- ISO27k standards (List) | ISO27001security
  - ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition)
  - ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition)
  - ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)
  - ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)
  - ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation (second edition)
  - ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)
  - ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition)
  - ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)
  - ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)
  - ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition)
  - ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)
  - ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition)
  - ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition)
  - ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition)
  - ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition)
  - ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)
  - ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)
  - ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals (first edition)
  - ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)
  - ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]
  - ISO/IEC TS 27028 — Information security, cybersecurity and privacy protection — Guideline on using information security control attributes [DRAFT]
  - ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity (second edition)
  - ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition)
  - ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition)
  - ISO/IEC 27033-2:2012 — Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition)
  - ISO/IEC 27033-3:2010 — Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition)
  - ISO/IEC 27033-4:2014 — Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition)
  - ISO/IEC 27033-5:2013 — Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition)
  - ISO/IEC 27033-6:2016 — Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition)
  - ISO/IEC 27033-7:2023 — Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition)
  - ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts (first edition)
  - ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: Organisation normative framework (first edition)
  - ISO/IEC 27034-3:2018 — Information technology — Security techniques — Application security — Part 3: Application security management process (first edition)
  - ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition)
  - ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies (first edition)
  - ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition)
  - ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition)
  - ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)
  - ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition)
  - ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination (first edition)
  - ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)
  - ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements (second edition)
  - ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition)
  - ISO/IEC 27036-4:2016 — Information technology — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition)
  - ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition)
  - ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction (first edition)
  - ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operation of intrusion detection and prevention systems (IDPS) (first edition)
  - ISO/IEC 27040:2024 — Information technology — Security techniques — Storage security (second edition)
  - ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method (first edition)
  - ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition)
  - ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes (first edition)
  - ISO/IEC 27045 — Information technology — Big data security and privacy — Guidelines for managing big data risks [DRAFT]
  - ISO/IEC 27046 — Information technology — Big data security and privacy — Implementation guidelines [DRAFT]
  - ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition)
  - ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition)
  - ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition)
  - ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness (first edition)
  - ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)
  - ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services (first edition)
  - ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT]
  - ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]
  - ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition)
  - ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)
  - ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition)
  - ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition)
  - ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]
  - ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development guidelines (first edition)
  - ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview [DRAFT]
  - ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT]
  - ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines (first edition)
  - ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements (first edition)
  - ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition)
  - ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT (first edition)
  - ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)
  - ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)
  - ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes (first edition)
  - ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: Remote modes (first edition)
  - ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk (first edition)
  - ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)
  - ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)
  - ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)
  - ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition)
  - ISO/IEC TS 27560:2023 — Privacy technologies — Consent record information structure (first edition)
  - ISO/IEC 27561:2024 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) (first edition)
  - ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition)
  - ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition)
  - ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering (first edition)
  - ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT]
  - ISO/IEC 27566-1 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework [DRAFT]
  - ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL]
  - ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT]
  - ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL]
  - ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL]
  - ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities (first edition)
  - ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [PROPOSAL]
  - ISO/IEC 27574 — Information security, cybersecurity and privacy protection — Privacy in brain computer interface (BCI) applications [PROPOSAL]
  - ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition)
  - ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition)
  - ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)
- ISO27k standards info from ISO27001security
All about the ISO/IEC 27000-series information risk and security management standards

Introduction and overview of the ISO27k standards

"ISO27k" refers to the ISO/IEC 27000-series standards, a set of some 100 good-practice guidelines for managing the risks affecting or involving business, commercial, national and personal information. "ISO/IEC" denotes the two bodies that jointly develop and maintain the standards: ISO is the Geneva-based International Organization for Standardization, a non-governmental federation of national standards bodies from across the world; IEC is the International Electrotechnical Commission, another Swiss-based non-governmental body responsible for standardising various technologies.

Effective risk management protects valuable information against harm whilst also permitting its use for legitimate purposes. Both aspects matter: in theory we could lock the information away forever, permanently blocking access by everyone, but its value would decay to zero under such an excessive level of security.

The ISO standards lay out guidance in the form of generic 'management systems' that are flexible enough to be adapted to any organisation's unique situation and to various topics. You may already be familiar with ISO 9001 (for quality) or ISO 14001 (for environmental management). Management systems are specified in ISO/IEC 27001 (for information security) and ISO/IEC 27701 (for privacy). These structures support a systematic approach to:
  - identify the risks of concern, then analyse and evaluate them;
  - treat the risks appropriately (avoid, share, mitigate or accept them);
  - ensure the risk treatments are working properly in practice (assurance); and
  - handle changes and drive continual improvement (maturity).
Other ISO27k standards expand on particular aspects in more detail: ISO/IEC 27005, for instance, elaborates on the information risk management process, while ISO/IEC 27004 offers advice on security metrics. ISO/IEC 27002 is the catalogue of information security controls on which the sector-specific control sets are built (ISO/IEC 27011 for telecommunications, ISO/IEC 27017 for cloud services, ISO/IEC 27018 for PII in public clouds, ISO/IEC 27019 for energy utilities and ISO 27799 for health). Note that the controls in ISO/IEC 27002 are not mandatory in themselves: ISO/IEC 27001 requires an organisation to select controls on the basis of its own risk assessment and to justify inclusions and exclusions in its Statement of Applicability.

Certified conformity to ISO/IEC 27001 and ISO/IEC 27701 demonstrates that an organisation is serious about managing information security and privacy. Certification is against those two management-system requirements standards only (ISO/IEC 27006-1 and ISO/IEC 27706 set the requirements for the bodies that audit and certify against them); the rest of the family consists of supporting guidance or topic-specific requirements and is not itself the object of ISMS or PIMS certification. In short, ISO27k is about systematically protecting and legitimately exploiting valuable information for sound business reasons. The individual standards, with their current editions and the drafts in progress, are catalogued in the list above.
- ISO/IEC TS 27564 | ISO27001security
ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition]

Abstract
ISO/IEC TS 27564 "provides guidance on how to use modelling in privacy engineering. It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references, including International Standards on privacy engineering and on modelling. It provides high-level use cases describing how models are used." [Source: ISO/IEC TS 27564:2025]

Introduction
Modelling and other systems engineering approaches are useful when designing complex systems, such as IT systems plus their associated operating environments and processes. This standard is focused on using modelling and engineering to specify, design and embed suitable privacy arrangements/controls into complex [IT] systems that handle personal information. Determining requirements and incorporating privacy into the product lifecycle from the outset should reduce the issues that arise if privacy is neglected until later. Bolting on privacy (or security or safety) late in the day is suboptimal, albeit still better than nothing.

Scope
Guidance on applying the Model-Based Systems and Software Engineering (MBSSE) approach (as per ISO/IEC/IEEE 24641:2023 - Systems and software engineering - Methods and tools for model-based systems and software engineering) to design in appropriate privacy controls for complex systems using conceptual models.

Structure
Main sections:
5: Engineering with models (particularly MBSSE)
6: Privacy engineering with models (more MBSSE)
7: Guidance on the use of privacy models (and standards)
Annex A: Examples of using models for privacy engineering

Status
The current first edition was published in 2025.

Commentary
This standard explains the use of others such as ISO/IEC/IEEE 24641, ISO/IEC 27555 (models for deletion of personal information), ISO/IEC 27556 (models for managing privacy preferences), ISO/IEC 27559 (models for de-identification) and ISO/IEC 27561 (POMME) for privacy engineering. The systems engineering approach involves determining and taking account of the context in which a complex system is to be used, as well as the complexities within, to develop a definitive model. The architectural model, in turn, drives a coordinated approach to the system development, with updates as things progress to keep everything aligned - in this case, aligned around privacy, specifically. It is published as a Technical Specification rather than a full International Standard, presumably because the subject matter is still in development. As such, it should (according to the ISO Directives) be reviewed within just three years of the agreed "stability date" rather than the usual five years after publication.

This page last updated: 10 December 2025
- ISO/IEC 27565 | ISO27001security
ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT]

Abstract
ISO/IEC 27565 "provides guidelines on using zero-knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing information disclosure. It includes several ZKP functional requirements relevant to a range of different business use cases, then describes how different ZKP models can be used to meet those functional requirements securely." [Source: ISO/IEC 27565 FDIS]

Introduction
Zero Knowledge Proofs are mathematical techniques (families of cryptographic protocols) allowing someone (the prover) to prove to someone else (the verifier) that they are in possession of a secret, without actually disclosing the secret to the verifier or to some trusted third party. The secret is often a credential used for authentication (such as a password, biometric or personally identifiable information) but could equally be some other piece of sensitive/valuable information which is to remain confidential/private during the verification process. The process involves the prover (who knows the secret) convincing the verifier (who needs to check it) that a statement or assertion about the secret (e.g. "the person is older than 18 years") holds, without revealing anything beyond that (such as the date of birth). At the same time, a properly designed ZKP protocol substantially prevents malicious interference such as replay attacks (e.g. re-presenting a previous age-verification exchange that applied to a different person: the verifier contributes fresh randomness to each run, so an old transcript does not verify) and collusion between the parties.

Scope
This standard principally concerns the use of ZKP for privacy protection (e.g. someone checking the claimed identity or age of a person known to an authority, without the authority having to disclose or reveal that personal information), although other use cases are noted (e.g. digital wallets).

Structure
Main sections (in draft):
5: Introduction to ZKPs
6: Considerations of implementing ZKPs for attribute verification
7: Use cases of ZKPs
8: Privacy preservation using ZKPs
9: Functional use cases
10: Business use examples
Annex A: Factors facilitating or hindering ZKP developments
Annex B: Subject binding
Annex C: Example of a consistency check between two documents
Annex D: Example of ZKP for selective disclosure
Annex E: Examples of selective disclosure without using ZKP
Annex F: Example of secure comparison of two numbers
Annex G: Implementing digital credentials with ZKP

Status
The standard development project commenced in 2021. The standard is at Final Draft International Standard stage, heading for release at the end of 2025 or early 2026.

Commentary
Some 32 specialist terms are defined - a clue as to the complexity of ZKP. ZKP is an evolving/cutting-edge technique.

This page last updated: 9 December 2025
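The prover/verifier exchange sketched in the introduction above, as an added worked example that is not part of ISO/IEC 27565 or of this site: a Schnorr proof of knowledge of a discrete logarithm in Python. The prover shows it knows x with y = g^x mod p without revealing x; the verifier's fresh random challenge is what makes a captured transcript useless for replay; and simulate_transcript shows why a transcript convinces nobody except the verifier who chose the challenge (the zero-knowledge property). The group generation, function names and toy key sizes are assumptions for illustration only, far too small for real use, and the age-over-18 case in the standard needs a range proof built on top of this kind of building block, which is not shown here.

```python
"""Schnorr proof of knowledge of a discrete logarithm: a minimal interactive ZKP.

The prover knows x with y = g^x (mod p) and convinces the verifier of that
without revealing x, in three messages: commitment t, random challenge c from
the verifier, response s. Group parameters are generated at toy size purely
for illustration (constructed here, not taken from the standard) and are NOT
safe for real use.
"""
import secrets
from dataclasses import dataclass


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; bases 2, 3, 5, 7 suffice for n < 3,215,031,751."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Params:
    p: int  # safe prime, p = 2q + 1
    q: int  # prime order of the subgroup the proof lives in
    g: int  # generator of that subgroup


def make_params(start: int = 1 << 31) -> Params:
    """First safe prime >= start (toy size), plus a generator of its order-q subgroup."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    q = (p - 1) // 2
    g = pow(2, 2, p)  # a square has order dividing q; 4 != 1 mod p, so order is exactly q
    return Params(p, q, g)


def keygen(pr: Params) -> tuple[int, int]:
    """Secret x (the witness) and public y = g^x. Only x is ever private."""
    x = secrets.randbelow(pr.q - 1) + 1
    return x, pow(pr.g, x, pr.p)


def prover_commit(pr: Params) -> tuple[int, int]:
    """Message 1: fresh random r, send t = g^r. Reusing r under two challenges leaks x."""
    r = secrets.randbelow(pr.q - 1) + 1
    return r, pow(pr.g, r, pr.p)


def verifier_challenge(pr: Params) -> int:
    """Message 2: the verifier's own fresh randomness, which is what defeats replay."""
    return secrets.randbelow(pr.q)


def prover_respond(pr: Params, x: int, r: int, c: int) -> int:
    """Message 3: s = r + c*x mod q. The one-time r masks x, so s reveals nothing about it."""
    return (r + c * x) % pr.q


def verify(pr: Params, y: int, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p); holds exactly when s was built from the real x."""
    return pow(pr.g, s, pr.p) == (t * pow(y, c, pr.p)) % pr.p


def run_session(pr: Params, x: int, y: int) -> dict:
    """One honest interactive run; returns what an eavesdropper would capture."""
    r, t = prover_commit(pr)
    c = verifier_challenge(pr)
    s = prover_respond(pr, x, r, c)
    return {"t": t, "c": c, "s": s, "ok": verify(pr, y, t, c, s)}


def replay_is_rejected(pr: Params, y: int, transcript: dict) -> bool:
    """Someone without x re-sends an old (t, s); the verifier issues a new challenge."""
    c2 = verifier_challenge(pr)
    while c2 == transcript["c"]:  # the 1-in-q case where a replay would slip through
        c2 = verifier_challenge(pr)
    return not verify(pr, y, transcript["t"], c2, transcript["s"])


def simulate_transcript(pr: Params, y: int, c: int) -> tuple[int, int]:
    """Zero-knowledge made concrete: for a chosen c, anyone can forge an accepting (t, s)
    without x by picking s first and solving for t; real and simulated transcripts are
    identically distributed, so a transcript proves nothing to anyone who did not pick c."""
    s = secrets.randbelow(pr.q)
    t = (pow(pr.g, s, pr.p) * pow(y, pr.q - c, pr.p)) % pr.p  # y^(q-c) == y^(-c)
    return t, s


if __name__ == "__main__":
    params = make_params()
    x, y = keygen(params)
    run = run_session(params, x, y)
    print("honest run accepted:", run["ok"])
    print("replayed transcript rejected:", replay_is_rejected(params, y, run))
    t, s = simulate_transcript(params, y, c=7)
    print("simulated transcript accepted:", verify(params, y, t, 7, s))
```

Run it directly to see an honest run accepted, a replayed transcript rejected and a simulated transcript accepted. A non-interactive (Fiat-Shamir) variant derives c by hashing g, y and t instead of asking the verifier, which removes the live challenge and therefore needs a different replay defence, such as binding a verifier-supplied nonce into the hash.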
- ISO/IEC TS 27115 | ISO27001security
ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview (DRAFT)

Abstract
ISO/IEC TS 27115 "provides the foundations and concepts for the cybersecurity evaluation of complex systems. Two frameworks are defined: The first is used to specify the cybersecurity of a complex system, including system of systems. The second is used to evaluate the corresponding cybersecurity solutions. The frameworks use basic architecture concepts: to enable description of reference or solution cybersecurity architectures; to support model-based, comprehensive and scalable security solutions and their evaluation; and to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles." [Source: ISO.org info page]

Introduction
The standard attempts to explain how to (a) develop a security architecture (or design) for a complex system, and (b) evaluate a complex system against the architecture, using concepts and terms borrowed from the Common Criteria such as Target of Evaluation and security profile.

Scope
The formal definition of "complex system" as "a system or system of systems" is self-referential and unhelpful. The introduction refers somewhat obtusely to complex system as:
The complexity of security and legislation for privacy, cybersecurity or AI (hinting, perhaps, at 'the complex system' being a computer system of some sort plus its associated security arrangements and compliance framework);
'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);
Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.

Structure
Main sections:
5 - Overview
6 - Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"
7 - Security architecture evaluation - evaluating systems against criteria declared in their security profiles
8 - Architecture-based security profiles
9 - Composed security profiles (compilation of security profiles from individual systems comprising a system of systems)
Annex A - Architecture foundations
Annex B - Guidance for elaborating a security architecture
Annex C - Guidance for evaluating a security architecture
Annex D - Security example for a network infrastructure

Status
The standard development project commenced in 2023. It is now at Working Draft stage. It is due to be published in 2026 or 2027.

Commentary
This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the Working Draft has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.

This page last updated: 9 December 2025
- ISO/IEC 27043 | ISO27001security
ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes (first edition)

Abstract
"ISO/IEC 27043:2015 provides guidelines based on idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence. ..." [Source: ISO/IEC 27043:2015]

Introduction
The fundamental purpose of the digital forensics standards ISO/IEC 27037, ISO/IEC 27041, ISO/IEC 27042, ISO/IEC 27043 and ISO/IEC 27050 is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardisation will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations, even across multiple jurisdictions.

Scope
The standard concerns the principles behind, and the forensic processes involved in, investigating digital incidents.

Structure
Main sections:
5: Digital investigations
6: Digital investigation processes
7: Readiness processes
8: Initialization processes
9: Acquisitive processes
10: Investigative processes
11: Concurrent processes
12: Digital investigation process model schema
Annex A: Digital investigation processes: motivation for harmonization

Status
The current first edition was published in 2015 and confirmed unchanged in 2020. It is up for periodic review again in 2025 ... and looks likely to be confirmed as-is.

Commentary
I am puzzled why SC 27 publishes and maintains several distinct forensics standards covering different aspects of forensics, when they are in reality complementary parts of the same process:
ISO/IEC 27037 concerns the initial capturing of digital evidence.
ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics, e.g. ensuring that the appropriate methods and tools are used properly.
ISO/IEC 27042 covers what happens after digital evidence has been collected, i.e. its analysis and interpretation.
This standard covers the broader incident investigation activities, within which forensics usually occur.
ISO/IEC 27050 (in 4 parts) concerns electronic discovery ... which is pretty much what the other standards cover.
British Standard BS 10008 "Evidential weight and legal admissibility of electronically stored information (ESI). Specification" may also be of interest. A multi-part standard would make more sense to me, with a "part 1" overview explaining how the jigsaw pieces fit together.

This page last updated: 8 December 2025
- ISO/IEC TS 27008 | ISO27001security
ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)

Abstract
ISO/IEC 27008 "provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. [ISO/IEC 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks." [Source: ISO/IEC TS 27008:2019]

Introduction
This standard (strictly speaking a Technical Specification) on "technical auditing" complements ISO/IEC 27007. It concentrates on auditing the information security controls - or rather the "technical controls" (as in IT security or cybersecurity controls), whereas ISO/IEC 27007 concentrates on auditing the management system elements of the ISMS.

Scope
This standard provides guidance for all auditors/assessors regarding "information security management systems controls" [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation's required "ISMS controls" are implemented. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security.

Structure
Main sections:
5: Background
6: Overview of information security control assessments
7: Review methods
8: Control assessment process
Annex A: Initial information gathering (other than IT)
Annex B: Practice guide for technical security assessments
Annex C: Technical assessment guide for cloud services (Infrastructure as a Service)

Status
The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 Technical Report. It set out to provide "Guidelines for auditors on information security controls". The second edition was published in 2019 as ISO/IEC TS 27008:2019, a Technical Specification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. The title morphed into "Guidelines for the assessment of information security controls", dropping the explicit reference to auditing. The third edition is currently in preparation, being revised to reflect ISO/IEC 27002:2022. It has reverted to a Technical Report with a new abstract: "This Technical Report provides guidance for assessing the implementation of ISMS controls determined through a risk-based approach for information security management. It supports the information security risk management process and assessment of ISMS controls by explaining the relationship between the ISMS and its supporting controls." [Source: SC 27 Standing Document 11 (July 2022)] The third edition is just entering Draft Technical Report stage. It is likely to emerge during 2026.

Commentary
This standard gives auditors background knowledge to help them review and evaluate the information security controls being managed through an Information Security Management System. The current second edition:
Is applicable to organisations of all types and sizes;
Supports planning and execution of ISMS audits and the information risk management process;
Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);
Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;
Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation and intangibles such as reputation and image of the organisation and privacy, skills and experience of people);
Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard's scope into the area of management systems auditing];
Supports effective and efficient use of audit resources.
Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as (for example) those in Annex A of ISO/IEC 27001. ISO/IEC TS 27008 "focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, ISO/IEC 27005 or ISO/IEC 27007 respectively."
'Technical compliance checking/auditing' is explained as a process of examining 'technical' security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced technology auditors. 'Technical' controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls described in ISO/IEC 27001 and ISO/IEC 27002. Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress. Liberal use of "technical" in phrases such as "technical compliance checking of information system controls", "technical assessment" and "technical security controls" indicates that this standard is concerned with technology, implying IT or cyber security specifically, rather than information risk and security in general.
While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in the use of key terms such as: review, assessment, test, validation, check and audit. For example, are "information security auditors" the same as "certification auditors", "IT auditors", "internal auditors", "ISMS internal auditors", "compliance auditors", "conformity auditors", or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000: concerning that little list of terms, only "audit", "information security" and "conformity" are defined, separately. "Risk assessment" is specifically defined but not "assessment" in general. So, conventional dictionary definitions presumably apply ... but don't really help. For an international standard, it could hardly be more muddled.

This page last updated: 8 December 2025
- ISO/IEC 27018 | ISO27001security
ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)

Abstract
ISO/IEC 27018 "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, [ISO/IEC 27018] specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services ... The guidelines in [ISO/IEC 27018] can also be relevant to organizations acting as PII controllers." [Source: ISO/IEC 27018:2025]

Introduction
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers' clients by securing Personally Identifiable Information entrusted to them. See also ISO/IEC 27017 covering the wider information security angles of cloud computing, aside from privacy. The standard development project had widespread support from national standards bodies plus the Cloud Security Alliance.

Scope
The standard intends to be "a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organisations for implementing commonly accepted PII protection controls". The standard is primarily concerned with public-cloud computing service providers acting as PII processors. "A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer" [according to the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider's privacy controls. The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to tell their customers if they use sub-contractors. ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 are cited as 'normative' (i.e. essential) standards, along with ISO/IEC 17788 "Cloud computing - overview and vocabulary" and ISO/IEC 29100 "Privacy framework" (a free download!).

Structure
Main sections:
6: Organizational controls
7: People controls
8: Physical controls
9: Technological controls
Annex A: Public cloud PII processor extended control set for PII protection
Annex B: Correspondence between this document and the first edition ISO/IEC 27018:2019

Status
The first edition was published in 2014. The second edition (a minor revision) was published in 2019. The current third edition was published in 2025, having been updated to reflect ISO/IEC 27002:2022 and offering an 'extended control set' aligned with ISO/IEC 29100:2024.

Commentary
The standard builds on ISO/IEC 27002, expanding on its generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations around the globe. In most sections, it simply says: "The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply." The expansions or additions are straightforward - no surprises here.

This page last updated: 19 November 2025
- ISO/IEC 27403 | ISO27001security
ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition)

Abstract
ISO/IEC 27403 "provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems." [Source: ISO/IEC 27403:2024]

Introduction
"Domotics" was originally known as home automation a.k.a. "smart homes", where the domicile or home is described as "The private, hence highly customizable area where someone lives, alone or with guests or cohabitants" that "includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming." Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.

Scope
This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics rather than the "users" (consumers/retail customers). It covers the information security and privacy aspects of device-device interactions (e.g. hubs and subsystems) as well as human-device plus device-sensors/actuators that physically interact with the home, and networking both within the home and beyond (e.g. via Internet gateways).

Structure
Main sections:
5: Overview of the stakeholders (IoT device manufacturers, service providers, regulatory authorities and users), the lifecycles for IoT domotics developers, service providers and users, an architectural reference model, and an introduction to the 'security' (meaning cybersecurity) and privacy aspects.
6: Risk assessment guidelines covering cybersecurity and privacy risks (referring to eight other standards!).
7: 'Security' and privacy controls.
Annex A: Use cases - six examples of the principles in action.
Annex B: 'Security' and privacy concerns of various stakeholders with differing perspectives.
Annex C: Stakeholders' security and privacy responsibilities.
Annex D: 'Security measures' (cybersecurity and privacy controls) for various IoT domotics devices.

Status
The current first edition was published in 2024.

Commentary
Whereas "IoT" is a common abbreviation, "domotics" is a neologism derived from domus (Latin for house) and robotics. Rather than simply recommending a bunch of controls, the standard describes typical information [security and privacy] risks relating to domotics, and recommends information security controls to mitigate them, making this a risk-based ISO27k standard. Sounds good in theory, although strictly speaking several of the 'risks' described in the draft are in fact weak or missing controls, not risks. Information risks provide the rationale, context or basis for the controls. Helping readers identify and consider the information risks should give them a better appreciation of what the information security controls are meant to achieve - the control objectives. The risks and the controls in the standard are examples to stimulate readers into considering the risks and control objectives in their particular contexts.
Challenges (risks) in the home environment include:
Limited information security awareness and competence by most people. IoT things are generally just black boxes.
Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically permanently installed about the home (e.g. smart heating controls, door locks and cat feeders).
Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence.
Finite processing and storage capacities, plus limited user interfaces, hamper or constrain their security capabilities.
Lack of processes for managing security and privacy systematically at home. Any such activities tend to be ad hoc/informal and reactive rather than proactive.
Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
Dynamics and diversity: people, devices and services, plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment.
Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices, e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ...
Physically securing things against accidental or malicious interaction (e.g. someone reading the label with the default password, hitting the reset button, damaging or stealing the device) is difficult.
Limited ability to manage or control IoT device and service upstream supply chains, as well as the downstream installation, configuration, use, monitoring and maintenance of devices and services, with little if any coordination among the parties.
Given their number, variety and significance, I believe conventional, structured and systematic information risk management is largely impracticable for domotics: there is way too much to do here! In accordance with the risk-based approach that underpins all the ISO27k standards, this standard prioritises some significant information risks, encouraging IoT device and service providers to play their parts - although even that is difficult since they are only providing parts of a complex and dynamic system. The bigger picture remains of concern.

This page last updated: 19 November 2025
- ISO/IEC 27007 | ISO27001security
ISO/IEC 27007

ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)

Abstract

ISO/IEC 27007 "provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.” [Source: ISO/IEC 27007:2020]

Introduction

ISO/IEC 27007 provides guidance for Certification Bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001, i.e. auditing the Management System for conformity with the standard.

Scope

"[ISO/IEC 27007] provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme." [Source: ISO/IEC 27007:2020]

Structure

The standard covers the process of ISMS-specific conformity auditing, emphasising the 'MS' bit:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
- Managing ISMS auditors (competencies, skills, attributes, evaluation).

The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not-terribly-helpful explanatory comments (e.g. audits are likely to involve sensitive proprietary or personal information, hence auditors may need to be security-cleared to the appropriate level before auditing, and secure audit evidence appropriately). However, the more valuable annex describes specific audit tests concerning the organisation’s conformity with the requirements of ISO/IEC 27001.

Status

The first edition was published in 2011. The second edition was published in 2017. The third edition was published in 2020, having been updated to reflect ISO 19011:2018.

A fourth edition is being prepared, updating the third to reflect the 2022 release of ISO/IEC 27001 and the imminent release of ISO 19011 (due by early 2026). The new version of ISO 19011 will incorporate guidance on remote auditing, including remote auditing of virtual locations such as globally-distributed data centres providing cloud services, plus other editorial changes. Publication of the fourth edition of ISO/IEC 27007 is planned for 2027 - once again lagging two years behind the ISO 19011 update. It is at Committee Draft stage, coming along nicely.

Commentary

This standard primarily concerns conformity or compliance auditing, a particular form of auditing with a very specific goal: to determine whether the audited organisation’s ISMS conforms with (i.e. fulfills all the mandatory management system requirements specified formally by) ISO/IEC 27001. Such audits are primarily performed for certification purposes.

Other types of audits have different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance/conformity auditors, or that all audits are compliance/conformity audits! Specifically in relation to information risk and security management, competent technology auditors might for instance:
- Evaluate the organisation’s strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);
- Audit workers’ conformity with organisational policies, procedures, directives, guidelines, employment contracts/agreements and so on, in the general area of information risk, information security and privacy;
- Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;
- Examine the governance arrangements in this area, e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;
- Audit the organisation’s compliance/conformity with other relevant obligations and expectations, aside from ISO/IEC 27001, e.g. privacy and data protection laws, intellectual property protection, health and safety plus employment laws, fire codes and building standards, technical security standards, supplier, partner and customer agreements, industry guidelines, ethical codes ..., including the associated arrangements such as enforcement actions, and how the organisation ensures it remains up to date with changes;
- Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and any unrealised potential;
- Examine ‘assurance’, ‘integrity’, ‘confidentiality’, ‘availability’, ‘risk’, ‘information risk management’, ‘compliance’, ‘privacy’ etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;
- Review improvements made and explore further opportunities to improve the ISMS;
- Examine the organisation’s potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;
- Survey, compare and contrast various stakeholders’ opinions, comments and suggestions on the ISMS, teasing out the deeper, longstanding concerns that normally remain hidden/unspoken;
- Follow up on previous ISMS audits, reviews, penetration tests, security assessments, post-incident reports etc., delving deeper into areas of concern or extending the scope, and examining the manner in which audits etc. are scoped, conducted, reported, actioned, closed off etc.;
- Explore the management aspects of business continuity and resilience;
- Look into the integration and interoperability etc. of various management systems with the ISMS;
- Audit the organisation’s information management as a whole, such as the integration of risk and security aspects with other business imperatives;
- Benchmark the ISMS against comparable organisations or business units, or against other operational management systems, e.g. quality assurance, environmental protection;
- Measure and comment on the organisation’s maturity in this area;
- Review the organisation’s use of security metrics, reports, and management information.

Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the basic ‘check conformity with the standard’ approach. One of the best things about auditing is the chance to do something different for a change. Exploit the auditors’ independence, competence, experience, skills, focus, information access, rigorous methods etc. to delve into aspects that are rarely if ever addressed as part of routine management and operations - potentially including those awkward politically-charged issues that are studiously avoided, and longstanding problems that seem destined to remain, forever.

Some pessimists see audits as information threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor and optimist (realist!), I see audits as valuable business opportunities to be exploited to the max. If they must be endured, make the best of them.

This page last updated: 19 November 2025

