Beyond ISO 27001, what other ISO management-system standards exist, and what do they cover?
9000 = Quality, 14001 = Environment, 20000 = IT-Service, 27001 = Information security, 31000 = Risk, and 27005 = IS-specific risk (a hybrid).
| ISO Norm | Management system for… |
|---|---|
| 9000 | Qualität (Quality) |
| 14001 | Umwelt (Environment) |
| 20000 | IT-Service |
| 27001 | Informationssicherheit (IS) |
| 31000 | Risiko (general risk) |
| 27005 | IS-specific risk (lives under 27k umbrella but uses 31000-style framework) |
There are endless management systems with overlapping topics. The "ISMS world" specifically includes BSI 200-1, ISIS12, and VDS 10000 — but they're not the only show in town.
Why this matters: A mature enterprise often runs several management systems in parallel (e.g., 9001 + 14001 + 27001), and the overhead of running them as silos is huge. ISO published the Annex SL / High-Level Structure so all modern MS standards share clauses 4–10, letting you merge them into a single integrated management system.
Tip: ISO 27005 is the special one — it's not a full management system standard, it's a risk management methodology tuned specifically to information security. Think of it as "ISO 31000 dialect for the ISMS world."
Go deeper:
ISO/IEC 27001 and the 27000 family (Wikipedia) — how 27001 sits among the sibling management-system standards.
Standardization: bodies, types and Annex SL (Wikipedia) — background on the High-Level Structure that lets 9001/14001/27001 share clauses 4-10.