ISO27k standards
News and info on the standards


ISO/IEC 27565 published
ISO/IEC 27565:2026 is a brand new ISO27k standard on Zero-Knowledge Proofs. It explains how to go about collecting and verifying personal information for various legitimate purposes without 'over-collecting', i.e. requiring and gathering additional information beyond that strictly needed for the stated purpose - verifying whether a statement or claim is or is not true. Age verification is a common example. A new law in Australia, for instance, prohibits youngsters from
2 days ago · 2 min read


12 << 5555
In part, the current (fifth, 2018) edition of ISO/IEC 27000 defines key terms of art used throughout the ISO27k standards . The standard is available as a legitimate free download from ISO . If you haven't already seen it, go ahead - download the standard for a good look at these 77 terms defined in clause 3: access control attack audit audit scope authentication authenticity availability base measure competence confidentiality conformity consequence continual improvement c
3 days ago · 2 min read


ISO/IEC TS 27103 published
ISO/IEC TS 27103:2026 "Cybersecurity - Guidance on using ISO and IEC standards in a cybersecurity framework" is, essentially, a mapping of NIST's Cyber Security Framework to ISO27k and other standards. The Technical Specification belatedly updates references to various clauses in the 2022 editions of ISO/IEC 27001 and 27002 from 2018's Technical Report. Read more about the standard here on this site and at ISO.org
Feb 10 · 1 min read


Painting the Forth bridge
Although ISO/IEC 27000 and most other standards incorporate definitions, the language is often formalised/stilted and very succinct. Being the product of committees within the larger structure of the global standards bodies means new terms have to be carefully word-crafted to avoid conflict with the existing body of knowledge. Reducing definitions to their essence may be worthwhile from an academic perspective, although I wonder about the poor reader trying to make sense of
Feb 2 · 3 min read


Two new ISO27k projects: ISMS guidance for the neglected mediums and the SME dilemma
No, not that kind of 'medium'! Two new ISO/IEC JTC 1/SC 27/WG 1 standards projects are under way, raising fundamental questions about how we standardise and promote information security. 1. Practical ISMS implementation guidance First, we are defining the scope and plan for a second part to ISO/IEC 27003 (possibly a distinct standard or some other format). This project aims to offer ISMS implementation advice for small, medium and large organizations, with a specific emphas
Jan 23 · 2 min read


Cyber-insurance standard update
I've received the first Working Draft for the revision of ISO/IEC 27102:2019 - "Information security management - Guidelines for cyber-insurance". With a new title already approved ("Information security, cybersecurity and privacy protection — Guidelines for applying ISO/IEC 27001 and related standards in support of cyber insurance") and a revised scope, the committee intends to refocus the second edition more explicitly on the Information Security Management System
Jan 17 · 2 min read


Minor site updates
Today I updated several pages concerning the current status of various ISO27k standards development projects - nothing particularly significant. I am struggling to keep up with the work of ISO/IEC JTC 1/SC 27 Working Group 5. I'm not sure at the moment whether I am not receiving WG5 emails with updates, or not reading them properly and taking note of them. Either way, it is hard for me to keep track and update this site for the WG5 standards. Also today, I noticed a curious
Jan 6 · 2 min read


That risky Annex A
Having seen yet another comment on social media this morning along the lines of "I'm petrified that the certification auditor will raise a nonconformity if we don't adopt specific Annex A controls", I've added an ISO27k FAQ under the assurance section. This is one of the most frequent of Frequently Asked Questions, a frustratingly persistent concern relating to the natural anxieties about being audited. I've been audited. I've been an auditor. Audits are challenging,
Jan 3 · 2 min read


ISO 27799 updated - health infosec controls
ISO/TC 215 has updated ISO 27799 to reflect ISO/IEC 27002:2022, omitting the previous edition's content regarding ISO/IEC 27001. The standard now concentrates on the implementation of organisational, people, physical and technological controls within the healthcare industry.
Dec 19, 2025 · 1 min read


Age verification standards
ISO/IEC 27566-1:2025 "Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework" has been published. This is the start of a multi-part standard concerning the tricky process of verifying someone's age to an appropriate level of assurance, without unnecessarily invading or compromising their privacy rights. As usual for a 'part 1', it provides a general introduction and conceptual basis for the framework that the remaining parts wi
Dec 17, 2025 · 2 min read


ISO/IEC 27028 Control attributes DIS
An updated Draft International Standard ISO/IEC 27028 has been released to ISO/IEC JTC 1/SC 27 for voting by early February 2026. I have been expecting a 'Technical Specification' rather than a full International Standard but maybe I missed the memo. Not to worry. The DIS is in good shape. So far I have spotted just a few minor grammatical issues and concerns about terminology (risk tolerance denotes a different concept from risk appetite - these are not synonyms; likewise for 'co
Dec 16, 2025 · 1 min read


Prosthetic privacy
A new SC27 project has been approved, developing an ISO27k standard on privacy for the Brain-Computer Interface, part of meditech or healthtech you could say. Consider the privacy implications of these vaguely-conceivable futuristic or other-worldly BCI applications: Brain implants picking up neurological signals to control prosthetic limbs or weapons, ideally providing 'force feedback' for proportional control, dexterity and accuracy. Remote control/direction of animal
Dec 16, 2025 · 2 min read


ISO27k FAQ updated
Ever since migrating this website to Wix a month ago, I've been systematically checking and refining the content, updating broken links, correcting typos, reconsidering and refreshing the text. Over the last few days I've been giving our ISO27k FAQ the once-over, and today wrote up a new FAQ on ISMS documentation. It was triggered by my reading naive advice elsewhere to "Document everything": I appreciate it's not meant literally but the emphasis is clear. Since the ISO/IEC 27001 co
Dec 15, 2025 · 2 min read


ISO/IEC 27091 AI privacy DIS
Voting has commenced on the Draft International Standard ISO/IEC 27091 on AI privacy, with national standards bodies invited to vote and comment by Feb 25th 2026. I have updated the standard's page on this website, based on a brief skim-reading of the DIS, so far. I will update that page if I find the time to study the standard properly and reconsider my opinions. In summary, although I have concerns about the scope, focus and coverage of the standard, it does offer us
Dec 6, 2025 · 1 min read


ISO/IEC 27045 big data DIS
The Draft International Standard version of this forthcoming security and privacy standard on 'big data' has been released for national bodies to vote and comment before March 2026. Supplementing ISO's 'official' page about this standard, I have outlined the structure of the standard on its detailed info page on this website. If the DIS is approved by the voting members of ISO/IEC JTC 1/SC 27 without significant comments or objections, it may be published later in 2026
Dec 3, 2025 · 1 min read


ISO/IEC 27003 revision
Patiently chiselling another work of art for ISO
This month I am slaving away, diligently reviewing a Committee Draft of the next release of ISO/IEC 27003, updating the 2017 second edition. ISO/IEC 27003:2017 provided 'explanation and guidance' on ISO/IEC 27001:2013. In practice, that meant mostly elaborating quite formally on the mandatory requirements from the main body of '27001. According to the editorial team, the standard revision project was supposed to take place
Dec 1, 2025 · 3 min read


Infosec control attributes
ISO/IEC TS 27028 moved a step closer to publication by passing a vote at DIS stage. When released in the middle of 2026, the standard will have a new title, no longer mentioning ISO/IEC 27002: Guideline on using information security control attributes, and a succinct scope: This document provides guidance on the use of information security control attributes. The guidance given in this document is generic and is intended to be applicable to all organizations, regardless
Nov 29, 2025 · 2 min read


ISMS implementation & SME security guidance
ISO/IEC JTC 1/SC 27/WG 1 has two interesting new projects on the cards ... ISMS implementation First comes a proposal to develop ISMS implementation guidance, essentially rejuvenating the original ISO/IEC 27003. When the standard's 2010 first edition was revised in 2017, the committee decided to reduce the implementation guidance, instead focusing on explaining the Information Security Management System requirements in ISO/IEC 27001. At the time (and subsequently, t
Nov 27, 2025 · 4 min read


Standard tensions
When drafting technical standards, there are natural tensions concerning the audience, purpose and language used. On the one hand, 'technical' implies complexities and precision in the content, with details relating to science and engineering. This generally means writing for a competent and knowledgeable professional audience, providing specific details to guide and enable them to get to grips with the subject matter. A technical standard on, say, nuts and bolts would typi
Nov 26, 2025 · 3 min read


ISO/IEC 27566-2 page updated
An initial draft of this standard has been released to SC27 as the first Working Draft, so I took the opportunity to update the info page. '27566 concerns age verification - techniques to determine the age of a website or app user, for example to prevent minors accessing adult materials. Part 2 will form a bridge linking the foundational concepts in part 1 with the analytical approaches in part 3. It will advise on how to ascertain the age verification objectives, parame
Nov 14, 2025 · 1 min read
