ISMS Guidance in ISO 27003:2017

ISO 27003:2017, Information technology – Security techniques – Information security management systems – Guidance, has been published. It replaces ISO 27003:2010.

The main changes in the second edition of ISO 27003 are:

1. The scope and title have been changed to cover the explanation of, and guidance on, the requirements of ISO 27001:2013 instead of those in ISO 27001:2005;

2. The structure is now aligned to the structure of ISO 27001:2013 to make it easier for ISO 27003:2017 to be used together with ISO 27001:2013;

3. The previous edition had a project approach with a sequence of activities. This edition instead provides guidance on the requirements regardless of the order in which they are implemented.

ISO 27003:2017 provides guidance on the requirements for an information security management system (ISMS) as specified in ISO 27001:2013 and provides recommendations (should), possibilities (can), and permissions (may) related to the requirements.

Clauses 4 through 10 of ISO 27003:2017 mirror the structure of ISO 27001:2013 and do not add any new requirements for an ISMS and its related terms and definitions. You should refer to ISO 27001:2013 for requirements and ISO 27000:2016 for definitions.

ISO 27003:2017 is generic and intended to be applicable to all organizations, regardless of type, size, or nature. You should identify which part of its guidance applies in accordance with your specific organizational context (see ISO 27001:2013, clause 4).

For example, some guidance can be more suited to large organizations, but for very small organizations (e.g. those with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.

The descriptions of Clauses 4 through 10 are structured as follows:

Required activity: presents key activities required in the corresponding sub-clause of ISO 27001:2013;

Explanation: explains what the requirements of ISO 27001:2013 imply;

Guidance: provides more detailed or supportive information to implement the “required activity”, including examples for implementation; and

Other information: provides further information that can be considered.

Ordering Information:

ISO 27003:2017 can be ordered from ISO at this web page for about $158. It can also be ordered from ANSI at this web page for $185 (or $148 for members).