What is ISO 27003?
The full title of this standards document is ISO 27003:2017 Information technology — Security techniques — Information security management systems — Guidance. ISO 27003:2017 gives you clear guidance for the implementation of the very technical ISO 27001:2013. You should find ISO 27003 helpful as it explains how to meet the detailed criteria in ISO 27001 successfully. You can think of ISO 27001:2013 as the what and ISO 27003:2017 as the how.
You aren’t required to read the guidance in ISO 27003 when implementing an ISO certified ISMS. If you choose not to, it might make a successful implementation process more difficult to follow. It’s therefore recommended that you do.
Although ISO/IEC 27003 is a basic guide, be aware it does not give detailed guidance on implementing all aspects of ISO 27001. The monitoring, measurement, analysis and evaluation criteria in 27001 are out of scope. ISO 27003 doesn’t give detailed guidance on the information security risk management requirements either.
What is the ISO 27k family?
ISO standards are internationally agreed documents that set out standard criteria. The International Organization for Standardization, based in Geneva, develops and publishes ISO standards. 165 national standards organisations from around the world form the ISO.
The purpose of ISO standards is to share information and knowledge. Different industries use ISO standards to adopt consistent solutions to operational challenges. ISO standards documents are numerically sequenced in ‘families’. ISO/IEC 27003:2017 comes from the ISO 27000 family.
The 27000 standards exist to underpin all your organisation’s information security management. The key document in the family is ISO 27001:2013. ISO 27001 sets out the technical criteria for the design and implementation of an ISO certified information security management system. Information security management systems are also known by the acronym ISMS.
ISO 27001 certifies that ISMS meet internationally agreed quality assurance standards. This provides clients with assurance about the business and its operation of robust systems and processes. A review of ISO standards happens every five years.
Nearly every organisation now has a digital presence. This brings many benefits but also some risks. The top risks to your business include data breaches and cyberattacks. The ISO requirements for information technology security techniques and ISMS help organisations to mitigate these risks.
The history of ISO/IEC 27003:2017
Before 2017, the standards relevant to information security management systems were in ISO 27001:2005. This ISO contained only the technical criteria for the ISMS. The accompanying implementation guidance appeared in ISO 27003:2010. The five year review process saw ISO 27001:2005 withdrawn in 2010. Its replacement was ISO 27001:2010. The accompanying updated implementation guidance appeared in ISO 27003:2017.
The ISO 27003 documents published in 2010 and 2017 did not change the ISO 27001 requirements for the implementation of ISMS. The key differences in the 2017 revision were:
- to align the document structure with the updated requirements of ISO/IEC 27001:2013
- to remove the need for a linear project approach
- to explain the ISMS requirements more easily in whatever order implementation takes place
These changes made ISO 27003 more user-friendly. Although ISO 27001:2013 gives a step-by-step ISMS implementation approach, 27003 helps you sequence the steps in the way that best fits your organisation.
ISO/IEC 27003:2010 was the guidance document before the ISO/IEC 27003:2017 revision. It explained the process of planning and implementing an ISO 27001:2005 ISMS. The ISO 27003:2010 guidance covered a sequenced approach. It provided a less flexible project approach to implementation than the 2017 revision.
Relationship with other standards
ISO 27003 works with the other ISO documents in the 27000 family of standards. 27003 also has some overlaps with standards relating to information security techniques. You might find it helpful to have a basic understanding of how 27003 links in.
ISO 27003 and ISO 27001
ISO 27001 sets out the requirements for planning an ISMS. It also gives you the criteria for implementation. 27001 also covers maintenance and quality improvement of the system.
The document’s content structure is as follows:
- organisational context
- performance evaluation
ISO 27003:2017 guides the implementation of your information security management system. You will find its content structure means the 27003 guidance adapts to any contextual sequencing of ISMS implementation. This makes ISO 27003 an invaluable guide.
ISO 27003 and ISO 27002
ISO 27002 is a standard that documents guidelines and principles to initiate, implement, maintain and improve information technology security techniques. This standard is useful when your risk assessment identifies a need for specific information technology security requirements.
The 27002 standard gives you guidance for developing security management techniques. The 27002 standard does this by setting out over one hundred potential controls and control mechanisms. The link between ISO 27003 and ISO 27002 is that any controls implemented from 27002 need to link to the requirements of ISO 27001. You will find 27003 guidance helpful for this.
The ISO 27002 standard covers different sectors too, including manufacturing and health.
ISO 27003 and ISO 22301
ISO 22301 is a standard that specifies the requirements for a robust business continuity management system. Your organisation may implement this either before, or in conjunction with, the implementation of an ISMS. Deciding whether you should prioritise business continuity over ISMS implementation depends on the threats to continuity. If your wider operating environment is stable, business continuity may not need to take immediate priority.
The structures of ISO management system standards are generally aligned. This means you can use the guidance in ISO/IEC 27003 whilst simultaneously implementing standards 27001 and 22301. This is arguably the most efficient approach. Your organisational type and context will determine which standards are the priority.
ISO 27003 is complementary to another two ISO guidance standards. ISO/IEC 27004 covers monitoring, measurement, analysis and evaluation of information technology security. ISO/IEC 27005 provides guidance on information security risk management.
What are the benefits of ISO 27003?
Since the majority of today’s organisations operate in the digital space, they also routinely collect and store data. Information security management is of vital importance to a business. For many, it will be business critical. Whether your organisation is large, medium, or small, data breaches and cyberattacks bring serious consequences. These can include service interruption, loss of client confidence and large regulatory fines.
Holding an ISO certification gives your customers confidence in the organisation. Both initial validation and ongoing compliance indicate your business is at the forefront of information security management. This gives you that competitive edge against organisations that don’t hold ISO certification.
Who can implement ISO 27003?
Any organisation that is setting up an ISMS aligned to ISO 27001:2013 can implement ISO/IEC 27003. Because of the importance of information technology security, organisations of any size or sector can benefit. The guidance is written to cover all organisational contexts, so you may find some aspects of it are better suited to large organisations. If your organisation is small to medium, you can disregard any unnecessary or inapplicable guidance. If you need help to understand what is applicable, you will find it in Clause 4 of ISO/IEC 27001:2013.
How to Get Started With ISO 27003
There are a couple of approaches to implementing an ISO 27001 compliant ISMS. Use your 27003 standards document to guide the approach that is most suitable for your organisation. Also, take into account why you want an ISO certified ISMS.
The need for an ISO certified ISMS can arise for a range of reasons. Triggers can include external drivers. These might be tender requirements or client rules about service provider certification. There are also internal drivers. One example might be your response to a formal risk assessment of the current ISMS that finds security gaps. Whatever the initial driver, there are benefits and drawbacks to top-down and bottom-up approaches to implementation.
If the driver is external, there may be a time pressure involved for you. ISO 27003 helps you here, by giving practical guidance for timely achievement of the ISO certification. You might also consider partnering with external ISMS expert services. They are there to guide you through achieving an ISO certified ISMS. They also come with thorough knowledge of ISOs 27001, 27003 and related standards.
Even after certification, you might still find ISO 27003 is useful. Because ISOs 27001 and 27003 support continuous improvements of the ISMS, you can use both for iterative improvement and continued compliance for annual ISO audits.
Demonstrating Good Practice for ISO 27003
Before implementing an ISO, it’s important to understand where the starting point is for your organisation. Start with a rigorous self-assessment process. This allows you to identify the existing system and process gaps. You can then build on what is already in place. There is no point starting an ISMS from scratch if you don’t need to. You may find that your existing ISMS can become ISO certified with some additional tweaks.
Once your assessment stage is complete, and you know what needs to be done, don’t jump straight into the implementation phase.
Next, take the time to communicate internally about the changes needed. This will create ownership and buy-in from the workforce as well as reducing any potential resistance. This communication phase supports the next steps when moving to successful implementation. These are the basic good practice steps on the journey to an ISO certified ISMS.
ISO 27003 certification
To gain ISO certification, an ISO auditor with the relevant accreditation will visit the organisation. The auditor checks that the ISMS meets the ISO criteria and identifies any gaps. This is the first stage of the audit.
Where there are gaps in processes, procedures or implementation, you will then have time to address these. The auditor will return for the second stage of the audit. On this second visit, if all criteria are now met, ISO certification is then awarded. To maintain ISO certified status, the auditor will make annual visits to your organisation to validate continued compliance.
ISO/IEC 27003:2017 requirements
To meet the requirements of 27003, you will work through the applicable ISO phased guidance. One phase is to obtain management approval for the initiation of an ISMS project. Another is the definition of the scope of the ISMS and its policy. A third phase is to carry out an organisational analysis.
There is also a risk assessment and risk treatment planning phase. The last phase is designing the ISMS. Although these requirements are set out in phases, the latest revision of 27003 does not anticipate you will implement your ISMS in any particular sequence. It is this flexibility that makes ISO 27003:2017 a great addition to the 27000 family of ISO standards.