The ISO/IEC 27000 family has dozens of members — how is this large series organised, and how do you find your way around it?
Think of it as concentric rings around 27001: a vocabulary core, the certifiable requirements, the "how-to" guidance standards, then ever-more-specific sector and topic extensions out to the 27700s.
* Navigate by ring, not by memorising titles: core/vocabulary to certifiable requirements to generic guidance to topic extensions to sector extensions. *
The 27000-series is deliberately modular — instead of one giant document, ISO/IEC split the subject into many small standards so an organisation only reads the ones it needs. The trick to navigating it is to recognise the layer a number lives in rather than memorising every title:
| Layer | Purpose | Examples |
|---|---|---|
| Core / vocabulary | Defines terms used by the whole family | 27000 (overview & glossary) |
| Certifiable requirements | The "shall" standards | 27001 (ISMS), 27006 (certification bodies) |
| Generic guidance | The "should" how-to companions | 27002 (controls), 27003 (implementation), 27004 (metrics), 27005 (risk), 27007 (auditing) |
| Topic extensions | One security topic in depth | 27031 (ICT continuity), 27033 (network), 27034 (application), 27035 (incidents), 27037 (digital evidence) |
| Sector extensions | One industry / context | 27011 (telecoms), 27017 (cloud), 27018 (cloud PII), 27019 (energy), 27701 (privacy/PIMS), 27799 (health) |
So a number like 27017 isn't random: the "270xx" tells you it's ISMS-family, and its place in the cloud-extension band tells you it adapts the generic controls for a specific context.
Tip: Don't try to learn all of them. Learn the shape — 27000 = words, 27001 = the certificate, 27002 = the controls, 2700x = guidance, and the higher numbers (2701x, 2703x, 277xx) = "for a particular industry or topic." Then you can place any new 27k number you meet without having seen it before.
Go deeper:
ISO/IEC 27000-series overview (~97 members) — the canonical index; skim it to see how numbers cluster by purpose.
ISO/IEC 27001 — the core the rest orbit — start here, then read outward into the guidance and sector rings.