top of page

ISO/IEC TR 27024

ISO/IEC TR 27024 — Technical Report — Information security, cybersecurity and privacy protection — Information on government and regulatory use of information security standards

[DRAFT]

Abstract

ISO/IEC TR 27024 "provides a list of national regulations that reference ISO/IEC 27001 as a requirement.”


[Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction

This Technical Report is meant to help determine which of the ISO27k standards (or rather "information security management system standards developed by ISO/IEC JTC 1/SC 27") are recommended or required for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.

Scope

The Technical Report identifies laws, regulations and guidelines from a selection of countries that refer to ISO27k standards such as ISO/IEC 27001, 27002 and 27005, and explicitly concern:

  • Information security

  • Privacy/data protection

  • Digitalisation and electronic archiving.

Structure

The main clause covers 20 countries (some of which are European) plus the European Union. 


Each one has a table:

  • Citing reference document/s (mostly laws and regulations);

  • Identifying the organisations that own/issued the reference documents (e.g. ministries);

  • Stating which ISO27k standards are recommended or required;

  • Plus comments explaining and expanding on the above.  

Status

A Technical Report was prepared from ISO/IEC JTC 1/SC 27 Standing Document 7 - an internal committee reference document.


It is now at Draft Technical Report stage, having been submitted to the ISO secretariat for publication.  It might even surface this year.

Commentary

Notably missing from the coverage list are the United States, China, Russia and all of Africa - in other words, this standard covers roughly a quarter of the globe.  It's a start, I guess. 


Depending on how one interprets part 2 of the ISO Directives, this standard may be stillborn:


"A document does not in itself impose any obligation upon anyone to follow it. 

However, an obligation can be imposed, for example, by legislation or by a contract 

which makes reference to the document.  A document shall not include contractual 

requirements (e.g. concerning claims, guarantees, covering of expenses), 

or legal or statutory requirements."   [clause 4]


The standard progressed rapidly to Draft Technical Report stage and was planned for release way back in 2023. Patently, however, compiling and checking details on relevant laws and regs around the globe, along with editorial changes required by ISO, substantially delayed release. Under ISO/IEC's revised DIrectives and firm deadlines, this project would have been cancelled long ago.


If this had remained a Standing Document without the formalities of becoming a standard, it would have been easier, quicker and cheaper to update it as the referenced standards, laws and regs change, with the bonus of being freely available to those who need the information ... but in its infinite wisdom, the committee decided to publish (and consequently maintain) it as a Technical Report.


The TR does not (explicitly) cover numerous other areas of law less directly/obviously concerned with the confidentiality, integrity or availability of information such as:

  • Classified information and official secrets

  • Contracts

  • Cryptography

  • Digital signatures

  • Defence

  • Family law

  • Financial data integrity, reporting and accounting

  • Forensics

  • Fraud

  • Governance

  • Health and safety

  • Intellectual property

  • Medical records

  • Misinformation

  • Product quality/fitness for purpose

  • Taxation

... nor more besides.  Taking a broad perspective, there are clearly loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information. In the extreme, virtually every law involves forensic evidence with strong cia implications. Laws and regs relating to human safety are important to protect the valuable knowledge and competencies in our heads, while those relating to mental health affect our information processing capabilities. Laws and regs on tax and financial reporting and corporate governance all have information security implications. The standard is unlikely even to mention these, reflecting its arbitrary nature. 


This standards project faces a similar conundrum to ISO/IEC 27002. It would be wonderful if the standard was truly comprehensive and up-to-date and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching (e.g. Googling) which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!

This page last updated:

10 July 2026

© 2026 IsecT Limited 

 

  • Link
  • LinkedIn
bottom of page