Standard

BS ISO/IEC 27003:2017 - TC

Information technology. Security techniques. Information security management systems. Guidance

Current, Under Review

Published:

What is ISO/IEC 27003 about?

ISO/IEC 27003 discusses information security management systems (ISMS). An ISMS helps organizations protect their information against threats. The standard gives guidance on an ISMS that supports analysing risks and opportunities and adapting the ISMS to external and internal issues. ISO/IEC 27003 provides explanation of, and guidance on, ISO/IEC 27001:2013.

Note: It is not the intention of ISO/IEC 27003 to provide general guidance on all aspects of information security. 

Note: ISO/IEC 27003 does not add any new requirements for an ISMS and its related terms and definitions. 

Who is ISO/IEC 27003 for? 

ISO/IEC 27003 on information security management systems is useful for:

  • All organizations 

Why should you use ISO/IEC 27003?

As an integral function of the information security management system (ISMS), the organization continually analyses itself and the world surrounding it. The analysis is concerned with external and internal issues that in some way affect information security and how information security can be managed, and that are relevant to the organization’s objectives. 

ISO/IEC 27003 provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’), and permissions (‘may’) in relation to them.  

ISO/IEC 27003 provides guidance on the following phases of an ISMS:

  • Understanding the organization’s needs and the necessity for establishing information security
  • Policy and information security objectives 
  • Assessing the organization's risks related to information security 
  • Implementing and operating information security processes, controls, and other measures to treat risks 
  • Monitoring and reviewing the performance and effectiveness of the ISMS 
  • Practicing continual improvement 

What’s changed since the last update?  

BS ISO/IEC 27003:2017 cancels and replaces BS ISO/IEC 27003:2010

The main changes are as follows: 

  • The scope and title have been changed to cover an explanation of, and guidance on the requirements of, ISO/IEC 27001:2013 rather than the previous edition (ISO/IEC 27001:2005)
  • The structure is now aligned to the structure of ISO/IEC 27001:2013 to make it easier for the user to use it together with ISO/IEC 27001:2013 
  • BS ISO/IEC 27003:2010 had a project approach with a sequence of activities. BS ISO/IEC 27003:2017 instead provides guidance on the requirements regardless of the order in which they are implemented 

Product Details

Descriptors:

  • Documents
  • Information exchange
  • Measurement
  • Organizations
  • Risk analysis
  • Risk assessment
  • Planning
  • Project management
  • Policy
  • Management
  • Computers
  • Data storage protection
  • Data security
  • Data processing

ICS Codes:

  • 03.100.70 Management systems
  • 35.030 IT Security

Committee: IST/33/1

International relationships: Identical to ISO/IEC 27003:2017

ISBN: 978 0 539 08359 0

Publisher: BSI