ISO/IEC TS 27100



ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)



“This document provides an overview of cybersecurity. This document: describes cybersecurity and relevant concepts, including how it is related to and different from information security; establishes the context of cybersecurity; does not cover all terms and definitions applicable to cybersecurity; and does not limit other standards in defining new cybersecurity-related terms for use.”
[Source: ISO/IEC TS 27100:2020]


According to this Technical Specification:

    “Cybersecurity is a broad term used differently through the world. This document defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.

    Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”


Scope of the standard

“This document provides an overview of cybersecurity ...”


Content of the standard

The standard explains various terms and concepts relating to cybersecurity and cyber risk management, contrasting them with information risk and security management.



The Technical Specification was first published in 2020.

May status update: a project to review the standard in 2024 looks set to recommend no changes, despite requests from several SC 27 members to update it. Watch this space for news.


Personal notes

See also ISO/IEC 27032.

It seems to me two ‘cyber’ worlds coexist on parallel planes:

  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by highly capable and determined foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It could be a delaying tactic. I may be a semi-paranoid conspiracy theorist.
  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.

Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters - possibly the desired outcome of #1 above.

Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul-de-sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution to the field. They claim “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a curious way of putting it. Ironic, that, for a standard that is meant to clarify things ...



Copyright © 2024 IsecT Ltd