What's the structure of the ISO 27000 series, and which standard is the only one you can be certified against?
ISO 27000 = vocabulary, 27001 = ISMS Requirements (the only one with formal certification), 27002 = code of practice (control catalogue), 27003 = implementation guidance, 27004 = measurements, 27005 = risk management, 27006 = certification body requirements, 27007 = audit guidelines.
* The 27k series in four layers — vocabulary, requirements, guidance, sector — with only ISO 27001 written in shall, hence the only one you certify against. *
The series is layered:
| Layer | Standards |
|---|---|
| Terminology | 27000 (overview & vocabulary) |
| General requirements | 27001 (Requirements — the certifiable one), 27006 (Certification Body Requirements) |
| General guidelines | 27002 (CoP), 27003 (Implementation), 27004 (Measurements), 27005 (Risk Mgmt), 27007 (Audit Guidelines) |
| Sector-specific | 27011 (Telecoms), 27017 (Cloud Services), 27018 (Cloud PII), 27799 (Health) |
Only 27001 is normative ("must") — everything else is informative ("should"). When an organisation says they are "ISO 27001 certified", that's the only ISO 27k certification that exists.
Tip: The other standards aren't useless — 27002 in particular is the daily companion when you have to implement 27001 controls. Think of 27001 as "what" and 27002 as "how."
Go deeper:
ISO/IEC 27000-series — full standard-by-standard list — walks the whole family and marks which layer each number sits in.
ISO/IEC JTC 1/SC 27 (the committee that writes them) — who authors and maintains the series, and its wider scope beyond ISMS.