A forest of ISO standards and related documents

These ISO standards and related documents all orbit around information security, management systems, auditing, and related governance, but each has a different purpose. Below they are broken down into logical groups, with their differences and relationships explained.

The catch: ISO standards are not freely available in full. They are copyrighted, so you usually have to purchase them (ISO/IEC 27000 is the notable exception: ISO publishes it free of charge on its Publicly Available Standards page). So only get what you need.

Foundations and vocabulary

These standards define the terms, concepts, and structure used across the ISO/IEC 27000 series:

  • ISO/IEC 27000:2018 – Overview and vocabulary Provides definitions and context for all ISO/IEC 27000-series standards. Think of it as the “dictionary and map” of the ISMS world.

  • ISO/IEC TS 27100:2020 – Cybersecurity overview and concepts Gives a broader overview of cybersecurity concepts, not just ISMS, so it frames how ISO/IEC 27001 fits into the wider cybersecurity landscape.

  • ISO/IEC Directives, Part 2:2018 – Rules for drafting ISO/IEC documents Guides how ISO documents are structured and written; more relevant if you are developing or interpreting ISO standards.

All other ISO/IEC 27000-series standards rely on the definitions and framework established in these. They are the “reference manual” for terminology and concepts.

Core ISMS requirements

These define what an organisation must do to implement a compliant ISMS:

  • ISO/IEC 27001:2022 – Requirements for ISMS The main certification standard. Specifies what an organisation must implement to meet ISO 27001 requirements (policies, risk management, controls, monitoring, improvement).

  • ISO/IEC 27001:2022/Amd1:2024 – Amendment 1: Climate action changes A short amendment that adds one requirement to clause 4.1 (the organisation shall determine whether climate change is a relevant issue) and a note to clause 4.2 (interested parties can have climate-related requirements). It adds no new controls; it only widens the context analysis an ISMS must cover.

ISO/IEC 27001 is the “law of the land” for certification; the amendment tweaks the law for climate considerations. Everything else either supports it or guides its implementation.

Controls and implementation guidance

Standards describing how to implement, select, and manage controls:

  • ISO/IEC 27002:2022 – Information security controls Provides best-practice guidance on the individual controls referenced in ISO/IEC 27001 Annex A, grouped into four themes: organisational, people, physical, and technological.

  • ISO/IEC 27003:2017 – Guidance on ISMS implementation Explains how to plan and implement an ISMS to meet ISO 27001 requirements.

  • ISO/IEC 27005:2022 – Information security risk management guidance Details risk assessment and treatment processes for ISMS.

  • ISO/IEC TS 27008:2019 – Guidelines for assessing controls Helps auditors or internal teams evaluate whether controls are adequate.

  • ISO/IEC 27701:2019 – Privacy extension to 27001/27002 Adds controls and guidance for handling personally identifiable information (PII), essentially turning an ISMS into a privacy information management system (PIMS).

  • ISO/IEC 27032:2023 – Cybersecurity guidelines for internet Focuses on cyber threats and safe internet practices, complementing 27001/27002.

These are the “toolkits and manuals” for building, implementing, and maintaining the ISMS. ISO 27002 lists the tools; 27003 and 27005 explain how to apply them; 27008 explains how to check them; 27701 extends them for privacy; 27032 extends them for internet-facing exposure.

Audit, certification, and conformity standards

These focus on auditing and certifying an ISMS, including requirements for audit bodies:

  • ISO/IEC 27006-1:2024 – Requirements for certification bodies of ISMS Builds on ISO/IEC 17021-1 with ISMS-specific requirements that a certification body must meet to certify against ISO 27001 (for example auditor competence and audit time).

  • ISO/IEC 27007:2020 – Guidelines for ISMS auditing Guidance for auditing an ISMS, mainly for auditors.

  • ISO/IEC TS 27008:2019 – Guidelines for assessing controls (already listed under controls guidance above; it belongs in both groups because auditors use it to judge whether implemented controls are effective)

  • ISO/IEC 17021-1:2015 – Audit and certification body requirements for management systems General framework for all management system certification bodies (not ISMS-specific).

  • ISO/IEC 17024:2012 – Certification of persons How to certify personnel (auditors, professionals).

  • ISO/IEC 17065:2012 – Certification of products, processes, services General rules for product/service certification (not ISMS-specific).

  • ISO 19011:2018 – Guidelines for auditing management systems Practical auditing guidance for auditors (risk-based approach, planning, evidence collection).

These define who can audit, how to audit, and how certification bodies operate, both for ISO 27001 specifically and for management systems in general.

Supporting frameworks

These are complementary ISO standards and related documents that often inform or integrate with ISO 27001:

  • ISO 9000:2015 – Quality management vocabulary and fundamentals Introduces management system principles. Useful when integrating quality and ISMS.

  • ISO 31000:2018 – Risk management guidelines Provides general risk management concepts that feed into 27005 and 27001.

  • ISO 55000:2014 – Asset management overview Defines principles for managing organisational assets (physical or information).

  • NIST SP 500-291:2013 – Cloud computing standards roadmap A US NIST publication, not an ISO standard. It surveys existing cloud computing standards and identifies gaps rather than defining requirements, so it can complement ISO 27001 when scoping an ISMS for cloud deployments.

These provide conceptual and operational context for risk, asset, and quality management — all relevant for an integrated ISMS.

Summary of relationships

  1. Foundations/vocabulary → ISO 27000, TS 27100

  2. Core ISMS requirements → ISO 27001 (+ Amd 1:2024)

  3. Implementation guidance & controls → ISO 27002, 27003, 27005, 27008, 27701, 27032

  4. Audit and certification → ISO 27006-1, 27007, 19011, 17021, 17024, 17065

  5. Supporting frameworks → ISO 9000, 31000, 55000, NIST SP 500-291