
ISO/IEC 27000, 27001 and 27002 for Information Security Management

Journal of Information Security, Vol. 4 No. 2, 2013, pp. 92-100
DOI: 10.4236/jis.2013.42011

Abstract


With the increasing significance of information technology, there is an urgent need for adequate measures of information security. Systematic information security management is one of the most important initiatives for IT management. At least since reports about privacy and security breaches, fraudulent accounting practices, and attacks on IT systems appeared in public, organizations have recognized their responsibility to safeguard physical and information assets. Security standards can be used as a guideline or framework to develop and maintain an adequate information security management system (ISMS). The standards ISO/IEC 27000, 27001 and 27002 are international standards that are receiving growing recognition and adoption. They are referred to as the “common language of organizations around the world” for information security [1]. With ISO/IEC 27001, companies can have their ISMS certified by a third-party organization and thus show their customers evidence of their security measures.

Conflicts of Interest

The authors declare no conflicts of interest.

Cite this paper

G. Disterer, "ISO/IEC 27000, 27001 and 27002 for Information Security Management," Journal of Information Security, Vol. 4, No. 2, 2013, pp. 92-100. doi:10.4236/jis.2013.42011

References
[1] E. Humphreys, “Information Security Management System Standards,” Datenschutz und Datensicherheit, Vol. 35, No. 1, 2011, pp. 7-11. doi:10.1007/s11623-011-0004-3
[2] BSI, “IT-Sicherheitsmanagement und IT-Grundschutz, BSI-Standards zur IT-Sicherheit,” Köln, 2005.
[3] C. Pelnekar, “Planning for and Implementing ISO 27001,” ISACA Journal, Vol. 4, No. 4, 2011, pp. 1-8.
[4] ISO/Nielsen, “The ISO Survey of Certifications,” International Organization for Standardization ISO, Geneve, 2011.
[5] Deloitte, “Financial Services Global Security Study,” Deloitte, London, 2010.
[6] G. Disterer, “Zertifizierung der IT Nach ISO 20000,” Wirtschaftsinformatik, Vol. 51, No. 6, 2009, pp. 530-534.
[7] M. Winniford, S. Conger and L. Erickson-Harris, “Confusion in the Ranks,” Information Systems Management, Vol. 26, No. 2, 2009, pp. 153-163. doi:10.1080/10580530902797532
[8] ISO 27001, “Information Technology, Security Techniques, Information Security Management Systems, Requirements,” International Organization for Standardization ISO, Geneve, 2005.
[9] ISO 27000, “Information Technology, Security Techniques, Information Security Management Systems, Overview and Vocabulary,” International Organization for Standardization ISO, Geneve, 2009.
[10] Y. Barlette and V. Fomin, “Exploring the suitability of IS Security Management Standards for SMEs,” In: R. H. Sprague, Ed., Proceeding of 41st Hawaii International Conference on System Sciences (HICSS), Los Alamitos, 2008, pp. 308-317.
[11] ISO 27002, “Information Technology, Security Techniques, Code of Practice for Information Security Management,” International Organization for Standardization ISO, Geneve, 2005.
[12] A. Teubner and T. Feller, “Informationstechnologie, Governance und Compliance,” Wirtschaftsinformatik, Vol. 50, No. 5, 2008, pp. 400-407. doi:10.1007/s11576-008-0081-6
[13] R. Richardson, “CSI Computer Crime and Security Survey,” Computer Security Institute and Federal Bureau of Investigation, Washington, 2008.
[14] J. D’Arcy and A. Hovav, “Deterring internal information systems misuse,” Communications of the ACM, Vol. 50, No. 10, 2007, pp. 113-117. doi:10.1145/1290958.1290971
[15] “ISO IT Security Techniques,” 8 August 2012.


Copyright © 2020 by authors and Scientific Research Publishing Inc.


This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.