ISO/IEC TS 27103
ISO/IEC TS 27103:2026 — Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
(first edition*)
Abstract
ISO/IEC TS 27103 "provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework."
[Source: ISO/IEC TS 27103:2026]
Introduction
"The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls are addressed. This can be done through a management systems approach. An Information Security Management system (ISMS) as described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to cybersecurity. [ISO/IEC TS 27103] demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management."
[Source: ISO/IEC TS 27103:2026]
Scope
The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a "risk-based, prioritized, flexible, outcome-focused, and communications-enabling framework for cybersecurity".
The 'cybersecurity framework and programme' is described as a set of five 'activities' relating to the organization's 'target state for cybersecurity' (presumably meaning its cybersecurity objectives). These apply the conventional, systematic ISO27k approach to the management of 'cybersecurity risk':
Describe the organization’s current cybersecurity status;
Describe the organization’s target state for cybersecurity;
Identify and prioritize opportunities for improvement;
Assess progress toward the target state; and
Communicate among internal and external stakeholders about cybersecurity risk.
Confusingly, the 'framework and programme' also revolves around five 'functions' relating to the incident timescale, which are basically those of NIST's Cybersecurity Framework (CSF):
Identify - business context, resources and risks relating to critical [business] functions;
Protect - safeguard delivery of critical infrastructure services;
Detect - activities to identify cybersecurity events, promptly;
Respond - react to and contain identified events;
Recover - resilience and restoration of impaired capabilities or services.
The 'functions' are further divided into 'categories' and 'subcategories' which are cross-referenced to relevant clauses in ISO27k and other standards.
Structure
Main clauses:
5: Background - risk-based approach, stakeholders, framework and programme
6: Concepts - overview, framework functions
Annex A: Sub-categories - identify, protect, detect, respond, recover
Annex B: Three principles of cybersecurity [plus ten essentials] for top management - an alternative to the NIST CSF approach, cross-referenced to the ISO27k standards
Status
* This standard was initially published as a Technical Report in 2018 and confirmed unchanged in 2022.
It was updated, becoming the current first edition as a Technical Specification in 2026.
Commentary
See also ISO/IEC TS 27110.
In ISO-land, a Technical Specification is a standard for an immature or developing technical subject. In theory, that means it should be formally reviewed within three years, becoming an International Standard if there is consensus ... otherwise continuing unchanged or being withdrawn.
