The ISO/IEC 27000 family of information security standards
The ISO/IEC 27000 series is a set of international standards for managing information security. At its centre is ISO/IEC 27001, the certifiable standard for an Information Security Management System (ISMS); the surrounding documents provide controls guidance, sector extensions and measurement methods. This reference lists the most widely used members of the family with each one’s scope, whether it is certifiable, and a filter to find the right standard fast.
The core family and their roles
| Standard | Title (short) | Certifiable | Primary audience |
|---|---|---|---|
| ISO/IEC 27000 | Overview and vocabulary | No | Everyone — read first |
| ISO/IEC 27001 | ISMS requirements | Yes | Any organisation seeking certification |
| ISO/IEC 27002 | Controls implementation guidance | No | Security teams implementing 27001 Annex A |
| ISO/IEC 27004 | Monitoring, measurement, analysis | No | Teams building metrics for the ISMS |
| ISO/IEC 27005 | Information security risk management | No | Risk managers |
| ISO/IEC 27017 | Cloud service controls | No | Cloud providers and cloud customers |
| ISO/IEC 27018 | PII protection in public clouds | No | Cloud processors handling personal data |
| ISO/IEC 27035 | Incident management | No | Security operations and IR teams |
| ISO/IEC 27701 | Privacy information management (PIMS) | Yes (extension of 27001) | Organisations needing privacy certification |
How the family is structured
Each standard in the family plays a defined role. 27000 is the free vocabulary and overview document. 27001 states the ISMS requirements and is the one organisations get audited and certified against. 27002 is the implementation code of practice for the controls listed in 27001 Annex A — it explains the how, not just the what.
Sector and topic extensions — 27017 (cloud), 27018 (PII in public clouds), 27701 (privacy) — layer specialised guidance on top of 27001 and 27002. Measurement (27004), risk management (27005) and incident response (27035) round out the operational practice. Only 27001 (and 27701 as an extension to it) are certifiable; the rest are guidance that support a certified ISMS.
ISO 27001:2022 vs. the earlier 2013 edition
The current edition is ISO/IEC 27001:2022, which restructured Annex A from 114 controls across 14 categories into 93 controls in four themes: Organisational, People, Physical, and Technological. Eleven new controls were added, including ones for threat intelligence, cloud services, data leakage prevention, and configuration management. Organisations certified against the 2013 edition had a transition period (now closed) to migrate to 2022. All new certifications must be to the 2022 edition.
Practical guidance on which standards to apply
Start here:
- 27001 + 27002 — requirements plus implementation guidance for controls. These two are always the foundation.
- 27000 — the free vocabulary document. Read it before tackling 27001 to understand the terminology.
Add these when relevant:
- 27017 + 27018 — if you operate or consume cloud services, especially where you act as a cloud service customer or provider under GDPR.
- 27701 — if you need a certifiable privacy management layer. It extends 27001 and maps well to GDPR and other data-protection regimes.
- 27005 — if your risk treatment process needs a more systematic methodology than 27001’s minimal prescriptions provide.
- 27035 — if you are building or maturing an incident response capability.
Certificate wording matters: a genuine ISO 27001 certificate names the specific edition (e.g. “ISO/IEC 27001:2022”) and lists the scope of the certified ISMS. Certificates citing other 27000-family standards alone (27002, 27017, etc.) are not meaningful — those standards are guidance, not requirements, and are not audited independently.