

Important international standards at a glance
Standards are the concentrated expertise of people who have deep knowledge in their industry and understand the requirements of the organizations they represent: manufacturers, suppliers, clients, users, professional associations, and authorities. Based on this shared wealth of experience, norms and requirements are created that help to work more systematically and successfully.
Discover some of the best-known and most widely used standards, as well as those that address current challenges and changes that affect us all.
ISO/IEC 27000:2018 – Information Security Management Systems – Overview and Vocabulary
What is ISO/IEC 27000:2018?
ISO/IEC 27000:2018 is the introductory and foundational standard of the ISO/IEC 27000 family, which focuses on information security.
Its purpose is to establish a common understanding of information security management systems (ISMS) and to ensure that all stakeholders — regardless of their professional background — use and understand the same terminology.
The standard defines fundamental concepts such as:
• Information security (confidentiality, integrity, availability)
• ISMS (Information Security Management System)
• Risk management (threats, vulnerabilities, risk assessment)
• Controls (measures for risk reduction)
• Incident management (incidents, response, recovery)
ISO/IEC 27000:2018 is not a certification standard — it serves exclusively as a reference and guidance document.
It provides the conceptual foundation for all other standards in the ISO/IEC 27000 family, in particular:
• ISO/IEC 27001 (requirements for ISMS – certifiable)
• ISO/IEC 27002 (information security controls)
• ISO/IEC 27005 (risk management)
Without a common understanding of these terms, misunderstandings, misinterpretations and inefficient processes may arise. ISO/IEC 27000:2018 addresses this by providing clear, internationally recognized terminology.
Why is ISO/IEC 27000:2018 important?
In an era where cyber threats, data leaks and information security incidents occur on a daily basis, a common language is essential.
Different interpretations between organizations, consultants, auditors and international partners can lead to security risks and inefficiencies.
ISO/IEC 27000:2018 provides clarity by defining:
• For IT professionals: clear definitions of technical concepts (e.g. authentication, access control, vulnerabilities)
• For management and executives: understandable explanations of governance, risk and compliance requirements
• For auditors and consultants: consistent terminology for certifications and assessments
• For data protection officers: clear differentiation between data protection and information security
The standard helps organizations avoid ambiguity and misunderstandings by ensuring that everyone involved speaks the same professional language — even before an ISMS is implemented.
Benefits for Your Business
Common professional language
When employees, consultants, auditors and partners use the same terminology, misunderstandings are reduced and decision-making becomes more efficient.
Better understanding of information security
Many organizations perceive information security as “technical”. ISO/IEC 27000 explains core concepts in a clear and structured way.
Foundation for certification
If you plan ISO/IEC 27001 certification, a solid understanding of ISO/IEC 27000 terminology is indispensable.
Efficient communication with auditors and authorities
During audits and compliance reviews, standardized ISO terminology is used. This saves time and avoids confusion.
Avoidance of misinterpretations
Terms such as “risk”, “incident” or “control” are often used differently in everyday language. ISO/IEC 27000 clearly defines their precise meaning.
Training and awareness
The standard is ideal as training material for employees or management teams who are new to information security.
Summary of Key Benefits
• Unified terminology for information security
• Foundation for understanding the entire ISO/IEC 27000 family
• Improved communication with auditors and partners
• Reduced misunderstandings and misinterpretations
• Efficient preparation for certification
• Training material for employees and management
Who is ISO/IEC 27000:2018 relevant for?
ISO/IEC 27000:2018 is relevant for any organization dealing with information security, including:
• IT departments and security teams (technical implementation of security frameworks)
• Executive management (strategic decision-making on information security)
• Data protection officers (distinction between data protection and information security)
• Auditors and consultants (certifications, assessments, compliance)
• Risk managers (identification and handling of information security risks)
• Online academies and e-learning platforms (protection of learner data and training information)
• Coaches, consultants and service providers (handling confidential customer information)
• Freelancers and creatives (protection of intellectual property and project data)
• Small and medium-sized enterprises (entry into structured information security)
What does ISO/IEC 27000:2018 specifically cover?
The standard is divided into two main parts:
Part 1: Overview of ISMS and the ISO/IEC 27000 Family
• What is an ISMS and why is it important?
• Which principles underlie an ISMS (confidentiality, integrity, availability)?
• How does the PDCA cycle (Plan-Do-Check-Act) work in the context of information security?
• Which standards belong to the ISO/IEC 27000 family and how do they interact?
Part 2: Terms and Definitions (Glossary)
The standard defines internationally recognized terms, including:
• Information security
• Risk
• Threat
• Vulnerability
• Control
• Incident
• Authentication
• Access control
• Risk assessment
• Risk management
• Compliance
All definitions are precise, internationally harmonized and designed to avoid interpretation differences.
📌 Learn more: Visit the ISO website or contact an EAS™-certified auditor for comprehensive advice tailored to your specific situation.
How does EAS™ support you with ISO/IEC 27000:2018?
The European Attestation Standard™ (EAS™) aligns with the basic principles of ISO/IEC 27000 and ensures that online services and digital education offerings are evaluated according to internationally recognized information security standards — without requiring ISO certification.
By applying EAS™ criteria, you can:
• Build a common security language within your organization
• Systematically identify and assess information security risks
• Implement recognized security standards
• Communicate professionally with auditors, partners and customers
• Build trust with learners and clients
• Prepare for future ISO/IEC 27001 certification
Overview of the ISO/IEC 27000 Family
ISO/IEC 27000:2018 serves as the entry point to the entire standards family:
• First, read ISO/IEC 27000 – to understand terminology and concepts
• Implement ISO/IEC 27001 – to establish a certifiable ISMS
• Use ISO/IEC 27002 – to select and implement security controls
• Apply ISO/IEC 27005 – to systematically manage risks
Without an understanding of ISO/IEC 27000, the other standards may appear complex or unclear.
For this reason, it is the ideal starting point for organizations beginning their information security journey.
Relationship to Other Standards in the ISO/IEC 27000 Family
ISO/IEC 27000 forms the conceptual foundation of the entire 27000 family.
All other standards build upon it.
Key related standards include:
• ISO/IEC 27001 – Information security management systems (requirements)
• ISO/IEC 27002 – Information security controls
• ISO/IEC 27005 – Information security risk management
• ISO/IEC 27701 – Privacy information management
• ISO/IEC 27017 – Cloud security
• ISO/IEC 27018 – Protection of personal data in the cloud
Contact address: Moosbach, Germany, 92709
© 2026 European Attestation Standard (EAS). All rights reserved.
FOR OUR INTERNATIONAL PARTNERS:
Our website is available in German, Ukrainian, English, and Italian. To support our cooperation, we provide official EAS documents and attestation materials upon request, not only in these languages but also in any other required language by agreement.
