ISO/IEC 27003:2017 – Information technology – Security techniques – Information security management systems – Guidance (2nd edition)
ISO/IEC 27003 guides those implementing the ISO27k management system standards.
“Its purpose is to provide explanations and guidance on ISO/IEC 27001:2013.”
Additionally, the standard supplements and extends the scope of other standards, particularly ISO/IEC 27000 and ISO/IEC 27001, as well as ISO/IEC 27004, ISO/IEC 27005, ISO 31000, and ISO/IEC 27014.
Because ISO intends a unified structure and format for all its management system standards, and because the standard is used for ISMS certification purposes, ISO/IEC 27001:2013 is inevitably rather formal, curt, and stilted in style. For implementers of ‘27001’, ISO/IEC 27003 provides practical explanations and straightforward guidance.
The standard’s structure and content
The ‘27003 follows virtually the same structure as the ‘27001, expanding clause by clause on the ‘27001:
– 1 Scope
– 2 Normative references
– 3 Terminology and definitions
– 4 The organization’s context
– 5 Leadership
– 6 Planning
– 7 Support
– 8 Operation
– 9 Performance evaluation
– 10 Improvement
– Annexe – The policy framework
For each clause in 27001, this standard:
– Reiterates the requirements;
– Describes the implications; and
– Provides practical guidance and supporting information, including examples, for implementing organizations.
Here is what the standard says in chapter 4.1, titled “Understanding the organization and its context”:
“An organization should identify which external issues and internal challenges are pertinent to its objectives and may impact its ability to accomplish the goal(s) of its information security management system.
Note: ISO 31000:2009 specifies that these issues should be determined in the context of the organization’s external and internal environment.”
First, Section 4.1 of the 27003 describes the required activity:
“The organization determines what are the external and internal obstacles to the achievement of the intended outcome(s) of its information security management system (ISMS).”
In addition, it provides a full explanation of the rationale for determining external and internal issues, supplementing the succinct and somewhat hard-to-understand text in 27001. It states, for example, that the organization’s ‘internal issues’ include its culture, policies, objectives, and strategies for achieving them, its governance, organizational structure, and roles, and it lists seven other internal issues to take into account. It also points to the other clauses of the standard that bear on this information.
Although this extension alone would be valuable, 27003 doesn’t stop there: it goes on to provide a further page of information and examples that is both practical and realistic.
This lets the reader better understand the ‘27001 requirements and formulate a plan for satisfying them.
The standard’s status
The standard was originally published in 2010 as guidance on implementing ISMSs.
It was significantly revised and re-issued in April 2017. It now includes a description of the structure and sequence of ISO/IEC 27001:2013, and it no longer assumes any particular project structure or approach for an ISMS implementation.
The revised 2017 standard is an excellent guide, filling in a gap in the ISO27k suite, unlike its predecessor. On the ISO27k Forum, we are regularly asked how ISO27001 should be interpreted and applied. Our FAQ and ‘27003 go a long way to answering these sorts of questions.
Future revisions of ‘27003 may go beyond the part that deals with ISMS design, implementation, and certification and offer practical advice on how to manage, monitor, and improve an ISMS in the years that follow. Essentially, certification of an ISMS is simply the beginning of its evolution and maturation: the start of integrating information security into normal business operations and realizing its value.