ISO 27000 Series Reference

Information security management standards (ISMS) at a glance.

Reference table of the ISO/IEC 27000-family standards — 27001, 27002, 27017, 27018, 27701 and more — with each standard's scope, status and a quick filter to find the right one. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Which ISO 27000 standard can you actually be certified against?

ISO/IEC 27001 is the certifiable standard — it specifies the requirements for an Information Security Management System (ISMS). Most other 27000-family documents (like 27002) are guidance or code-of-practice supplements that support 27001 but are not certified on their own. ISO 27701 extends 27001 and can be certified as a privacy add-on.

The ISO/IEC 27000 family of information security standards

The ISO/IEC 27000 series is a set of international standards for managing information security. At its centre is ISO/IEC 27001, the certifiable standard for an Information Security Management System (ISMS); the surrounding documents provide controls guidance, sector extensions and measurement methods. This reference lists the most widely used members of the family with each one’s scope, whether it is certifiable, and a filter to find the right standard fast.

The core family and their roles

StandardTitle (short)CertifiablePrimary audience
ISO/IEC 27000Overview and vocabularyNoEveryone — read first
ISO/IEC 27001ISMS requirementsYesAny organisation seeking certification
ISO/IEC 27002Controls implementation guidanceNoSecurity teams implementing 27001 Annex A
ISO/IEC 27004Monitoring, measurement, analysisNoTeams building metrics for the ISMS
ISO/IEC 27005Information security risk managementNoRisk managers
ISO/IEC 27017Cloud service controlsNoCloud providers and cloud customers
ISO/IEC 27018PII protection in public cloudsNoCloud processors handling personal data
ISO/IEC 27035Incident managementNoSecurity operations and IR teams
ISO/IEC 27701Privacy information management (PIMS)Yes (extension of 27001)Organisations needing privacy certification

How the family is structured

Each standard in the family plays a defined role. 27000 is the free vocabulary and overview document. 27001 states the ISMS requirements and is the one organisations get audited and certified against. 27002 is the implementation code of practice for the controls listed in 27001 Annex A — it explains the how, not just the what.

Sector and topic extensions — 27017 (cloud), 27018 (PII in public clouds), 27701 (privacy) — layer specialised guidance on top of 27001 and 27002. Measurement (27004), risk management (27005) and incident response (27035) round out the operational practice. Only 27001 (and 27701 as an extension to it) are certifiable; the rest are guidance that support a certified ISMS.

ISO 27001:2022 vs. the earlier 2013 edition

The current edition is ISO/IEC 27001:2022, which restructured Annex A from 114 controls across 14 categories into 93 controls in four themes: Organisational, People, Physical, and Technological. Eleven new controls were added, including ones for threat intelligence, cloud services, data leakage prevention, and configuration management. Organisations certified against the 2013 edition had a transition period (now closed) to migrate to 2022. All new certifications must be to the 2022 edition.

Practical guidance on which standards to apply

Start here:

  1. 27001 + 27002 — requirements plus implementation guidance for controls. These two are always the foundation.
  2. 27000 — the free vocabulary document. Read it before tackling 27001 to understand the terminology.

Add these when relevant:

  • 27017 + 27018 — if you operate or consume cloud services, especially where you act as a cloud service customer or provider under GDPR.
  • 27701 — if you need a certifiable privacy management layer. It extends 27001 and maps well to GDPR and other data-protection regimes.
  • 27005 — if your risk treatment process needs a more systematic methodology than 27001’s minimal prescriptions provide.
  • 27035 — if you are building or maturing an incident response capability.

Certificate wording matters: a genuine ISO 27001 certificate names the specific edition (e.g. “ISO/IEC 27001:2022”) and lists the scope of the certified ISMS. Certificates citing other 27000-family standards alone (27002, 27017, etc.) are not meaningful — those standards are guidance, not requirements, and are not audited independently.