ISO/IEC 27003:2017 Preview
ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
This document provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’) and permissions (‘may’) in relation to them. It is not the intention of this document to provide general guidance on all aspects of information security.
Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.
This document does not add any new requirements for an ISMS and its related terms and definitions. Organisations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions. Organisations implementing an ISMS are under no obligation to observe the guidance in this document.
An ISMS emphasises the importance of the following phases:
- understanding the organisation’s needs and the necessity for establishing information security policy and information security objectives;
- assessing the organisation's risks related to information security;
- implementing and operating information security processes, controls and other measures to treat risks;
- monitoring and reviewing the performance and effectiveness of the ISMS; and
- practising continual improvement.