ISO 27003 – The further into the forest, the more trees…
In the previous article, we described how ISO 27001 defines the requirements for planning an ISMS (Information Security Management System). 27001 also includes implementation tips and guidelines for maintaining and improving the quality of the system. In turn, ISO 27002 is a standard that documents guidelines and principles for initiating, implementing, maintaining and improving information technology security mechanisms. So what else is ISO 27003 for?
ISO 27003:2017 gives guidelines for the implementation of an information security management system; it is the “bridge” between 27001 and 27002. Standard 27002, described in the previous article, provides detailed guidance on the development of security management techniques, which it does by identifying over one hundred potential controls. It can be said that without the proper organizational tools, ISO 27002 is an isolated ISO reference with best practices for implementing security mechanisms, which still makes it a useful set of good practices. ISO 27001 allows you to gain perspective on which practices from ISO 27002 to apply through skillful risk management. The relation between ISO 27003 and ISO 27002 is that any controls implemented from 27002 must be related to the requirements of ISO 27001. The guidance in 27003 will help to achieve this.
For convenience, 27003 has practically the same structure as 27001, extending it clause by clause, hence the main sections are:
- The context of the organization
- Leadership
- Planning
- Support
- Operations
- Performance evaluation
- Opportunities for improvement
This support for the implementation of the 27001 standard can be summarized as follows: the 27003 standard explains the implications of each requirement and provides practical tips and supporting information, including examples, to help implementers. For example…
what 27001 describes in section 4.1, “Understanding the organization and its context”: “The organization shall determine external and internal matters that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its information security management system.”
Section 4.1 of document 27003 first specifies the “action required”: “An organization shall determine the external and internal matters relevant to its purpose and that affect its ability to achieve the intended outcome(s) of the information security management system (ISMS).”
The example above illustrates how ISO 27003 translates the provisions of 27001 into action, while 27002 gives specific technical measures. Using these three standards, we can successfully define a plan and implement an information security management system. It is also worth adding that ISO 27003 complements two other ISO guideline standards. ISO/IEC 27004 covers the monitoring, measurement, analysis and evaluation of information technology security. ISO/IEC 27005 provides guidance on information security risk management.