    Comparing ISO 27000 Series of 50+ Standards, Guides, etc

    Currently, the ISO 27000 family includes fifty-seven (57) standards, guidelines, and other documents on information security.

    The total number is regularly changing, with the occasional withdrawal of some standards and the regular addition of others (several drafts of new standards have not been included here). How, then, is one to know which ones are mandatory and which are guidelines/advisories? The answer to this question has evolved from our research for ISO 27001 courses and can be found below.

    Eight Types of Standards in the ISO 27001 Series

    The first step towards understanding the ISO 27001 series of standards is to divide them by type. The eight types and their application are as follows:

    1. Requirements

    These Standards, such as ISO 27001, set out the requirements that must be fulfilled to achieve compliance with the Standard. Certification bodies gather and record evidence of such compliance as the basis for their issuing Certifications of Compliance.

    2. Information Only

    Standards here, such as ISO 27000, define the terms and definitions and explain the concepts associated with Information Security. They are advisory by their nature and do not constitute requirements.

    3. Code of Practice

    A code of practice is a document that complements a requirements standard to provide detailed practical guidance on complying with those requirements. While not itself constituting a set of requirements, the Code should be followed unless another solution with the same or better outcome is in place.

     

    4. General Guidelines

    For a given topic or situation, these provide detailed practical guidance on how to comply with requirements. Again, they do not constitute requirements but generate an expectation that they will be applied if they are applicable to the given circumstances.

    5. Sector-specific Guidelines

    For sectors with particular requirements regarding information security, e.g., telecommunications organizations, these provide detailed practical guidance on how to comply with requirements.

    They also identify additional vulnerabilities associated with the sector and identify controls to address the threats arising. They do not constitute requirements but generate an expectation that they will be applied if they are applicable to the given circumstances.

    6. Control-specific Guidelines

    These guidelines provide detailed practical guidance on how to meet the requirements for assets with particular vulnerabilities or circumstances regarding information security, such as network security and software application security. 

    Again, they do not constitute requirements but do generate an expectation that they will be applied where applicable.

    7. Technical Report

    A technical discussion document on a topic of interest and/or relevance.

    8. Technical Specification

    A set of requirements that are advisory in nature, i.e., they do not constitute formal requirements.

    Differences Among the ISO 27000 Series of Documents

    Standards other than requirements standards offer non-mandatory guidance and set out the concepts and definitions that help in building and maintaining effective information security systems.

    Such documents are used by external auditors to direct their evidence gathering and to provide a logical basis for their findings.

    In circumstances where they might have been followed but were not, auditors can challenge you to demonstrate how a corresponding level of control and security is being achieved by alternative means.

    Is Compliance with Other Standards and Guides in the ISO 27000 Series Mandatory?

    Accepting that ISO 27001 is mandatory, the answer regarding all other documents is No and Yes!
    NO: There is nothing in the standards and guides making their use obligatory, but:
    YES: External auditors are aware of these standards and guides and will use them informally to frame their interview questions. 
     
    For example, if an organization holds Personally Identifiable Information, external auditors will ask how it has addressed the typical vulnerabilities identified in ISO 27701; this is 'low-hanging fruit' for the auditor.

    So, you cannot afford to ignore the Standard. Your risk assessment (and opportunities) needs to add relevant vulnerabilities from ISO 27701 to those from the Statement of Applicability in Annex A of ISO 27001.

    Analysis by Type of the ISO 27000 Series of Standard

    We have analyzed all 57 documents based on the eight types of standards. The Table of standards, shown below, was developed using a color-coded legend.

    Legend for Information Security Standard Type (color-coded key to the eight standard types)


    Breakdown of ISO 27000 Standards with Description and Comments
     

    While the Table is 11 pages long, it can be quickly reviewed to establish a comprehensive list of all the Standards that may apply to your circumstances. Enjoy!

    What of the Future?

    As mentioned above, several new Standards in the series are in the draft stage. We will monitor progress, and as new Standards are added, we will update the Table above and advise our Subscribers interested in ISMS and ISO 27001 of these developments.

    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of…

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education, and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a 'university grade' standard used globally by schools, colleges, and universities to demonstrate competence.

    We provide Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection, and more.


     

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems