ISO/IEC 27009:2020 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements (second edition)
Abstract
“This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: include requirements in addition to those in ISO/IEC 27001; refine or interpret any of the ISO/IEC 27001 requirements; include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.” [Source: ISO/IEC 27009:2020]
Introduction
This standard is intended to guide those who would develop ‘sector-specific’ standards based on or relating to ISO/IEC 27001, where ‘sector’ means “domain, application area or market sector” ... and so the muddle begins.
Scope and purpose
The standard specifies how to generate ‘sector-specific’ variants of ISO/IEC 27001. It appears to be aimed at ISO/IEC JTC 1 SC 27.
Content
There are two main-body sections:
- Guidance on how to refine or even extend the generic management system requirements for a specific ‘sector’ (adapting ISO/IEC 27001);
- Guidance on adding new information security controls or expanding on the implementation advice in ISO/IEC 27002 for a specific ‘sector’. [Note: this goes beyond the scope implied by the standard’s title.]
... plus three annexes:
- Two templates for writing ‘sector’-specific variants of ‘27001 and/or ‘27002;
- An explanation of the pros and cons of different clause-numbering approaches in the annex on sector-specific variants of ISO/IEC 27002 (!).
Status of the standard
The first edition was published in 2016.
An expanded second edition was published in 2020.
The standard may be updated to reflect ISO/IEC 27002:2022 ... but since it is so little used, it may not be worth revising. A white paper is to be developed.
Personal comments
In my admittedly rather cynical estimation, the entire standard could be replaced by a diagram or a simple sentence along the lines of “A sector-specific standard is generated by adding, refining or interpreting the requirements in ISO/IEC 27001 and/or ISO/IEC 27002 for the sector concerned <full stop>”