ISO 27003: Information security techniques for ISMS

The ISO 27000 family of standards sets out information security best practice. Used together, these standards help organisations protect the confidentiality, integrity and availability of the information they handle. This article covers the role ISO 27003 plays in supporting an organisation's information security practices, why following it is recommended, and how it relates to other ISO standards.

What is ISO 27003?

Formally titled "ISO/IEC 27003:2017 Information technology — Security techniques — Information security management systems — Guidance", ISO 27003 explains how to implement ISO 27001 and how to meet its requirements in practice. Following ISO 27003 is not mandatory when establishing an ISO 27001 certified ISMS, but it is recommended because it makes the implementation simpler and more likely to succeed.

It is important to remember that ISO 27003 is a guidance standard, not a certifiable one: organisations are certified against ISO 27001, never against ISO 27003. It is also not exhaustive. It does not go into full detail on every aspect of ISO 27001 implementation, and information security risk management in particular is covered only briefly, because it has its own standard, ISO 27005.

What are the ISO and IEC?

The International Organization for Standardization (ISO) is a non-governmental international body whose members are the national standards bodies of its 167 member countries. The International Electrotechnical Commission (IEC) specialises in standards for electrical, electronic and related technologies ("electrotechnology") that fall outside the ISO's scope.

The two bodies develop ICT standards jointly through a joint technical committee, which is why the 27000 family is formally designated ISO/IEC (ISO/IEC 27001, ISO/IEC 27003 and so on). The next section looks at why ISO 27003 in particular is important.

Why is ISO 27003 important?

Most organisations now operate digitally and regularly collect and store personal data, which makes proper information security management essential. Regardless of size or sector, a data breach can have serious consequences, including heavy fines, loss of stakeholder trust and interruptions to operations. An ISO 27001 compliant information security management system (ISMS) reduces these risks and can also give your organisation an edge over competitors that lack ISO certification.

This is where ISO 27003 comes into play: it guides the implementation of an ISO 27001 compliant ISMS, which is the groundwork for the ISO 27001 certification process.

ISO 27001 compliance can be difficult for small businesses or organisations attempting certification for the first time, so following the guidance in ISO 27003 is highly recommended.

What is the relationship between ISO 27003 and ISO 27001?

ISO 27001 sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS; ISO 27003 provides guidance on how to meet those requirements.

ISO 27003 follows the same clause structure as ISO 27001. Clauses 4 through 10 cover the following aspects of ISMS implementation:

  • Organisational context (clause 4)
  • Leadership (clause 5)
  • Planning (clause 6)
  • Support (clause 7)
  • Operation (clause 8)
  • Performance evaluation (clause 9)
  • Improvement (clause 10)

Each clause corresponds to the ISO 27001 clause with the same number and, for each sub clause, sets out the following:

  • Required activity
  • Explanation
  • Guidance
  • Other information

Clause 4, for example, deals with the context of the organisation: identifying the internal and external issues that affect the ISMS, the interested parties and their requirements, and from these the scope of the ISMS, so that the ISMS is built around the organisation's actual needs.

The two standards should be used in conjunction with each other. 

 

What are the benefits of ISO 27003?

ISO 27003 covers how an organisation should implement its ISMS based on ISO 27001. After comparing your existing controls and processes against the standard's requirements, you may find that your ISMS needs only a few adjustments to become compliant. ISO 27003 also supports the maintenance and continual improvement of the ISMS and helps you prepare for the internal and certification audits that ISO 27001 requires.

More specifically, ISO 27003 helps organisations secure management commitment to the ISMS project (leadership), define the scope of the ISMS and of the implementation (context), and plan the project (planning).

Defining the scope early also tells you which parts of the guidance apply to you.

Who should use ISO 27003?

Any organisation seeking to implement an ISO 27001 aligned ISMS can benefit from following ISO 27003. 

Some of the guidance is more relevant to larger organisations, but the standard is useful for organisations of any size or sector that want to take information security seriously. You can adopt the guidance that fits your circumstances and disregard what does not apply.

How does ISO 27003 relate to other ISO standards?

The ISO 27000 family of standards lays the foundation for an organisation's information security framework. Besides ISO 27001, ISO 27003 is designed to be read alongside other standards in the family:

  • ISO 27002 - Provides a catalogue of information security controls, with implementation guidance for each; the 2013 edition listed 114 controls, consolidated to 93 in the 2022 edition. These are the controls referenced in Annex A of ISO 27001.
  • ISO 27004 - Guides the monitoring, measurement, analysis and evaluation of the ISMS and its controls, supporting clause 9 (performance evaluation).
  • ISO 27005 - Provides guidelines for information security risk management, filling in the detail that ISO 27003 deliberately leaves out.
  • ISO 22301 - Specifies the requirements for a business continuity management system (BCMS). Like ISO 27001, and unlike the guidance standards above, it is a certifiable requirements standard.

Conclusion

ISO 27003 is not certifiable, but it supports the ISO 27001 certification process. While not mandatory, following it is highly recommended, as it clarifies how to meet the requirements of ISO 27001 and how to maintain and improve the ISMS afterwards.

Closing the gap between your current practices and the standard's requirements reduces the chance that something is overlooked and leads to a data breach or service interruption.

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts