Its terminology remains aligned with the harmonized structure for management system standards, Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1, which ISO/IEC 27001:2013 adopted. That alignment means organizations implementing several management system standards can use a common high-level structure with shared core text, terms and definitions, which reduces integration effort.

Frequently Asked Questions

Q1: Is ISO/IEC 27000 certifiable like ISO/IEC 27001?
No, ISO/IEC 27000 is not a certifiable standard. It is a foundational standard that provides overview, concepts, and vocabulary. Organizations seeking certification must implement the requirements in ISO/IEC 27001 and undergo a formal audit by an accredited certification body. ISO/IEC 27000 serves as the essential reference document for understanding the entire family.
Q2: What is the difference between the 2016 and 2018 editions of ISO/IEC 27000?
The 2018 (fifth) edition is a maintenance revision of the 2016 (fourth) edition. It refined a number of definitions, removed terms that no other standard in the family still uses, and updated the overview of the family to reflect standards published since 2016. The alignment of the vocabulary with the Annex SL management system structure, including the shared definitions of “risk,” “top management” and “interested party” used by ISO 9001, ISO 14001 and the other management system standards, predates 2018: it was introduced when the family was revised alongside ISO/IEC 27001:2013, so both the 2016 and 2018 editions use it.
Q3: Do I need to read ISO/IEC 27000 before implementing ISO/IEC 27001?
While it is technically possible to implement ISO/IEC 27001 without reading 27000, it is strongly recommended that you review 27000 first. The vocabulary and concepts defined in 27000 are used throughout 27001 and other family standards, and a clear understanding of these foundational elements will significantly streamline your implementation effort. Many auditors expect ISMS implementers to be familiar with the terminology defined in 27000.
Q4: How does ISO/IEC 27000 relate to the EU GDPR or other privacy regulations?
ISO/IEC 27000 does not directly address privacy or personal data protection — that is covered by dedicated standards such as ISO/IEC 27701 (privacy information management) and ISO/IEC 27018 (cloud privacy). However, the ISMS framework defined in 27000 provides the foundational management system structure upon which privacy-specific management systems can be built. The risk-based approach of the ISMS aligns well with the accountability principle of the GDPR.
