Most organizations today have no choice but to maintain a digital presence, relying on services that, for the most part, enhance their activities through numerous technology-based improvements. However, these advantages also create avenues through which an organization's data may be susceptible to breach. Information security exists to address this risk. The ever-growing frequency and sophistication of cyberattacks fuels the demand for many tech jobs, a large share of which involve countering cybercrime. ISO's approach to helping organizations limit their susceptibility to cyberattacks is the information security management system (ISMS), the base requirements for which are detailed in ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements.
The ISO/IEC 27000 series of standards has adopted the shared Annex SL format, which presents the documents' non-prescriptive specifications in a manner that simplifies compliance for the user. As an ISO management system standard, the ISO/IEC 27000 series comprises several parts: ISO/IEC 27001:2022 gives the core requirements, and the other documents supplement that information. One such document is ISO/IEC 27003:2017 – Information technology – Security techniques – Information security management systems – Guidance.
ISO/IEC 27003:2017 adds to the requirements covered in the ISO/IEC 27001 standard, offering guidance on each requirement and providing recommendations (“should”), possibilities (“can”) and permissions (“may”) in relation to them.
The presentation of this guidance makes it easy for the user to follow. The sections of ISO/IEC 27003:2017 mirror those of the requirements standard, and each section is broken down into three main parts – Required Activity, Explanation, and Guidance – followed by an area for any additional information the standard's user should know. Required Activity restates the corresponding content from ISO/IEC 27001.
For example, Section 4.2 of ISO/IEC 27003:2017, “Understanding the needs and expectations of interested parties”, includes the following Required Activity:
“The organization determines interested parties relevant to the ISMS and their requirements relevant to information security.”
It then gives the following Explanation, along with specific examples:
“Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Interested parties can be found both outside and inside the organization and can have specific needs, expectations and requirements for the organization’s information security.”
Lastly, in its Guidance, the document states that the following steps should be taken to fulfil this requirement:
“identify external interested parties; identify internal interested parties; and identify requirements of interested parties”
This is just one example of the guidance provided by ISO/IEC 27003:2017. Beyond this, the standard addresses the step-by-step approach to implementing an ISMS, the role that leadership should play in the system, and related concerns.
Note that ISO/IEC 27003:2017 applies to more than just large organizations that are particularly susceptible to data breach. In fact, cyber criminals are known to target smaller organizations as a sort of practice run before moving on to a larger attack they have planned. There is therefore a clear need for cybersecurity professionals at all levels and, in turn, for information security management systems at most organizations.
ISO/IEC 27003:2017 – Information technology – Security techniques – Information security management systems – Guidance is available on the ANSI Webstore.