Topic-specific policies
ISO/IEC 27009

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27009:2020 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 Requirements (second edition)



“This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC  27002 to support a specific sector (domain, application area or market). This document explains how to:  include requirements in addition to those in ISO/IEC 27001; refine or interpret any of the ISO/IEC 27001 requirements; include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002; add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.”
[Source: ISO/IEC 27009:2020]


This standard is intended to guide those who would develop ‘sector-specific’ standards based on or relating to ISO/IEC 27001, where ‘sector’ means “domain, application area or market sector” ... and so the muddle begins.


Scope and purpose

The standard specifies how to generate ‘sector-specific’ variants of ISO/IEC 27001. It appears to be aimed at ISO/IEC JTC 1 SC 27.



There are two main-body sections:

  • Guidance on how to refine or even extend the generic management system requirements for a specific ‘sector’ (adapting ISO/IEC 27001);
  • Guidance on adding new information security controls or expanding on the implementation advice in ISO/IEC 27002 for a specific ‘sector’. [Note: this goes beyond the scope implied by the standard’s title.]

... plus three annexes:

  • Two template for writing ‘sector’-specific variants of ‘27001 and/or ‘27002;
  • An explanation of the pros and cons of different clause-numbering approaches in the annex on sector-specific variants of ISO/IEC 27002 (!).


Status of the standard

The first edition was published in 2016.

An expanded second edition was published in 2020.

Being so little used, especially outside of the committee itself, SC 27 has decided to withdraw this standard rather than continue maintaining it.


Personal comments

Sense at last!

In my admittedly rather cynical estimation, the entire standard could be replaced by a diagram or a simple sentence along the lines of “A sector-specific standard is generated by adding, refining or interpreting the requirements in ISO/IEC 27001 and/or ISO/IEC 27002 for the sector concerned <full stop>”


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights