prEN ISO/IEC 27000

SLOVENSKI STANDARD
01-september-2025
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Sistemi
vodenja informacijske varnosti - Pregled (ISO/DIS 27000:2025)
Information security, cybersecurity and privacy protection - Information security
management systems - Overview (ISO/DIS 27000:2025)
Informationstechnik - Sicherheitsverfahren -
Informationssicherheitsmanagementsysteme - Überblick und Terminologie (ISO/IEC DIS
27000:2025)
Sécurité de l'information, cybersécurité et protection de la vie privée - Systèmes de
management de la sécurité de l'information - Vue d'ensemble (ISO/DIS 27000:2025)
Ta slovenski standard je istoveten z: prEN ISO/IEC 27000
ICS:
01.040.35 Informacijska tehnologija. Information technology
(Slovarji) (Vocabularies)
03.100.70 Sistemi vodenja Management systems
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

DRAFT
International
Standard
ISO/IEC DIS 27000
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Information security management
2025-07-15
systems — Overview
Voting terminates on:
ICS: 35.030; 01.040.35
2025-10-07
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
© ISO/IEC 2025
ISO/IEC DIS 27000:2025(en)
DRAFT
ISO/IEC DIS 27000:2025(en)
International
Standard
ISO/IEC DIS 27000
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Information security management
systems — Overview
Voting terminates on:
ICS: 35.030; 01.040.35
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO/IEC 2025
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
© ISO/IEC 2025
ISO/IEC DIS 27000:2025(en)
© ISO/IEC 2025 – All rights reserved
ii
ISO/IEC DIS 27000:2025(en)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Concepts and principles . 2
4.1 Concepts .2
4.1.1 The need for information security .2
4.1.2 Information .3
4.1.3 Information security . .3
4.1.4 Risks are constantly changing .3
4.1.5 Risk treatment plan .4
4.1.6 Purpose of an information security management system (ISMS) .4
4.1.7 Importance of an ISMS .4
4.1.8 Process approach .5
4.1.9 Scope .5
4.2 Principles .5
4.2.1 Establishing, implementing, maintaining and improving an ISMS .5
4.2.2 Successful ISMS implementation .5
4.2.3 Determining information security requirements .6
4.2.4 Integration into business processes .6
5 Documents related to ISMS including ISO/IEC 27001 . 6
5.1 General .6
5.2 ISO/IEC 27001 (Specification of an ISMS) .6
5.3 Candidate necessary information security controls .6
5.3.1 ISO/IEC 27002 (Information security controls) .6
5.3.2 ISO/IEC 27010 (Inter-sector and inter-organizational communications) .7
5.3.3 ISO/IEC 27011 (Telecommunications organizations) .7
5.3.4 ISO/IEC 27017 (Cloud services).7
5.3.5 ISO/IEC 27019 (Energy utility industry) .7
5.4 Fulfilment of ISMS requirements .7
5.4.1 ISO/IEC 27003 (ISMS guidance) .7
5.4.2 ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation) .7
5.4.3 ISO/IEC 27005 (Guidance on managing information security risks) .7
5.4.4 ISO/IEC 27007 (ISMS auditing) .7
5.5 Use of ISMS .7
5.5.1 ISO/IEC 27013 (Integrated implementation with ISO/IEC 20000-1) .7
5.5.2 ISO/IEC 27014 (Governance of information security) .8
5.5.3 ISO/IEC TR 27016 (Organizational economics) .8
5.5.4 ISO/IEC TR 27029 (ISO/IEC 27002 and ISO and IEC standards) .8
5.6 Control assessment, attributes, processes and competence .8
5.6.1 ISO/IEC TS 27008 (Assessment of information security controls) .8
5.6.2 ISO/IEC 27021 (Competence requirements for ISMS professionals) .8
5.6.3 ISO/IEC TS 27022 (ISMS processes) .8
5.6.4 ISO/IEC 27028 (ISO/IEC 27002 attributes) .8
5.7 Conformity assessment .8
5.7.1 ISO/IEC 27006-1 (Requirements for bodies providing audit and certification) .8
5.8 Relationships between the standards .8
Bibliography .10

© ISO/IEC 2025 – All rights reserved
iii
ISO/IEC DIS 27000:2025(en)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection.
This sixth edition cancels and replaces the fifth edition (ISO/IEC 27000:2018), which has been technically
revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed to stress its primary role, which is to provide an
overview of, and relationships between documents related to ISMS (information security management
systems) including ISO/IEC 27001;
— text presenting the concepts and principles of information security and information security management
systems has been added;
— Clause 3 contains definitions for those terms used in presenting the concepts and principles ISO/IEC 27000;
— ISO/IEC 27000 is no longer a terminology document.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2025 – All rights reserved
iv
ISO/IEC DIS 27000:2025(en)
Introduction
This document explains the concepts and principles that underpin information security and information
security management systems. It provides an overview of all documents related to ISMS (Information
security management systems) including ISO/IEC 27001 and explains the relationship between them.

© ISO/IEC 2025 – All rights reserved
v
DRAFT International Standard ISO/IEC DIS 27000:2025(en)
Information security, cybersecurity and privacy protection —
Information security management systems — Overview
1 Scope
This document gives an overview of the concepts and principles of documents related to information
security management system (ISMS), including ISO/IEC 27001.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
information security
preservation of confidentiality (3.2), integrity (3.3) and availability (3.4) of information
3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
3.3
integrity
property of accuracy and completeness
3.4
availability
property of being accessible and usable on demand by an authorized entity
3.5
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO 31000:2018, 3.5]
3.6
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7]
© ISO/IEC 2025 – All rights reserved
ISO/IEC DIS 27000:2025(en)
3.7
consequence
outcome of an event (3.5) affecting objectives
[SOURCE: ISO 31000:2018, 3.6]
3.8
risk
effect of uncertainty on objectives
[SOURCE: ISO 31000:2018, 3.1]
3.9
risk treatment
process to modify risk (3.8)
3.10
risk owner
person or entity with the accountability and authority to manage a risk (3.8)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.11
control
measure that maintains and/or modifies risk (3.8)
[SOURCE: ISO 31000:2018, 3.8]
3.12
specified requirement
need or expectation that is stated
[SOURCE: ISO/IEC 17000-1:2004, 3.1]
3.13
conformity assessment
demonstration that specified requirements (3.12) relating to a product, process, system, person or body are
fulfilled
[SOURCE: ISO/IEC 17000-1:2004, 2.1]
4 Concepts and principles
4.1 Concepts
4.1.1 The need for information security
Organizations of all types and sizes:
a) collect, process, store, transmit and delete information;
b) recognize that some information (and the associated information and communications technology,
software, processes and people) can help the organization to achieve its objectives, and can therefore be
regarded as an asset;
c) appreciate that some of this information belongs to other organizations (e.g. customers) and that they
should manage that information in accordance with the agreed requirements;
d) realise that the organization can suffer if information is disclosed, lacks or loses integrity or is not
available when it is required.

© ISO/IEC 2025 – All rights reserved
ISO/IEC DIS 27000:2025(en)
Confidentiality, integrity and availability of information are important properties of value to organizations.
The preservation of these properties is referred to as “information security”.
In this modern interconnected world, information and related processes, systems, and networks can
constitute critical business assets. Organizations and their information systems and networks face
information security threats from a wide range of sources, including human errors, computer-assisted
fraud, theft, espionage, sabotage, vandalism, fire, flood, and climate change. Damage to information systems
and networks caused by malicious code, computer hacking, and denial of service attacks have become more
common, more ambitious, and increasingly more sophisticated. The extent to which such events should
worry an organization depends on the likelihood of the occurrence of the event and the severity of the
consequences. The combination of likelihood and consequence is referred to as “risk”.
If the risk is unacceptable to the organization, it must be “treated”. Risk treatment is the process whereby
risks are modified, often through the implementation of information security controls. Ideally, the process
of treatment continues until the risk becomes acceptable to the organization.
Risks associated with an organization’s information assets
...