News & Commentary on ISO Management System Standards

    Comparing the 57 ISO 27000 Series of Standards, Guides etc

    Information Security-1


    Currently, there are fifty-seven (57) standards, guidelines and other documents in the ISO 27000 Family on information security

    The total number is regularly changing with the occasional withdrawal of some standards and the regular addition of others (several drafts of new standards have not been included here). How then is one to know which ones are mandatory and which are guidelines/advisory?  The answer to this question has evolved from our research for ISO 27001 courses and can be found below.

    8 types of Standards in the ISO 27001 Series

    The first step towards understanding the ISO 27001 series of standards is to divide them by type.  The 8 types and their application are as follows:

    1. Requirements

    These Standards, such as ISO  27001, set out the requirements that must be fulfilled in order to achieve compliance with the Standard.  Evidence of such compliance is gathered and recorded by Certification Bodies as the basis of their issuing Certifications of Compliance.

    2. Information Only

    Standards here, such as ISO 27000, define the terms and definitions and explain the concepts associated with Information Security. They are advisory by their nature and do not constitute requirements.

    3. Code of Practice

    A code of practice is a document that complements a requirements standard so as to provide detailed practical guidance on how to comply with those requirements.  While not itself constituting a set of requirements, the Code should be followed unless another solution with the same or better outcome is in place.


    Choose from eight ISO 27001 Courses


    4. General Guidelines

    For a given topic or situation these provide detailed practical guidance on how to comply with requirements.  Again, they do not constitute requirements but do generate an expectation that, if they are applicable to the given circumstances, they will be applied.

    5. Sector-specific Guidelines

    For sectors with particular requirements regarding information security, e.g. telecommunications organizations, these provide detailed practical guidance on how to comply with requirements.

    They also identify additional vulnerabilities associated with the sector and identify controls to address the threats arising.  They do not constitute requirements but do generate an expectation that, if they are applicable to the given circumstances, they will be applied.

    6. Control-specific GuidelinesCTA ISO 27001 Infographic

    For assets with particular vulnerabilities or circumstances regarding information security, e.g. network security and software application security, these guidelines provide detailed practical guidance on how to meet the requirements. 

    Again, they do not constitute requirements but do generate an expectation that, where applicable, they will be applied.

    7. Technical Report

    A technical discussion document on a topic of interest and/or relevance.

    8. Technical Specification

    A set of requirements that are advisory in nature, i.e. they do not constitute formal requirements.

    Differences Among the ISO 27000 Series of Documents

    Standards other than requirements standards offer non-mandatory guidance and establish concepts and definitions that help in establishing and maintaining effective information security systems. 

    Such documents are used by external auditors to direct their evidence gathering and to provide a logical basis for their findings.

    In circumstances where they might have been followed but were not, you can expect auditors to challenge you to demonstrate how by alternative means a corresponding level of control and security is being achieved.

    Is Compliance with Other Standards and Guides in the ISO 27000 Series Mandatory?

    Accepting that ISO 27001 is mandatory, the answer regarding all other documents is No and Yes!
    NO: There is nothing in the standards and guides making their use obligatory, but:
    YES: External auditors are aware of these standards and guides, and they will be informally using them to frame their interview questions. 
    For example, if an organization has Personally Identifiable Information, the external auditors will ask how the organization has addressed the typical vulnerabilities identified in ISO 27701 - this is 'low-hanging fruit' for the auditor. 
    So, you cannot afford to ignore the standard, and your risk assessment (and opportunities) needs to add relevant vulnerabilities from ISO 27701 to those from the Statement of Applicability in Annex A of ISO 27001.

    Analysis by Type of the ISO 27000 Series of Standard

    Based on the eight types of standards, we have analyzed all 56 documents.  A color-coded legend, shown below, was used in developing the Table of Standards.

    Legend for Information Security Standard Type

     Legend showing the different ISO 27000 standard type

    Breakdown of ISO 27000 Standards with Description and Comments

    While the table is 11 pages long, it can be quickly reviewed to establish a comprehensive list of all the Standards that may apply to your circumstances.  Enjoy!

     ISO 27000 Table of Standards with description and comments

    This is a Sample Page: Click the button to download a complete copy of the 11-page Table.

    Click for the Complete Table of ISO 27000 Standards


    What of the Future?

    As mentioned above, several new Standards in the series are at the draft stage.  We will monitor progress and, as new Standards are added, we will update the table above and advise our Subscribers interested in ISMS and ISO 27001 of these developments.

    Note; Originally published in Dec 2019; revised and updated in July 2023.


    Related Articles

    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:

    Subscribe to Email Updates

    Recent Posts