ISO/IEC JTC 1/SC 27, information security, cybersecurity and privacy protection, is responsible for helping to mitigate against the growing problems of cyber risks and attacks, online fraud, information and identity theft, and the breach to personally identifiable information. It provides organizations with solutions to protect their sensitive and critical information, as well as personal data, regardless of business sector and organizational structure.

SC 27 has developed many well-known standards such as ISO/IEC 27001 (ISMS requirements) ranked 3rd in the ISO survey of management system standards, ISO/IEC 27002 (information security controls) and ISO/IEC 15408 (security evaluation criteria for IT security). More recently the emergence of ISO/IEC 27701 (an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management) is a much needed addition to the SC 27 portfolio. Also included in the ISO/IEC 27001 family are standards on cloud security and privacy (ISO/IEC 27017 and 27018), energy utility security (ISO/IEC 27019), network security (ISO/IEC 27033 series), application security (ISO/IEC 27034 series) and information security incident management (ISO/IEC 27035).

More and more organizational budgets are being directly linked to information security. The ISO/IEC 27001:2013 requirements enables organizations to understand how to enhance the quality of information protection related to their internal needs and in regard to external customers needs. Many programmes that are designed to tackle the cyber-war issue reference ISO/IEC 27001, its supporting code of practice ISO/IEC 27002:2013 and other standards in the growing family of ISO/IEC 27000 standards.


Information security standards provide many benefits to an organization including the following :

  • Better and more effective management of the risks a business faces
  • Greater performance efficiencies in the protection of the information
  • Higher quality of security being delivered
  • Higher return on security investment
  • Greater assurance, trust and confidence to customers and consumers in the delivery of information security and privacy protection built into the services and products that a company provides
  • Common language for information security to facilitate better business relationships : business-to-business, business-to-consumer, outsourcing, supply chains and other business relationship models


All types of organizations benefit from information security standards, from the smallest to the largest: commercial companies, public sector organizations, government departments and agencies, and research and academic/teaching institutions.