
 

ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]

 

Abstract

[TBA]
 

Introduction

It appears the standard intends to address the claimed dire global shortage of cybersecurity professionals, hopefully increasing the supply of newly-minted professionals to the market by suggesting standard curricula for educators offering college and university courses etc.

 

Scope of the standard

[TBA]

 

Content of the standard

The standard may:

  • Cover cybersecurity awareness (?), training and education;
  • Suggest common/standard education and training curricula in this area;
  • List/mention applicable national guidance, strategies or regulations.

 

Status

A Technical Report is in preparation.

It was originally to be published in 2024 but the project was extended to 2026 for ‘additional technical work’.

Sept status update: The standard development project missed its extended deadlines and so was cancelled in September 2025 ... but was magically rejuvenated as another 3-year project (I have no idea how that works!).

 

Personal comments

The standard will hopefully complement rather than replace ISO/IEC 27021 concerning competencies required of ISMS professionals.

Sept status update: SC27 is collaborating with another committee on ‘cybersecurity competence’.

If national guidelines are to be listed in this standard, the details will need to be collated and managed indefinitely, implying a stream of maintenance updates to keep the standard reasonably accurate and current. Why is such an approach even being considered? Most other international standards don’t attempt to list national aspects except perhaps as examples.

 

 


Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights