
ISO/IEC TR 27103

ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards

(first edition)

Abstract

ISO/IEC TR 27103 “provides guidance on how to leverage existing standards in a cybersecurity framework.”


[Source: ISO/IEC TR 27103:2018]

Introduction

If “cybersecurity” is simply that part of information security concerned with IT, then existing information risk and security standards are directly relevant to cyber risk and security.


An Information Security Management System as specified in ISO/IEC 27001 and other ISO27k standards is generally accepted as a comprehensive management system, governance framework or structure with which to manage information risks, including “cyber” risks pertaining to IT and the Internet, among others.

Scope

The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a risk-based ‘cybersecurity framework and programme’.


The ‘framework and programme’ is described as a set of five ‘activities’ relating to the ‘target state for cybersecurity’ (presumably meaning objectives), applying the conventional systematic ISO27k approach to the management of ‘cybersecurity risk’:

  1. Describe the organization’s current cybersecurity status;

  2. Describe the organization’s target state for cybersecurity;

  3. Identify and prioritize opportunities for improvement;

  4. Assess progress toward the target state; and

  5. Communicate among internal and external stakeholders about cybersecurity risk


Confusingly, the ‘framework and programme’ also revolves around five ‘functions’ spanning the incident lifecycle, from preparation through to restoration of service; in other words, the five core functions of the NIST Cybersecurity Framework:

  1. Identify;

  2. Protect;

  3. Detect;

  4. Respond; and

  5. Recover.


The ‘functions’ are further divided into ‘categories’ and ‘subcategories’.

Structure

Main sections:

  • 5: Background

  • 6: Concepts

  • Annex A: Subcategories

  • Annex B: Three principles and ten essentials of the cybersecurity for top management


With an arbitrary structure, the standard references relevant ISO and IEC standards down to the first-level subclauses (e.g. ISO/IEC 27001:2013 clause 9.3) where they are deemed relevant to various aspects of cybersecurity.

Status

The current first edition of this standard was published as a Technical Report in 2018 and confirmed unchanged in 2022.


The TR is now being updated to reflect ISO/IEC 27002:2022. It is intended to explain how to manage cybersecurity risk in a comprehensive and structured manner drawing on processes, governance and controls from current ISO and IEC standards (not just ISO27k!).


The update has passed a vote at Draft Technical Specification stage and should be published during 2026. 


Following a clarification/change of ISO policy, it is set to become a Technical Specification rather than a Technical Report. The title will become ISO/IEC TS 27103 “Cybersecurity - Guidance on using ISO and IEC standards in a Cybersecurity Framework”.

Commentary

The original standards project set out to develop an internal SC 27 Standing Document explaining how various ISO and IEC standards can usefully be applied to cybersecurity. Somehow, it ended up producing a Technical Report in the ISO27k series that singularly failed to define “cybersecurity” and related terms such as “cyber risk”, “cybersecurity risk” and “cybersecurity framework” (as did ISO/IEC 27032), despite the introduction acknowledging the likelihood of confusion due to unclear terminology and differing ‘perspectives’:


“Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g. “cybersecurity” versus “information security”. Where similar risks are addressed, this different perspective can result in “cybersecurity” approaches focusing on external threats and the need to use information for organizational purposes, while, in contrast, “information security” approaches consider all risks whether from internal or external sources. There can also be a perception that cybersecurity risks are primarily related to antagonistic threats, and that a lack of “cybersecurity” can create worse consequences to the organization than a lack of “information security”. Thus, cybersecurity can be perceived as more relevant to the organization than information security. This perception can cause confusion and also reduces the effectiveness of risk assessment and treatment.”

[ISO/IEC TR 27103:2018]


Hmmmmm. Oh well.


See also ISO/IEC TS 27110.

This page last updated:

6 January 2026

© 2026 IsecT Limited 
