LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the structure of the ISO 27000 series, and which standard is the only one you can be certified against?

ISO 27000 = vocabulary, 27001 = ISMS Requirements (the only one with formal certification), 27002 = code of practice (control catalogue), 27003 = implementation guidance, 27004 = measurements, 27005 = risk management, 27006 = certification body requirements, 27007 = audit guidelines.

Four stacked layers of the ISO 27000 series: vocabulary (27000), certifiable requirements (27001, 27006), informative guidance, and sector extensions, with 27001 flagged as the only certifiable standard

* The 27k series in four layers — vocabulary, requirements, guidance, sector — with only ISO 27001 written in shall, hence the only one you certify against. *

The series is layered:

Layer Standards
Terminology 27000 (overview & vocabulary)
General requirements 27001 (Requirements — the certifiable one), 27006 (Certification Body Requirements)
General guidelines 27002 (CoP), 27003 (Implementation), 27004 (Measurements), 27005 (Risk Mgmt), 27007 (Audit Guidelines)
Sector-specific 27011 (Telecoms), 27017 (Cloud Services), 27018 (Cloud PII), 27799 (Health)

Only 27001 is normative ("must") — everything else is informative ("should"). When an organisation says they are "ISO 27001 certified", that's the only ISO 27k certification that exists.

Tip: The other standards aren't useless — 27002 in particular is the daily companion when you have to implement 27001 controls. Think of 27001 as "what" and 27002 as "how."

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026