What is ISO/IEC 27003?
ISO/IEC 27003 Information technology — Security techniques — Information security management systems — Guidance
ISO/IEC 27003:2017, more commonly referred to as ISO 27003, gives guidance on organizational information security standards and information security management practices. This includes the selection, implementation and management of controls, taking into consideration the organization’s information security risks. The standard supplements and builds upon other standards, particularly ISO/IEC 27000 and ISO/IEC 27001, plus ISO/IEC 27004, ISO/IEC 27005, ISO 31000 and ISO/IEC 27014.
The standard is designed for organizations that intend to:
- select controls within the process of implementing ISO 27001:2013
- implement commonly accepted information security controls
- develop their own information security management guidelines
Purpose of the Standard
ISO writes its standards with a consistent structure and understandable language so that they fit together coherently. The goal is to give organizations a clearer understanding of how to implement each standard, and to make it easier to implement multiple ISO management systems side by side. To help organizations further understand ISO 27001, ISO/IEC 27003 offers pragmatic explanation with plain-speaking advice and guidance.
The ISO/IEC 27003 standard provides guidance for all the requirements of ISO/IEC 27001, but it does not give detailed descriptions of “monitoring, measurement, analysis and evaluation” or of information security risk management. For the 27001 requirements it does cover, the standard offers recommendations, possibilities and permissions rather than additional mandatory requirements. It is not the intention of this standard to provide general guidance on all aspects of information security.
For each ISO 27001 clause, this standard restates the requirements, explains their implications, and offers guidance and supporting information, including examples.
For convenience, ISO 27003 follows the same structure as ISO 27001:
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- 4 Context of the organization
- 5 Leadership
- 6 Planning
- 7 Support
- 8 Operation
- 9 Performance evaluation
- 10 Improvement
- Annex – Policy framework