International Standards and Conformity Assessment for all electrical, electronic and related technologies

News release – 2010 Number 3

ISO and IEC help beef up information security management systems with implementation guidance

Toolbox of information security standards


Geneva, Switzerland, 2010-03-16 – ISO and IEC have added to their toolbox of information security standards, with guidance for the successful design and implementation of ISO/IEC 27001.

ISO/IEC 27003, Information technology – Security techniques – Information security management system implementation guidance, gives advice that will be useful for all types of security-conscious organizations, regardless of their size, complexity and risks.


Today, information security is constantly in the news with identity theft, breaches in corporate financial records and threats of cyber terrorism. An information security management system (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.


The successful design and implementation of an ISMS (ISO/IEC 27001) will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because they have in place state-of-the-art processes to deal with information security threats and issues.


Prof. Edward Humphreys, Convenor of the working group that developed the new standard, comments: "By using ISO/IEC 27003, the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization."


ISO/IEC 27003 covers the process of ISMS specification and design, from inception to the production of implementation plans. It provides guidance on how to obtain management approval, and gives the concepts on how to design and plan the ISMS project to ensure its successful implementation.


ISO/IEC 27003 is intended to be used in conjunction with ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, and ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management. It is not intended to modify and/or reduce the requirements specified in either.


ISO/IEC 27003, Information technology – Security techniques – Information security management system implementation guidance was developed by ISO/IEC JTC 1: Information technology, SC 27: IT Security techniques. It can be purchased from the IEC Webstore.