
Search Results


  • ISO27k standards info from ISO27001security

    All about the ISO/IEC 27000-series information risk and security management standards

    Introduction and overview of the ISO27k standards

    "ISO27k" refers to the ISO/IEC 27000 series standards, a set of 100 good practice guidelines for managing the risks affecting or involving business, commercial, national and personal information. "ISO/IEC" denotes the bodies that jointly developed and maintain the standards: ISO is the Geneva-based International Organization for Standardisation, a non-governmental federation of representatives from national standards bodies across the world; IEC is the International Electrotechnical Commission, another Swiss-based non-governmental global body responsible for standardising various technologies.

    Effective risk management serves to protect valuable information against harm whilst also permitting its use for legitimate purposes. Both aspects are important. Although in theory we might lock the information away forever, permanently blocking access by everyone, its value would decay to zero given such an excessive level of security.

    The ISO standards lay out guidance in the form of generic 'management systems', flexible enough to be adapted to any organisation's unique situation, plus guidance on various specific topics. You may already be familiar with ISO 9001 (for quality) or ISO 14001 (for environmental management). Management systems are specified in ISO/IEC 27001 (for information security) and ISO/IEC 27701 (for privacy). These structures support a systematic approach to:
    - Identify risks of concern, analyse and evaluate them;
    - Treat (avoid, share, mitigate or accept) the risks appropriately;
    - Ensure the risk treatments are working properly in practice (assurance); and
    - Handle changes and drive continual improvement (maturity).

    Other ISO27k standards expand on various aspects in more detail: ISO/IEC 27005, for instance, elaborates on the information risk management process, while ISO/IEC 27004 offers advice on security metrics. Certified conformity to ISO/IEC 27001 and ISO/IEC 27701 demonstrates that an organisation is serious about managing information security and privacy. In short, ISO27k is about systematically protecting and legitimately exploiting valuable information for sound business reasons.

    The ISO27k standards are listed below.

    The ISO27k standards
    ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition)
    ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition)
    ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)
    ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)
    ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation (second edition)
    ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)
    ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition)
    ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)
    ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)
    ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition)
    ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)
    ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition)
    ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition)
    ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition)
    ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition)
    ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)
    ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)
    ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals (first edition)
    ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)
    ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]
    ISO/IEC 27028 — Information security, cybersecurity and privacy protection — Guidance on using information security control attributes [DRAFT]
    ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity (second edition)
    ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition)
    ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition)
    ISO/IEC 27033-2:2012 — Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition)
    ISO/IEC 27033-3:2010 — Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition)
    ISO/IEC 27033-4:2014 — Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition)
    ISO/IEC 27033-5:2013 — Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition)
    ISO/IEC 27033-6:2016 — Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition)
    ISO/IEC 27033-7:2023 — Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition)
    ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts (first edition)
    ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: Organisation normative framework (first edition)
    ISO/IEC 27034-3:2018 — Information technology — Security techniques — Application security — Part 3: Application security management process (first edition)
    ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition)
    ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies (first edition)
    ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition)
    ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition)
    ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)
    ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition)
    ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination (first edition)
    ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)
    ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements (second edition)
    ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition)
    ISO/IEC 27036-4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition)
    ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition)
    ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction (first edition)
    ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operation of intrusion detection and prevention systems (IDPS) (first edition)
    ISO/IEC 27040:2024 — Information technology — Security techniques — Storage security (second edition)
    ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method (first edition)
    ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition)
    ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes (first edition)
    ISO/IEC 27045 — Information technology — Big data security and privacy — Guidelines for managing big data risks [DRAFT]
    ISO/IEC 27046 — Information technology — Big data security and privacy — Implementation guidelines [DRAFT]
    ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition)
    ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition)
    ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition)
    ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness (first edition)
    ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)
    ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services (first edition)
    ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT]
    ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]
    ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition)
    ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)
    ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition)
    ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition)
    ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]
    ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development guidelines (first edition)
    ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview [DRAFT]
    ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT]
    ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines (first edition)
    ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements (first edition)
    ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition)
    ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT (first edition)
    ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)
    ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)
    ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes (first edition)
    ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: Remote modes (first edition)
    ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk (first edition)
    ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)
    ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)
    ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)
    ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition)
    ISO/IEC TS 27560:2023 — Privacy technologies — Consent record information structure (first edition)
    ISO/IEC 27561:2024 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) (first edition)
    ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition)
    ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition)
    ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering (first edition)
    ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT]
    ISO/IEC 27566-1:2025 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework (first edition)
    ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL]
    ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT]
    ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL]
    ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL]
    ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities (first edition)
    ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [DRAFT]
    ISO/IEC 27574 — Information security, cybersecurity and privacy protection — Privacy in brain computer interface (BCI) applications [DRAFT]
    ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition)
    ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition)
    ISO 27799:2025 — Health informatics — Information security controls in health using ISO/IEC 27002 (third edition)

  • ISO/IEC TR 27103 | ISO27001security

    ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition)

    Abstract
    ISO/IEC TR 27103 "provides guidance on how to leverage existing standards in a cybersecurity framework." [Source: ISO/IEC TR 27103:2018]

    Introduction
    If "cybersecurity" is simply that part of information security concerned with IT, then existing information risk and security standards are directly relevant to cyber risk and security. An Information Security Management System as specified in ISO/IEC 27001 and other ISO27k standards is generally accepted as a comprehensive management system, governance framework or structure with which to manage information risks, including "cyber" risks pertaining to IT and the Internet, among others.

    Scope
    The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a risk-based 'cybersecurity framework and programme'. The 'framework and programme' is described as a set of five 'activities' relating to the 'target state for cybersecurity' (presumably meaning objectives), applying the conventional systematic ISO27k approach to the management of 'cybersecurity risk':
    - Describe the organization's current cybersecurity status;
    - Describe the organization's target state for cybersecurity;
    - Identify and prioritize opportunities for improvement;
    - Assess progress toward the target state; and
    - Communicate among internal and external stakeholders about cybersecurity risk.
    Confusingly, the 'framework and programme' also revolves around five 'functions' relating to the incident timescale, basically the NIST-style Cyber Security Framework: Identify; Protect; Detect; Respond; and Recover. The 'functions' are further divided into 'categories' and 'subcategories'.

    Structure
    Main sections:
    - 5: Background
    - 6: Concepts
    - Annex A: sub-categories
    - Annex B: Three principles and ten essentials of the cybersecurity for top management
    With an arbitrary structure, the standard references relevant ISO and IEC standards down to the first-level subclauses (e.g. ISO/IEC 27001:2013 clause 9.3) where they are deemed relevant to various aspects of cybersecurity.

    Status
    The current first edition of this standard was published as a Technical Report in 2018 and confirmed unchanged in 2022. The TR is now being updated to reflect ISO/IEC 27002:2022. It is intended to explain how to manage cybersecurity risk in a comprehensive and structured manner, drawing on processes, governance and controls from current ISO and IEC standards (not just ISO27k!). The update has passed a vote at Draft Technical Specification stage and should be published during 2026. Following a clarification/change of ISO policy, it is set to become a Technical Specification rather than a Technical Report. The title will become ISO/IEC TS 27103 "Cybersecurity - Guidance on using ISO and IEC standards in a Cybersecurity Framework".

    Commentary
    The original standards project set out to develop an internal SC 27 Standing Document explaining how various ISO and IEC standards can usefully be applied to cybersecurity. Somehow, it ended up producing a Technical Report in the ISO27k series that singularly failed to define "cybersecurity" and related terms such as "cyber risk", "cybersecurity risk" and "cybersecurity framework" (as did ISO/IEC 27032), despite the introduction acknowledging the likelihood of confusion due to unclear terminology and differing 'perspectives':

    "Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g. "cybersecurity" versus "information security". Where similar risks are addressed, this different perspective can result in "cybersecurity" approaches focusing on external threats and the need to use information for organizational purposes, while, in contrast, "information security" approaches consider all risks whether from internal or external sources. There can also be a perception that cybersecurity risks are primarily related to antagonistic threats, and that a lack of "cybersecurity" can create worse consequences to the organization than a lack of "information security". Thus, cybersecurity can be perceived as more relevant to the organization than information security. This perception can cause confusion and also reduces the effectiveness of risk assessment and treatment." [ISO/IEC TR 27103:2018]

    Hmmmmm. Oh well.

    See also ISO/IEC TS 27110.

    This page last updated: 6 January 2026

  • ISO27k standards (List) | ISO27001security

    ISO27k standards List: the same catalogue of ISO27k standards that is reproduced in full under the first result above.
Guidelines for IoT-domotics (first edition) ISO/IEC 27404 Open ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [first edition] ISO/IEC TR 27550 Open ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition) ISO/IEC 27551 Open ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition) ISO/IEC 27553-1 Open ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: local modes (first edition) ISO/IEC 27553-2 Open ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition) ISO/IEC 27554 Open ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition] ISO/IEC 27555 Open ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition) ISO/IEC 27556 Open ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition) ISO/IEC 27557 Open ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition) ISO/IEC 27559 Open ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition) ISO/IEC TS 27560 Open ISO/IEC TS 27560:2023 — Privacy technologies — Consent record 
information structure (first edition) ISO/IEC 27561 Open ISO/IEC 27561:2024 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) ( first edition) ISO/IEC 27562 Open ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition) ISO/IEC TR 27563 Open ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition) ISO/IEC TS 27564 Open ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition] ISO/IEC 27565 Open ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT] ISO/IEC 27566-1 Open ISO/IEC 27566-1 :2025 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework [First edition] ISO/IEC 27566-2 Open ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL] ISO/IEC 27566-3 Open ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT] ISO/IEC TS 27568 Open ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL] ISO/IEC TS 27569 Open ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL] ISO/IEC TS 27570 Open ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities (first edition) ISO/IEC 27573 Open ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [DRAFT] ISO/IEC 27574 Open ISO/IEC 27574 Information security, cybersecurity and privacy protection— Privacy in brain computer interface (BCI) applications [DRAFT] ISO/IEC 27701 Open ISO/IEC 
27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition) ISO/IEC 27706 Open ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition) ISO 27799 Open ISO 27799:20 25 — Health informatics — Information security controls in health using ISO/IEC 27002 (third edition)

  • ISO27k Forum | ISO27001security

    Join the global self-help community of >5,000 ISO27k/infosec professionals, lurk and chip in if you feel inspired. It's FREE!

    The ISO27k Forum
    The Forum is a Google Group/email reflector for ISO27k practitioners, a supportive global community of peers-helping-peers.

    The back story
    Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of more than 5,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their experience, expertise and wisdom freely with others. Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards, particularly those with practical implementation experience and knowledge they are willing to share with the community. We also welcome students and newbies taking their first baby steps, studying and in time maybe adopting the standards. The Forum and this website demonstrate our support for the liberal social principles on which the Web was founded - our way to give a little back to the online world that gives us so much.

    Purpose and vision
    This is a practitioners’ group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in genuine real-world situations (see the typical topics below).

    Typical ISO27k Forum members:
    • Are generally interested in information security standards;
    • May have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, CRISC, GIAC and similar;
    • May be CISOs, ISMs, CROs, Compliance Managers, Cybersecurity Managers, Infosec Consultants, IT Security Specialists, Security Analysts or whatever;
    • May be students, academic researchers and teachers;
    • Would like more information about applying the standards in real life, beyond that available on this website and elsewhere;
    • Are planning to implement, actively implementing, fully conformant with or simply using the ISO27k standards, or are auditing organisations against the standards, or are advising others about the standards;
    • May work for organisations that have been certified conformant with ISO/IEC 27001 or are working towards that point;
    • Would like to help promote the standards more widely;
    • May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect;
    • Wish to discuss information security management standards, practices, methods etc. with the community of professional peers;
    • Are here to give and to take, to contribute knowledge and learn new stuff.
    Sharing is important to us. As a member put it, “We are a TEAM - Together Everyone Achieves More”. Sign me up!

    Our favourite topics
    The Forum is a low-volume high-quality group. We discuss anything and everything ISO27k-related, such as:
    • Assurance - ISMS internal audits, management reviews, certification, surveillance, accreditation, supplier security audits, trust centres ...;
    • Business Continuity Management including resilience, recovery and contingency planning, and ISO 22301;
    • Business cases: reasons to embrace the ISO27k standards in furtherance of business objectives, going beyond mere conformity, and gaining executive/board-level support;
    • Concepts and terms-of-art in risk and security e.g. threats, vulnerabilities, probabilities, impacts, exposure, incidents, CIA, preventive, detective, corrective controls, people, process, physical, technology controls, inherent and residual risks, risk appetite, risk tolerance, risk vs opportunity, protecting and exploiting information ...;
    • Control attributes - using the parameters, characteristics or features to select and make the most of security controls;
    • Documentation - mandatory vs discretionary, audiences, purposes, content, document controls ...;
    • Governance of information, information risk, information security etc., including organisation structures, reporting lines, direction, oversight, monitoring and conformity, management support and involvement, integrating management systems;
    • How to implement the standards - pragmatic advice from those who have been there, done that;
    • Information risk management methods such as Business Impact Analysis, threat intelligence, risk modelling;
    • Information security controls for software, system, network and service development, provision and acquisition, for cloud, privacy, safety, IT, OT, AI, IoT ...;
    • Information Security Management Systems, of course, plus viable strategies, implementation plans, resourcing, timescales, priorities, options, shortcuts, tips;
    • Metrics for measuring information risk and security, for monitoring, reporting and management;
    • News about ISO27k and related standards;
    • Policies, procedures, rules, guidelines, laws and regulations, content, structure, purpose and value, compliance, conformity, enforcement and reinforcement;
    • Preventive and corrective actions, continual improvement, maturity, post-incident reviews ... and incident management;
    • Privacy, data protection, safety, quality and other obligations;
    • Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
    • Scope, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they do, what they are supposed to contain ...;
    • Security awareness - why it’s needed, how to do it, making it cost-effective;
    • 'The ISO27k way' - a systematic, structured, information risk-driven approach underpinning all the ISO27k standards;
    • Tools and resources supporting busy CISOs, ISMs, SOCs, analysts, trainers, documenters and consultants.
    This is just a potted selection to give you a flavour of the discussion. As well as the FAQ, we have accumulated a huge amount of worthwhile content in the group’s archive so it's worth getting to grips with Google’s search syntax.

    Projects
    Occasionally, ISO27k Forum members collaborate in crowdsourcing topical issues, such as drafting new materials for the ISO27k Toolkit. We have also contributed to the promotion and further development of the ISO27k standards.

    Privacy
    If you join the ISO27k Forum, you will obviously receive ISO27k-related emails. We will not exploit, sell or give away your email address or other personal information. If you post a message to the Forum, your email address is shown in the message header. Other members may email you directly rather than the entire group. We actively discourage anyone from overtly advertising on the Forum or pestering members but vendors may contact you directly/off-list if you express an interest in their products. Feel free to create a unique email address solely for the Forum and please let us know if you receive spam. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the ravenous bugblatter beast of Traal or, under our environmental policy, may be gently composted back into mother Earth.

    Forum tips and etiquette (important!)
    Guidelines to keep the ISO27k Forum on track, and benefit the whole community:
    • Please be professional and respectful at all times.
    • The Forum is deliberately non-commercial: no advertising or promoting your organisations and products, no commercial offers, no vacancy notices etc. Definitely no spamming! Conventional email signatures are fine though. Just be discreet. Take commercial matters off-line with individuals, not via the Forum.
    • Add your name to your postings: what should we call you?
    • The Forum’s primary language is plain English. Be considerate.
    • Browse the archives (using the Google Groups search) before posting. Glance back a few weeks at least to see where current threads arose. Read the ISO27k FAQ.
    • Stay on-topic! This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters.
    • Take a moment to explain your context: Why are you writing? Why does it matter? What have you already done in an attempt to find an answer? What type of organisation do you represent? Industry? Size? Location? How mature is your ISMS? What stage are you at?
    • When responding to a post, don’t change the subject line unless you are deliberately heading off at a tangent. Gmail and other mailers string related messages into threads by the subject line. For further advice on asking questions intelligently, see here and here.
    • Manage your subscription via the Google Groups web interface: receive each message individually or as regular digests; suspend Forum emails temporarily or permanently (access online instead); change your email address; unsubscribe and leave the Forum.
    • File Forum emails automatically in your email software. All emails contain “[ISO 27001 security]” in the subject line: set up a rule to move emails with that subject string into a suitable folder to browse, search and read at your leisure.
    • Respect intellectual property rights and laws: do not circulate copyright materials (such as ISO/IEC standards!) on the ISO27k Forum unless you are the copyright owner or have the copyright owner’s express permission. This is a hard and fast rule, no exceptions, no second chances. Don't risk the Forum's existence as well as prosecution. It is generally OK to share URLs for materials legitimately published on the Web, rather than sharing the content.
    • Respect the copyright of Forum members too. Don't share Forum postings elsewhere without first getting the authors’ agreement.
    Finally, if you are unclear about the rules, bothered about recent exchanges or wary of posting something inappropriate, email the Forum Admin.

    If you have a keen interest in the ISO27k standards and intend to participate actively in the community, apply to join the ISO27k Forum. Membership is FREE but please make your case briefly when you apply to join: in just a few short words, persuade us that you are qualified and willing to share. If you ignore this request and leave the application blank, don’t be surprised if your application is rejected just as rudely. Aside from excluding spambots, we like to know what brought you here and what interests you.

  • ISO/IEC 27553-2 | ISO27001security

    ISO/IEC 27553-2
    ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition)

    Abstract
    ISO/IEC 27553 part 2 “provides high-level security and privacy requirements for authentication using biometrics on mobile devices, in particular, for functional components, communication, storage and remote processing. [The standard] is applicable to remote modes, i.e. the cases where: the biometric sample is captured through mobile devices, and the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions. The following are out of scope of this document: the cases where the biometric data or derived biometric data never leave the mobile devices (i.e. local modes), the preliminary steps for biometric enrolment before authentication procedure, and the use of biometric identification as part of the authentication.” [Source: ISO/IEC 27553-2:2025]

    Introduction
    Part 2 provides high-level requirements for situations where biometric authentication on mobile devices involves communicating biometric data over the network to a remote authentication server.

    Scope
    Biometric authentication on mobile devices where biometric information is communicated between the devices and remote services via network connections, as opposed to local modes where the authentication process and data are limited to the devices. The standard is restricted to authentication, excluding enrolment and identification.

    Structure
    Main sections:
    5: Security and privacy considerations
    6: System description
    7: Information assets
    8: Threat analysis
    9: Security requirements and recommendations
    10: Privacy considerations, requirements and recommendations
    Annex A: Implementation example
    Annex B: Authentication assurance and assurance level

    Status
    The current first edition was published in 2025.

    Commentary
    Involvement of remote services in the authentication process implies network data communication with associated confidentiality, integrity and availability implications, as well as risks relating to the remote storage and processing (such as aggregating, correlating and comparing biometric and other data between various remote and networked systems to glean additional information).

    Not being a Subject Matter Expert in authentication, specifically, I am intrigued by obscure terms such as “synthesized wolf biometric samples” and “hill climbing attack”. Presumably these are covered by the numerous cited standards and familiar to authentication SMEs. It would be challenging to adopt ISO’s version of plain English for such a technical standard.

    This page last updated: 5 January 2026
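The commentary above names the “hill climbing attack” without saying what it is. The following toy model is an added illustration written for this page; it is not code from ISO/IEC 27553-2, from the cited standards or from ISO27001security, and it does not implement any real matcher. It shows the point that matters in remote modes: if the remote verification service returns its raw similarity score to the caller, an attacker who can submit probes repeatedly can nudge a synthetic feature vector towards acceptance without ever holding a genuine sample, whereas a service that returns only accept/reject gives the same loop nothing to climb. The feature-vector representation, the similarity function, the 0.90 threshold, the 0.05 step and the query budget are all assumptions chosen so the example runs quickly.

```python
"""Hill-climbing against a score-leaking biometric verifier (toy model).

Added illustration for the ISO/IEC 27553-2 commentary; not code from the
standard or from ISO27001security. The enrolled 'template' is a constructed
16-element feature vector, the similarity function is hypothetical, and the
threshold, step size and query budget are arbitrary assumptions.
"""
import random

DIMS = 16          # assumed length of the feature vector
THRESHOLD = 0.90   # assumed accept threshold on the similarity score
STEP = 0.05        # assumed per-feature perturbation used by the attacker

# Constructed enrolled template: fixed pseudo-random features in [0, 1].
_rng = random.Random(27553)
ENROLLED = [round(_rng.random(), 3) for _ in range(DIMS)]


def similarity(probe, template=ENROLLED):
    """Toy similarity: 1 minus the mean absolute difference of the features."""
    return 1.0 - sum(abs(p - t) for p, t in zip(probe, template)) / len(template)


class LeakyMatcher:
    """Remote service that returns the raw match score alongside the decision."""
    def __init__(self):
        self.queries = 0

    def verify(self, probe):
        self.queries += 1
        score = similarity(probe)
        return score >= THRESHOLD, score


class HardenedMatcher:
    """Remote service that returns only accept/reject; the score stays server-side."""
    def __init__(self):
        self.queries = 0

    def verify(self, probe):
        self.queries += 1
        return similarity(probe) >= THRESHOLD, None


def hill_climb(matcher, budget=2000, seed=1):
    """Coordinate-wise hill climb against a verification oracle.

    Perturbs one feature at a time by +/-STEP and keeps the change only when
    the returned score improves. Returns (accepted, probe, queries_used).
    Against a boolean-only oracle no score is ever returned, so no
    perturbation is ever kept and the attack stalls until the budget is spent.
    """
    rng = random.Random(seed)
    probe = [rng.random() for _ in range(DIMS)]  # attacker's random start, no real sample
    accepted, best = matcher.verify(probe)
    best = -1.0 if best is None else best
    while not accepted and matcher.queries < budget:
        for i in range(DIMS):
            for delta in (STEP, -STEP):
                cand = probe[:]
                cand[i] = min(1.0, max(0.0, cand[i] + delta))
                accepted, score = matcher.verify(cand)
                score = -1.0 if score is None else score
                if accepted:
                    return True, cand, matcher.queries
                if score > best:          # leaked score gives the gradient
                    best, probe = score, cand
                    break
                if matcher.queries >= budget:
                    return False, probe, matcher.queries
    return accepted, probe, matcher.queries


def demo():
    """Run the same attack against both oracles and summarise the outcome."""
    leaky = hill_climb(LeakyMatcher())
    hardened = hill_climb(HardenedMatcher())
    return {
        "leaky_accepted": leaky[0], "leaky_queries": leaky[2],
        "hardened_accepted": hardened[0], "hardened_queries": hardened[2],
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores the other defences a real remote mode relies on (attempt limits and lockout, binding the session to the enrolled device, presentation-attack detection at capture time); its only lesson is that the score itself is an information leak, which is why a remote verifier should return a decision and not a number. “Wolf” samples are a different attack and are not modelled here.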

  • ISO/IEC 27017 | ISO27001security

    ISO/IEC 27017
    ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition)

    Abstract
    “ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.” [Source: ISO/IEC 27017:2015/ITU-T X.1631]

    Introduction
    This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards.

    Scope
    The 'code of practice' provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013, in the cloud computing context.

    Structure
    The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section, mirroring the structure and controls sequence of ISO/IEC 27002:2013.

    Status
    The current first edition was published in 2015. Having been developed jointly by ISO/IEC and ITU-T, the standard is dual-numbered ISO/IEC 27017 and ITU-T X.1631 with identical content. Work on a second edition started in 2022. It is being updated to “capture a full set of guidance for information security controls applicable to cloud services, both from the third [2022] edition of ISO/IEC 27002 and any additional controls specific related specifically to cloud services.” ISO/IEC SC 27 and SC 38, ITU-T SG17 and the Cloud Security Alliance are collaborating on the revision, requiring careful scheduling to coordinate several parallel activities. Substantial changes are coming in the second edition of this standard with a complete reorganisation of the controls as per ISO/IEC 27002:2022. The title will become “Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services”. It is at Draft International Standard stage and may be published at the end of 2025, more likely in 2026.

    Commentary
    In my opinion, ISO/IEC 27017 takes an unrealistically simplistic view of cloud service provider and customer relationships as individual one-to-one interactions. In reality, cloud services are often provided by multiple suppliers to multiple clients in different organisations, and nothing remains static for long. In practice, inter-organisational business relationships often extend through complex cloud supply chains or supply networks, with multiple parties involved in collaborating to assemble, deliver and manage cloud services (e.g. network, data centre, physical servers, virtual servers, operating systems, database management systems and other layered software, applications, and all the associated services). Consequently, there are numerous supplier-customer relationship risks to manage, such as organisational interdependence, contracting and subcontracting, complexity, dynamics and compliance. There are risk visibility and trust issues, resourcing challenges, commercial angles, technological challenges and more to contend with. Cloud-related information risks are cloudy!

    Risk treatments for cloud and other information risks may include risk sharing, avoidance and acceptance - not just risk mitigation using security controls. Neither this standard nor ISO/IEC 27002 pays much attention to risk treatments other than mitigation using security controls.

    Particularly for small or immature organisations, cloud services providing email, file storage and office apps etc. may be treated as mere commodities, procured without adequate consideration of information risk, security, privacy etc. However, some cloud services may be critical for core business, and cloud generally increases the organisation’s attack surface and vulnerabilities. [This issue may be more relevant to ISO/IEC 27005 and ISO/IEC 27036.]

    Cloud services proved their value for resilience and flexible working through COVID. There are general principles and lessons here that can help organisations be better prepared to cope with future widespread/global challenges such as further pandemics, wars, Internet connectivity issues etc. Our challenge now is to draw them out, consider and embed them where appropriate - possibly in this standard.

    The standard has widespread support from ISO/IEC JTC 1/SC 27, ITU-T SG17, national standards bodies and CSA among others. However, aligning disparate perspectives and objectives while remaining within the defined scope of the current update project is tricky. SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient and given pressure from ISO not to proliferate Management Systems Standards ‘unnecessarily’. Therefore, SC 27 does not intend to develop a formal requirements specification standard against which to certify the security of cloud service providers specifically. Providers can however be certified against ISO/IEC 27001, ISO/IEC 27701 and other standards in the usual way, while there are non-ISO cloud security assessment and certification, classification, benchmarking or assurance schemes such as CSA STAR.

    This page last updated: 11 December 2025

  • ISO/IEC TS 27008 | ISO27001security

    ISO/IEC TS 27008
    ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)

    Abstract
    ISO/IEC 27008 “provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. [ISO/IEC 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.” [Source: ISO/IEC TS 27008:2019]

    Introduction
    This standard (strictly speaking a Technical Specification) on “technical auditing” complements ISO/IEC 27007. It is focused on auditing the information security controls (or rather the “technical controls”, which although undefined evidently means IT security or cybersecurity controls). In contrast, ISO/IEC 27007 concerns the management system.

    Scope
    ISO/IEC TS 27008 provides guidance for all auditors/assessors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s “necessary ISMS controls” satisfy the control objectives. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security.

    Structure
    Main sections:
    5: Background
    6: Overview of information security control assessments
    7: Review methods
    8: Control assessment process
    Annex A: Initial information gathering (other than IT)
    Annex B: Practice guide for technical security assessments
    Annex C: Technical assessment guide for cloud services (Infrastructure as a Service)

    Status
    The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 Technical Report. It set out to provide “Guidelines for auditors on information security controls”. The second edition was published in 2019 as ISO/IEC TS 27008:2019, a Technical Specification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. The title morphed into “Guidelines for the assessment of information security controls”, dropping the explicit reference to auditing. The third edition is currently in preparation, being revised to reflect ISO/IEC 27002:2022. It will revert to a Technical Report. It is at Draft Technical Report stage, likely to emerge during 2026.

    Commentary
    ISO/IEC TS 27008 gives technology auditors background knowledge to help them review and evaluate the information security controls being managed through an Information Security Management System. The current second edition:
    • Is applicable to organisations of all types and sizes;
    • Supports planning and execution of ISMS audits and the information risk management process;
    • Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);
    • Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;
    • Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation and intangibles such as reputation and image of the organisation and privacy, skills and experience of people);
    • Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard’s scope into the area of management systems auditing];
    • Supports effective and efficient use of audit resources.

    Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as (for example) those in Annex A of ISO/IEC 27001. ISO/IEC TS 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, ISO/IEC 27005 or ISO/IEC 27007 respectively.”

    'Technical compliance checking/auditing' is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced technology auditors. ‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls listed in ISO/IEC 27001 Annex A and described in ISO/IEC 27002. Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress.

    Liberal use of “technical” in phrases such as “technical compliance checking of information system controls”, “technical assessment” and “technical security controls” indicates that this standard is concerned with technology, implying IT or cyber security, specifically, rather than information risk and security in general.

    While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in the use of key terms such as: review, assessment, test, validation, check and audit. For example, are “information security auditors” the same as “certification auditors”, “IT auditors”, “internal auditors”, “ISMS internal auditors”, “compliance auditors”, “conformity auditors”, or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000: concerning that little list of terms, only “audit”, “information security” and “conformity” are defined, separately. “Risk assessment” is specifically defined but not “assessment” in general. So, conventional dictionary definitions presumably apply ... but don’t really help. For an international standard, it could hardly be more muddled.

    This page last updated: 11 December 2025

  • ISO/IEC 27033-5 | ISO27001security

    ISO/IEC 27033-5

    ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition)

    Abstract

    ISO/IEC 27033 part 5 “gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.” [Source: ISO/IEC 27033-5:2013]

    Introduction

    Part 5 revised ISO/IEC 18028 part 5. It extends the IT security management guidelines of ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations. It provides guidance for securing remote access over public networks.

    Scope

    Guides network administrators and technicians who plan to make use of this kind of connection, or who already have it in use and need advice on how to set it up and operate it securely.

    Structure

    Main sections:
    6 - Overview
    7 - Security threats
    8 - Security requirements
    9 - Security controls
    10 - Design techniques
    11 - Guidelines for product selection

    Status

    ISO/IEC 27033-5 revised and replaced ISO/IEC 18028-5. The current first edition of part 5 was published in 2013 and confirmed unchanged in 2019.

    Commentary

    Gives a high-level, incomplete assessment of the threats to VPNs (i.e. it mentions the threats of intrusion and denial of service but not unauthorized monitoring/interception, traffic analysis, data corruption, insertion of bogus traffic, various attacks on VPN end points, malware, masquerading/identity theft, insider threats etc., although these are mentioned or at least hinted at later under security requirements).

    Introduces different types of remote access including protocols, authentication issues and support when setting up remote access securely.

    This page last updated: 16 December 2025

  • ISO27k FAQ from ISO27001security

    Detailed answers to a bunch of Frequently Asked Questions about the ISO/IEC 27000-series information security standards

    ISO27k FAQ

    This unusually detailed FAQ poses and addresses Frequently Asked Questions regarding ISO27k, the ISO/IEC 27000 standards. There is a lot to say, lots of pragmatic advice to offer.

    FAQ topics

    About the ISO27k standards - A gentle introduction to the information security standards
    Implementing the standards - Guidance on interpreting and applying the standards in practice
    Managing information risks - Tips on identifying, analysing, evaluating and treating the risks
    ISO27k documentation - Required documents - SoA, RTP, policies, procedures, records ...?
    Assurance - Guidance on auditing and certification for confidence and trust
    ISMS maturity - Ideas on using continual improvement to embed and mature your ISMS

  • Get in touch | ISO27001security

    Get in touch with the backstage crew of 1 - questions, improvement ideas and complaints are all as welcome as compliments and other feedback. What can I do for you? How can I help?

    Connect

    Something to say or ask about the ISO27k standards? Comments on the new-look website? Improvement ideas and requests? Go ahead!

© 2026 IsecT Limited 
