ISO/IEC 27011



ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)



“The scope of this Recommendation | International Standard is to provide guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property.”
[Source: ISO/IEC 27011:2024/ITU-T X.1051]


This ISMS implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27, with the identical text being dual-numbered as both ISO/IEC 27011 and ITU-T X.1051.


Scope and purpose

This standard guides telecoms organisations on the information security controls worth considering and adopting to mitigate their unacceptable information risks. As with ISO/IEC 27002, the controls are discretionary, not mandatory. Telecoms organizations are free to determine whether the controls are or are not applicable according to their information risks, and they may prefer custom versions, bespoke controls or controls suggested by other sources. Ideally, they would do so using an Information Security Management System modeled on ISO/IEC 27001, managing and overseeing the controls and risks systematically.


Content of the standard

Aside from minor variations/explanations to a few of the ISO/IEC 27002:2022 controls, the ‘extended control set’ suggests 14 additional information security controls specifically for telecoms organisations.

For example, control 5.42 TEL - Non-disclosure of communications indicates that telecoms organisations should, if appropriate, secure metadata relating to the messages they handle for customers, as well as the messages themselves, unless they are legally obliged to disclose.


Status of the standard

The first edition was published in 2008.

The second edition was published in 2016, with a minor corrigendum in 2018.

Having been updated and substantially restructured to align with the 2022 version of ISO/IEC 27002, the third edition was published at the end of March 2024.


Personal comments

It is good to see continued productive collaboration between these well-respected international standards bodies, despite the challenge and delays caused by batting the draft standard back and forth between their formal processes like a tennis ball at a Wimbledon final.



Copyright © 2024 IsecT Ltd