Topic-specific policies
ISO/IEC 27009

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27009:2020 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 Requirements (second edition)



“This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC  27002 to support a specific sector (domain, application area or market). This document explains how to:  include requirements in addition to those in ISO/IEC 27001; refine or interpret any of the ISO/IEC 27001 requirements; include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.”
[Source: ISO/IEC 27009:2020]


This standard is intended to guide those who would develop ‘sector-specific’ standards based on or relating to ISO/IEC 27001, where ‘sector’ means “domain, application area or market sector” ... and so the muddle begins.


Scope and purpose

The standard specifies how to generate ‘sector-specific’ variants of ISO/IEC 27001. It appears to be aimed at ISO/IEC JTC 1 SC 27.



There are two main-body sections:

  • Guidance on how to refine or even extend the generic management system requirements for a specific ‘sector’ (adapting ISO/IEC 27001);
  • Guidance on adding new information security controls or expanding on the implementation advice in ISO/IEC 27002 for a specific ‘sector’. [Note: this goes beyond the scope implied by the standard’s title.]

... plus three annexes:

  • Two template for writing ‘sector’-specific variants of ‘27001 and/or ‘27002;
  • An explanation of the pros and cons of different clause-numbering approaches in the annex on sector-specific variants of ISO/IEC 27002 (!).


Status of the standard

The first edition was published in 2016.

An expanded second edition was published in 2020.

The standard may be updated to reflect ISO/IEC 27002:2022 ... but since it is so little used, it may not be worth revising.  A white paper is to be developed.


Personal comments

In my admittedly rather cynical estimation, the entire standard could be replaced by a diagram or a simple sentence along the lines of “A sector-specific standard is generated by adding, refining or interpreting the requirements in ISO/IEC 27001 and/or ISO/IEC 27002 for the sector concerned <full stop>”


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2023 IsecT Ltd.