ISO/IEC TS 27008

ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls

(second edition)

Abstract

ISO/IEC 27008 “provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation.


[ISO/IEC 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001.


It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.”


[Source: ISO/IEC TS 27008:2019]

Introduction

This standard (strictly speaking a Technical Specification) on “technical auditing” complements ISO/IEC 27007. It is focused on auditing the information security controls (or rather the “technical controls”, a term which, although undefined, evidently means IT security or cybersecurity controls). In contrast, ISO/IEC 27007 concerns the management system itself.

Scope

ISO/IEC TS 27008 provides guidance for all auditors/assessors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s “necessary ISMS controls” satisfy the control objectives. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security.

Structure

Main sections:

  • 5: Background

  • 6: Overview of information security control assessments

  • 7: Review methods

  • 8: Control assessment process

  • Annex A: Initial information gathering (other than IT)

  • Annex B: Practice guide for technical security assessments

  • Annex C: Technical assessment guide for cloud services (Infrastructure as a Service)

Status

The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 Technical Report. It set out to provide “Guidelines for auditors on information security controls”.


The second edition was published in 2019 as ISO/IEC TS 27008:2019, a Technical Specification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. The title morphed into “Guidelines for the assessment of information security controls”, dropping the explicit reference to auditing.


The third edition is currently in preparation, being revised to reflect ISO/IEC 27002:2022. It will revert to a Technical Report. It is at Draft Technical Report stage, likely to emerge during 2026.

Commentary

ISO/IEC TS 27008 gives technology auditors background knowledge to help them review and evaluate the information security controls being managed through an Information Security Management System.


The current second edition:

  • Is applicable to organisations of all types and sizes;

  • Supports planning and execution of ISMS audits and the information risk management process;

  • Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);

  • Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;

  • Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation and intangibles such as reputation and image of the organisation and privacy, skills and experience of people);

  • Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard’s scope into the area of management systems auditing];

  • Supports effective and efficient use of audit resources.


Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as those listed in Annex A of ISO/IEC 27001.


ISO/IEC TS 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, ISO/IEC 27005 or ISO/IEC 27007 respectively.”


‘Technical compliance checking/auditing’ is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced technology auditors.


‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls listed in ISO/IEC 27001 Annex A and described in ISO/IEC 27002.


Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress.


Liberal use of “technical” in phrases such as “technical compliance checking of information system controls”, “technical assessment” and “technical security controls” indicates that this standard is concerned specifically with technology, implying IT or cybersecurity, rather than information risk and security in general.


While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in its use of key terms such as: review, assessment, test, validation, check and audit. For example, are “information security auditors” the same as “certification auditors”, “IT auditors”, “internal auditors”, “ISMS internal auditors”, “compliance auditors”, “conformity auditors”, or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000: of that little list of terms, only “audit”, “information security” and “conformity” are defined there, separately. “Risk assessment” is specifically defined but not “assessment” in general. So, conventional dictionary definitions presumably apply ... but don’t really help. For an international standard, it could hardly be more muddled.

This page last updated:

11 December 2025

© 2025 IsecT Limited
