
  • ISO/IEC 27007 | ISO27001security

    ISO/IEC 27007
    ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)

    Abstract
    ISO/IEC 27007 "provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme." [Source: ISO/IEC 27007:2020]

    Introduction
    ISO/IEC 27007 provides guidance for internal auditors, external/third-party auditors (e.g. those performing supplier security assessments) and others auditing ISMSs against ISO/IEC 27001, i.e. auditing the Management System for conformity with the standard. For Certification Bodies' conformity assessors, it supplements or complements the mandatory accreditation requirements specified formally in ISO/IEC 27006-1 with additional discretionary advice.

    The standard covers the process of ISMS-specific conformity assessment or auditing, emphasising the 'management system' elements:
      • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
      • Performing an ISMS audit (the audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
      • Managing ISMS auditors (competencies, skills, attributes and evaluation).

    Scope
    "[ISO/IEC 27007] provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme." [Source: ISO/IEC 27007:2020]

    Structure
    Main clauses:
      • 4: Principles of auditing
      • 5: Managing an audit programme
      • 6: Conducting an audit
      • 7: Competence and evaluation of auditors
      • Annex A: Guidance for ISMS auditing practice - includes advice on the documentation required by ISO/IEC 27001:2013, such as the Statement of Applicability.

    The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not-terribly-helpful explanatory comments (e.g. audits are likely to involve sensitive proprietary or personal information, hence auditors may need to be security-cleared to the appropriate level before auditing, and to secure audit evidence appropriately). However, the more valuable annex describes specific audit tests concerning the organisation's conformity with the requirements of ISO/IEC 27001.

    Status
    The first edition was published in 2011. The second edition was published in 2017. The current third edition was published in 2020.

    A fourth edition is in the works, belatedly reflecting ISO/IEC 27001:2022 and the imminent release of ISO 19011:2026. ISO 19011:2026 is expected to provide guidance on remote auditing (e.g. of virtual locations such as globally-distributed data centres providing cloud services) plus other editorial changes to the current version. Publication of the fourth edition of ISO/IEC 27007 is planned for 2027. It is at Committee Draft stage, coming along nicely. Reviewers seek to align the terminology and concepts more closely with ISO/IEC 27000, 27001, 27003 and 27005, for example not implying, suggesting or stating additional requirements beyond those formally stated in 27001. Additional approaches, guidance and options are fine so long as readers (implementers and auditors) are not led to believe that they must do a load of additional things in order to conform to 27001. Flexibility is valuable for such a broadly-applicable approach. Additional constraints or demands are not.

    Commentary
    As with ISO/IEC 27006-1, this standard primarily concerns conformity or compliance auditing, a particular form of auditing with a specific goal: to determine whether the audited organisation's ISMS conforms with (i.e. fulfils all the mandatory requirements specified formally by) ISO/IEC 27001. Such audits are primarily performed for certification purposes.

    Other types of audit have different assurance goals. Please don't make the mistake of assuming that all auditors are so-called "tick-and-bash" compliance/conformity auditors, or that all audits are compliance/conformity audits! Specifically in relation to information risk and security management, competent technology auditors might for instance:
      • Evaluate the organisation's strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);
      • Audit workers' conformity with organisational policies, procedures, directives, guidelines, employment contracts etc., in the general area of information risk, information security and privacy;
      • Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;
      • Examine the governance arrangements in this area, e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;
      • Audit the organisation's compliance/conformity with other relevant obligations and expectations, apart from ISO/IEC 27001, e.g. privacy and data protection, intellectual property protection, health and safety, and employment laws and regulations; fire codes and building standards; technical security standards and protocols; supplier, partner and customer agreements and contracts; industry guidelines; ethical codes ... including the associated arrangements such as enforcement actions, and how the organisation stays up-to-date with changes in the requirements;
      • Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and releasing any unrealised potential;
      • Examine 'assurance', 'integrity', 'confidentiality', 'availability', 'risk', 'information risk management', 'compliance', 'privacy' etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;
      • Review improvements made and explore further opportunities to improve the ISMS;
      • Examine the organisation's potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;
      • Survey, compare and contrast various stakeholders' opinions, comments and suggestions on the ISMS, teasing out and addressing deeper, longstanding concerns and points of common interest that might otherwise remain hidden;
      • Follow up on previous ISMS audits, reviews, penetration tests, security assessments, post-incident reports etc., delving deeper into areas of concern, extending the scope and picking up on recurrent or widespread issues;
      • Examine assurance management, e.g. the manner in which various audits or assessments are scoped, approved, resourced, conducted, reported, actioned and closed off, treating ISMS or technology audits as important examples;
      • Explore the management aspects of business continuity and resilience;
      • Look into the integration and interoperability of various management systems such as the ISMS;
      • Audit the organisation's information management as a whole, such as the integration of risk and security aspects with other business imperatives, and the proactive exploitation of information despite various risks;
      • Benchmark the ISMS against comparable organisations or business units, or against other operational management systems, e.g. quality assurance, environmental protection;
      • Measure and comment on the organisation's maturity in this general area;
      • Review the organisation's use of security metrics, reports and other management information.

    Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the basic conformity-assessment tick-n-bash approach. One of the best things about auditing is the chance to do something different for a change. Exploit the auditors' independence, competence, experience, skills, focus, information access, rigorous methods, trustworthiness, access to senior management etc. to delve into aspects that are rarely if ever addressed as part of routine management and operations - potentially including those awkward politically-charged issues that are studiously avoided, and longstanding problems that seem destined to remain, forever.

    Some pessimists see audits as information threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor and optimist (realist!), I see audits as valuable business opportunities to be exploited to the max. Make the best of them. Milk the value.

    This page last updated: 11 February 2026

  • ISO/IEC 27001 | ISO27001security

    ISO/IEC 27001
    ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition)

    Abstract
    ISO/IEC 27001 "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. [It] also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization ..." [Source: ISO/IEC 27001:2022]

    Introduction
    ISO/IEC 27001:2022 (known colloquially as "ISO 27001", "ISO27001", "27001" or "two seven double-oh one") formally specifies an Information Security Management System, a governance arrangement comprising a structured suite of organised activities with which to manage risks relating to the confidentiality, integrity and availability of information (called 'information security risks' in the standard). According to the ISO directives part 1 annex SL, an ISMS is a set of interrelated or interacting elements of an organisation to establish policies and objectives relating to the security of information, as well as processes to achieve those objectives.

    An ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation's information risks. The ISMS ensures that the security arrangements are appropriately designed and fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts. Adaptation is important in such a dynamic field, and a key advantage of ISO27k's flexible risk-driven approach as opposed to more prescriptive and rigid approaches such as PCI-DSS.

    Flexibility allows the standard to apply to all types of organisation (e.g. commercial enterprises, government agencies, non-profits, clubs) of all sizes (from micro-businesses to sprawling multinationals) in all industries (e.g. retail, banking, defence, healthcare, education and government), worldwide. Given such a huge brief, the standard is necessarily generic, specifying only the bare minimum: the core ISMS requirements common to all organisations.

    ISO/IEC 27001 does not formally demand specific information security controls, since the controls that are required vary markedly between organisations. The information security controls from ISO/IEC 27002 are summarised in Annex A of ISO/IEC 27001, rather like a menu. Organisations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, perhaps but not necessarily drawing on those listed in the menu and potentially supplementing or replacing them with other a la carte options (known as extended or custom control sets). The way to select "necessary" (applicable) controls is to undertake a comprehensive assessment of the organisation's information risks within the scope of the ISMS: this is one vital and mandatory part of the ISMS. Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through information security controls - a risk treatment decision within the specified risk management process. Appropriate governance arrangements and management controls are also needed to direct, control and oversee the ISMS: the standard gives fairly rudimentary and circumspect guidance in these areas.

    Scope
    The standard applies to any organisation that needs to protect and legitimately exploit information, systematically. 'Information' may include:
      • Business information belonging to the organisation itself, such as its financial, HR and operating info, trade secrets, intellectual property such as trademarks, designs, patents and brands, plus workers' knowledge and experience;
      • Business information belonging to third parties, such as commercial software and content licensed or given to the organisation for custodianship, plus public or community-owned info; and
      • Personal information belonging to individual people such as workers or supplier/customer contacts.

    Structure
    The standard has 10 clauses plus an unnumbered introduction and an annex:
      • 1: Scope - it specifies generic ISMS requirements suitable for organisations of any type, size or nature, in any location.
      • 2: Normative references - only ISO/IEC 27000 is considered absolutely essential reading for users of '27001.
      • 3: Terms and definitions - see ISO/IEC 27000.
      • 4: Context of the organisation - understanding the organisational/business context, the needs and expectations of 'interested parties' and defining the scope of the ISMS. Section 4.4 starkly states that "The organisation shall establish, implement, maintain and continually improve" the ISMS, meaning that it must be operational, not merely designed and documented.
      • 5: Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
      • 6: Planning - outlines the process to identify, analyse and plan to treat information risks, to clarify the objectives of information security, and to manage ISMS changes.
      • 7: Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
      • 8: Operation - more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they may be audited by certification auditors: certification is optional).
      • 9: Performance evaluation - monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
      • 10: Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the ISMS.
      • Annex A - Information security control reference: this does little more than name the controls in ISO/IEC 27002 - one-sentence summaries of 27002's one-page descriptions. The annex is 'normative', meaning that certified organisations are required to use it to check their ISMS for completeness (according to clause 6.2), but that does not mean they are required to implement the controls: given their particular information risks, they may prefer other controls or risk treatments, or the corresponding risks may be irrelevant (e.g. a totally virtual organisation with no business premises and no physical presence may determine that physical security controls are pointless). Refer to ISO/IEC 27002 for lots more detail on the security controls, including useful implementation guidance, and ISO/IEC 27005 to understand information risk management.
      • Bibliography: points readers to related standards, plus part 1 of the ISO/IEC Directives, for more information. In addition, ISO/IEC 27000 is 'normative' and there are several references to ISO 31000 on risk management.

    Status
    The first edition, based on BS 7799 Part 2 (1999), was published in 2005. The second edition, completely revised with substantial changes to align with other ISO management systems standards, was published in 2013, followed by two corrigenda (corrections). The current third edition, published in 2022, has some wording changes to the main-body clauses to reflect the revised ISO directives part 1 annex SL common structure/boilerplate for all the ISO management systems standards, plus a completely restructured and revised Annex A reflecting ISO/IEC 27002:2022.

    An amendment to ISO/IEC 27001:2022 was published in 2024, formally clarifying that, in clauses 4.1 and 4.2, the 'relevance of climate change should be considered' - a timely reminder to think broadly when considering the context and purpose of the ISMS. Take a look at "Secure the planet" for clues about potential touch points between information security and climate change.

    Commentary
    Whereas ISO/IEC 27001 does not use the word 'governance', a 'management system' combines a governance structure with a number of management controls to ensure management's strategic intent is put into effect, becoming an integral part of the organisation. In the case of an ISMS, the system enables management to direct, oversee, control and gain assurance in information risk, security, privacy and related areas. Other ISO management systems standards based on the same ISO boilerplate text presumably avoid the word 'governance' as well. This could be considered a systematic flaw in ISO's management systems approach. However, companion standards such as ISO/IEC 27014 provide guidance in that area.

    Planning for updates to any certification standard is tricky because of the need to allow time for the accreditation and certification bodies to plan and enact their transition arrangements, although ISO deliberately and pointedly stays clear of accreditation and certification so, in theory, it should not really matter. In practice, it does, meaning a delicate and ambiguous relationship between standards and certification.

    An ISMS documented almost entirely in the form of thought-provoking diagrams, mindmaps or motivational videos rather than the usual boring, wordy, static documents would be novel, radical, creative, perhaps even brilliant ... if only someone was willing to give it a go ...

    This page last updated: 11 February 2026

  • ISO/IEC 27003 | ISO27001security

    ISO/IEC 27003
    ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)

    Abstract
    "ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013." [Source: ISO/IEC 27003:2017]

    Introduction
    ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular, as opposed to the information security controls which are summarised in ISO/IEC 27001 Annex A and explained more fully in ISO/IEC 27002. The standard supplements and builds upon other ISO27k standards (particularly ISO/IEC 27000 and ISO/IEC 27001 plus ISO/IEC 27004, ISO/IEC 27005 and ISO/IEC 27014) and ISO 31000.

    Scope
    The current edition of this standard primarily interprets or explains the requirements stated formally in ISO/IEC 27001:2013. As a result of ISO's intent to make all the Management Systems Standards consistent in structure, form and style, and in order for it to be usable for conformity assessment (ISMS certification) purposes, the language of ISO/IEC 27001 is inevitably formal, curt and stilted, leaving little room for interpretation. In contrast, ISO/IEC 27003 offers more pragmatic explanations of the requirements.

    Structure
    For convenience, ISO/IEC 27003 mirrors the structure of ISO/IEC 27001, expanding on it clause by clause. The main clauses are therefore:
      • 4: Context of the organisation
      • 5: Leadership
      • 6: Planning
      • 7: Support
      • 8: Operation
      • 9: Performance evaluation
      • 10: Improvement
      • Annex: Policy framework [NOTE: this annex does not reflect or expand on the information security controls listed in ISO/IEC 27001 Annex A, since ISO/IEC 27002 already does that].

    For each ISO/IEC 27001 clause and subclause, ISO/IEC 27003:
      • Re-states the requirement/s;
      • Explains the implications; and
      • Offers a little practical guidance and supporting information, including examples, to help implementers implement.

    For example, this is what ISO/IEC 27001 says in section 4.1, 'Understanding the organisation and its context':

      "The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009."

    Section 4.1 of ISO/IEC 27003 first succinctly re-states the 'required activity':

      "The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS)."

    Then it expands on the reasons why it is appropriate and necessary to 'determine external and internal issues', providing a page of explanation to supplement the succinct and somewhat hard-to-understand text from ISO/IEC 27001. It explains, for instance, that the 'internal issues' include the organisation's culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and lists a further seven 'internal issues' to consider. It also identifies/cross-references other clauses that use this information. That alone would be a valuable expansion on ISO/IEC 27001 section 4.1, but ISO/IEC 27003 doesn't stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area - 3 pages in total concerning that one short subclause. The end result is that the reader gains a better understanding of the formal requirements from the main body clauses of ISO/IEC 27001 and a clearer idea of how to go about satisfying them.

    Status
    The first edition was published in 2010. It included implementation guidance. A substantially revised second edition, with more explanation but less implementation guidance, was issued in 2017.

    Work is under way now on a third edition, a project supposedly in three phases, although the first two have been blended together in practice:
      • Phase 1: Update references and realign to the 2022 versions of ISO/IEC 27001 and ISO/IEC 27002; consolidate guidance into the Guidance sections for each clause; clarify the wording to avoid even hinting at additional ISMS requirements beyond those in ISO/IEC 27001, following rumoured CASCO concerns about implied conformity aspects.
      • Phase 2: Adopt ISO's version of plain English, meaning substantial wording changes throughout, and expand ISO/IEC 27003 to cover the whole main body of ISO/IEC 27001 (excluding the Annex A controls, which are covered by ISO/IEC 27002).
      • Phase 3: Expand the implementation guidance, including brief introductions and references to related standards such as ISO/IEC 27004 and ISO/IEC 27005.

    The third edition is due to be published in 2027. The revision project is presently at Committee Draft stage, working on phases 1 and 2 (now merged, apparently). A new title is likely: "Information security, cybersecurity and privacy protection — Information security management systems — Guidance for the application of ISO/IEC 27001:2022". An amended scope is also likely, appending "and the ISO/IEC 27001:2022/AMD 1:2024", to acknowledge that climate change is to be considered.

    Work started in 2025 on another standard (either a second part to '27003 or a completely separate standard), with the development of a Preliminary Work Instruction. Whereas the second and third editions of ISO/IEC 27003 focus on explaining the formal ISMS requirements from ISO/IEC 27001, ISO/IEC 27003-2 (or whatever number it is given) is intended to offer practical guidance on implementing an ISMS, for example "setting up an implementation project, suitable top management involvement in the steering committee, setting a clear ambition level, appointment of a suitable project manager, etc." It will hopefully rejuvenate and update the implementation advice from the 2010 first edition that has been eroded and largely lost.

    Commentary
    It takes years to prepare and release each new edition. Meanwhile, the ISO27k ISMS implementation guideline is a plain-English explanation of the requirements from ISO/IEC 27001 (based on the ISO Directives Part 1 Annex SL Appendix 2 concerning the wording and intent of the boilerplate text for all ISO's management systems) plus pragmatic guidance for implementers (based on actual experience). The guideline is not an official ISO/IEC standard but, hey, it's free of charge ... and available now!

    To my eyes, the proposed ISO/IEC 27003-2 resembles phase 3 of the current revision project ... so it is possible that the revision might stop and release the third edition after completing phase 2's plain English rewording (which I suspect will involve a lot more work than was planned), deferring phase 3 to the new 'part 2' project. Maybe. We shall see.

    Although excluded from the current revision project, the scope and purpose of ISO/IEC 27003 could - at some distant future point perhaps - usefully extend beyond the ISMS design, implementation and certification phase to offer pragmatic advice on the operation, management, monitoring and systematic improvement of the ISMS. Certification of an ISMS is, after all, merely a milestone on the never-ending journey towards security maturity. As information security becomes an integral and valuable part of the organisation's routine business/operational activities and management, changes are bound to occur. Potentially '27003 might distinguish, encourage and support beneficial ISMS changes while discouraging counterproductive or detrimental ones. Alternatively, developing a separate ISO27k standard in parallel with the ongoing revision of ISO/IEC 27003 might be a quicker (less glacial) option, hinting at the possibility of a part 3 to this standard.

    This page last updated: 11 February 2026

  • ISO/IEC 27002 | ISO27001security

    ISO/IEC 27002
    ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)

    Abstract
    ISO/IEC 27002 "provides a reference set of generic information security controls including implementation guidance. [ISO/IEC 27002] is designed to be used by organisations: (a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; (b) for implementing information security controls based on internationally recognized best practices; [and] (c) for developing organisation-specific information security management guidelines." [Source: ISO/IEC 27002:2022]

    Introduction
    ISO/IEC 27002 is a popular international standard describing a generic selection of 'good practice' information security controls, typically used to mitigate unacceptable risks to the confidentiality, integrity and availability of information. It was based on British Standard BS 7799 in the mid-1990s, itself based on an oil company's proprietary information security manual. ISO/IEC 27002 is an advisory document, a guideline or recommendation rather than a formal specification such as ISO/IEC 27001. Organisations are advised to identify and evaluate their own information risks, selecting or designing and applying suitable information security controls to mitigate unacceptable risks, using ISO/IEC 27002 and other relevant standards and sources for guidance.

    Scope
    Like governance and risk management, information security management is a broad topic with ramifications for all organisations. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, clubs, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information. The specific information risks and hence control requirements differ in detail between organisations but there is a lot of common ground: for instance, most organisations need to address information risks relating to their employees plus contractors, consultants and third-party suppliers of various information and IT services such as networking and cloud computing.

    The standard is explicitly concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property) - not just IT/systems/network/cyber/digital security. It includes those, of course, but there's more to secure.

    Structure
    The standard lays out a 'reference set' of 93* generic information security controls with guidance, categorised into 4 main clauses or 'themes':
      • 5: Organisational controls - a large and misleadingly-named catch-all group of 37* controls that don't fit neatly into the following themes;
      • 6: People controls - 8* controls involving or relating to people, e.g. individuals' behaviours, activities, roles and responsibilities, terms and conditions of employment etc.;
      • 7: Physical controls - 14* tangible controls to secure tangible information assets;
      • 8: Technological controls - 34* controls involving or relating to technologies, IT in particular.

    The 93* controls are each tagged with one or more values for each of 5 attributes so they can be grouped, selected or filtered in other ways too. The attributes and attribute values are:
      • Control type: preventive, detective and/or corrective - relating to the stages of incidents at which the controls act;
      • Information security properties: confidentiality, integrity and/or availability - which of these information characteristics they protect;
      • Cybersecurity concepts: identify, protect, detect, respond and/or recover - a more detailed breakdown of the incident timeline;
      • Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance - reflecting the structure used in the previous edition of this standard;
      • Security domains: governance and ecosystem, protection, defence and resilience - another way to classify controls.

    The control attribute tagging reflects these complexities:
      • A given control may have several worthwhile applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people, and alternative suppliers/sources of necessary information services, as well as data backups);
      • An unacceptable risk typically requires several controls (e.g. malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS, authentication, patching, testing, system integrity controls etc., while avoiding infection can be a powerful approach if bolstered with controls such as policies and procedures, blacklisting etc.);
      • Many of the 'controls' identified in the standard are not atomic, being composed of several smaller elements or pieces (e.g. backups involve strategies, policies and procedures, software, hardware, testing, incident recovery, physical protection of backup media etc.).

    Some of the themes and attributes are arbitrarily assigned: for example, a commercial card access lock on a building entrance may fall into any, arguably all four, of the themes listed above, but if it and other such controls were covered several times, the standard would become unwieldy. More likely, it would be categorised as - primarily - a physical control, possibly with references to other elements. Organisations can usefully define and use their own attributes as well. ISO/IEC 27028 will soon provide guidance on that.

    * Note: there are 21 fewer control clauses in the third edition than the second, despite 11 new ones being added, because several second-edition control clauses were updated or merged. Each clause in fact comprises or incorporates numerous 'atomic' controls at a more detailed level of analysis. ISO/IEC 27002 notes or implies hundreds of detailed information security controls, in fact, way more than the nominal and often-stated total of "93".

    Status
    The first edition was published in 2005. The second edition was published in 2013. The completely restructured and updated third edition was published in 2022.

    At its September 2025 meeting, ISO/IEC JTC 1 SC 27 WG1 agreed to look into offering guidance on information security controls tailored for small organisations, starting with the development of a Preliminary Work Item clarifying the scope and purpose of such an SME infosec guideline.

    Commentary
    In my considered opinion, one of the most distinctive, innovative and valuable features of the original Shell policy manual, the UK DTI Code of Practice/DISC standard PD003 and British Standard BS 7799 was that they explicitly addressed information security, recommending approaches and controls to secure information in any form - not just computer data, systems, apps, networks and technologies. The focus was clearly on protecting the intangible, vulnerable and valuable information content. Over the decades since ISO/IEC adopted it as an international standard, it has gradually evolved into a tech-centric IT, ICT or cyber-security standard. The third edition of '27002 continues along the same trajectory.

    The third edition misses numerous opportunities to encourage users to consider their "information risks" in order to determine whether various controls are even needed to avoid or mitigate the risks, and if so what controls are appropriate, taking account of their effectiveness, costs, value, reliability etc. It is as if the controls laid out in the standard are not merely good practices worth considering under various circumstances, but required or mandatory to the extent that not implementing them might perhaps be considered inept, unprofessional or bad practice. There is a subtle presumption that most if not all the controls should be employed by all organisations, regardless of the diversity of organisations in scope and their differing information risks. This is misleading, and has remained an issue for several years.

    I miss the 'control objectives' from BS 7799: these succinctly explained what the controls were expected to achieve, giving them a business-related purpose that was readily interpreted in the particular context of an individual organisation. If management accepted that an objective was valid, the controls were worth considering not in the sense of being obligatory or even recommended, so much as examples of the kinds of things that could be put in place to achieve the objective. In the third edition, the risk-based control objectives have become watered-down and often self-serving 'purposes', with little to no explicit reference to the organisation's information risks that the suggested controls are supposed to mitigate - a retrograde step as far as I'm concerned ... potentially presenting an opportunity to fill in the gaps (watch this space!). However, some experts complained of 'challenging conversations' between auditors and management: I suspect the underlying issue there was a failure to understand the true nature of information risk and risk treatment options.

    While the restructured third edition is readable and usable on paper, the tagging and cross-linking of controls strongly favours database applications (even something as simple as Excel), allowing users to filter or select and sort the controls by whatever criteria or questions they pose - for instance, "Which physical security controls are relevant to privacy?" or "What preventive controls do not involve technology?". Given a suitable database application, the sequence is almost irrelevant compared to the categorisation, tagging and description of the controls. It will be interesting to see how this turns out.

    I am dismayed that the standard has been infected with the "cyber" virus, begging questions about definition and interpretation. Some contributors wanted the standard to cover both information security and cybersecurity controls, implying that they consider those to be distinct domains, while others first want to understand the differences before classifying controls ... and I must say I'm in the second group. What is the true meaning and scope of "cybersecurity", in fact?

    Similarly, the committee hoped to resolve confusion over the meaning of "policy" in the second edition by distinguishing three variants or hierarchical levels in the third:
      • "Information security policy" refers to the overall, high-level corporate policy at the peak of the classical policy pyramid, approved by 'top management'. 'Strategy' might have been a better term for this, at the risk of creating yet more confusion, but the ISO management systems standard boilerplate requires 'policy', so 'policy' (singular) it is;
      • "Topic-specific policy" refers to mid-level policies e.g.
topic-specific policies on access control and clear desk and clear screen” (the latter sounds, to me, more like a rule than a mid-level policy ... and indeed, as expressed by the project team, the topic-specific policy concept includes guidelines and rules, making this layer a blend, transition or link between the upper and lower levels). These are aligned with and support the high level policy, approved by ‘the appropriate management level’, and [within reason] may be adapted/interpreted locally by departments, business units etc . where their specific contexts (information risks, security requirements, business situations, locations etc .) differ from the overall corporate context; “Rule ” is the lowest, most detailed/specific level, defined as an “accepted principle or instruction that states the organisation’s expectations on what should be done, what is allowed or not allowed” (I’m not sure an organisation, per se , can ‘expect’ anything, or should have expectations on rather than of something: in a corporate context, rules are generally imposed by management on behalf of the organisation and its stakeholders ... but this definition was a bone of contention within SC 27 so a compromise is needed). Up Up Up This page last updated: 11 February 2026
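The database-style filtering of attribute-tagged controls described in the commentary above, as an added example that is not code from this page or from ISO/IEC 27002: a small catalogue carrying the five attribute dimensions plus the four themes, answering the page's two sample questions and also checking coverage of the five cybersecurity concepts (a gap analysis the tagging makes possible but the page does not spell out). The six controls, their X.n references and their tags are constructed for illustration, and "privacy_relevant" is an organisation-defined attribute of the kind the page says organisations may add.

```python
"""Attribute-tagged control catalogue with database-style filter queries.

Added example: not code from the ISO27001security page nor from ISO/IEC 27002.
Attribute dimensions and values follow the page's list (control type,
information security properties, cybersecurity concepts, operational
capabilities, security domains, four themes). The six control records, their
X.n refs and tags are CONSTRUCTED for illustration, not copied from the
standard. 'privacy_relevant' is an organisation-defined attribute (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    theme: str                      # organisational | people | physical | technological
    control_type: frozenset         # preventive | detective | corrective
    properties: frozenset           # confidentiality | integrity | availability
    concepts: frozenset             # identify | protect | detect | respond | recover
    capabilities: frozenset         # e.g. physical_security, continuity, ...
    domains: frozenset              # governance_and_ecosystem | protection | defence | resilience
    privacy_relevant: bool = False  # organisation-defined attribute (assumption)


def mk(ref, name, theme, types, props, concepts, caps, domains, privacy=False):
    """Shorthand constructor so the catalogue below stays readable."""
    return Control(ref, name, theme, frozenset(types), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains), privacy)


CIA = ["confidentiality", "integrity", "availability"]

# Constructed catalogue: placeholder refs X.1..X.6, tags chosen for illustration.
CATALOGUE = [
    mk("X.1", "Information backup", "technological", ["corrective"],
       ["integrity", "availability"], ["recover"], ["continuity"], ["protection"]),
    mk("X.2", "Physical entry controls", "physical", ["preventive"], CIA, ["protect"],
       ["physical_security", "identity_and_access_management"], ["protection"],
       privacy=True),
    mk("X.3", "Security awareness training", "people", ["preventive"], CIA, ["protect"],
       ["human_resource_security"], ["governance_and_ecosystem"], privacy=True),
    mk("X.4", "Protection against malware", "technological",
       ["preventive", "detective", "corrective"], CIA, ["protect", "detect"],
       ["system_and_network_security", "information_protection"],
       ["protection", "defence"]),
    mk("X.5", "Clear desk and clear screen", "physical", ["preventive"],
       ["confidentiality"], ["protect"], ["physical_security"], ["protection"],
       privacy=True),
    mk("X.6", "Event logging", "technological", ["detective"], CIA, ["detect"],
       ["information_security_event_management"], ["protection", "defence"],
       privacy=True),
]

CONCEPTS = ("identify", "protect", "detect", "respond", "recover")


def select(catalogue, *predicates):
    """Refs of the controls satisfying every predicate (logical AND), sorted."""
    return sorted(ctl.ref for ctl in catalogue if all(p(ctl) for p in predicates))


def physical_privacy_controls(catalogue=CATALOGUE):
    """Page's question 1: which physical security controls are relevant to privacy?"""
    return select(catalogue,
                  lambda ctl: "physical_security" in ctl.capabilities,
                  lambda ctl: ctl.privacy_relevant)


def preventive_non_tech_controls(catalogue=CATALOGUE):
    """Page's question 2: what preventive controls do not involve technology?"""
    return select(catalogue,
                  lambda ctl: "preventive" in ctl.control_type,
                  lambda ctl: ctl.theme != "technological")


def concept_coverage(refs, catalogue=CATALOGUE):
    """Map each cybersecurity concept to the chosen controls addressing it.
    An empty list is a gap in the selected control set (here: identify, respond)."""
    chosen = [ctl for ctl in catalogue if ctl.ref in set(refs)]
    return {k: sorted(ctl.ref for ctl in chosen if k in ctl.concepts) for k in CONCEPTS}


if __name__ == "__main__":
    print("physical security + privacy:", physical_privacy_controls())
    print("preventive, non-technological:", preventive_non_tech_controls())
    print("concept coverage, whole catalogue:", concept_coverage([c.ref for c in CATALOGUE]))
```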

  • ISO/IEC 27000 | ISO27001security

    ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition)

    Abstract

    "ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. [ISO/IEC 27000] is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in [ISO/IEC 27000]: cover commonly used terms and definitions in the ISMS family of standards; do not cover all terms and definitions applied within the ISMS family of standards; and do not limit the ISMS family of standards in defining new terms for use." [Source: ISO/IEC 27000:2018]

    Introduction

    ISO/IEC 27000 gives an overview of Information Security Management Systems (and thus many of the ISO27k standards), plus a glossary that formally defines many (but not all) of the specialist terms as they are used within the ISMS standards.

    Scope

    ISO/IEC 27000 is focused on the 'core ISO27k standards', meaning ISO/IEC 27001 to 27008. Other ISO27k standards are covered to a lesser extent and many are not mentioned at all (including, of course, new standards published after 2018).

    Structure

    The standard has three main clauses:

    3: Terms and definitions - a glossary formally defines 77 key terms as used in various ISO27k standards.

    4: Information Security Management Systems - an overview introduces information security, risk and security management, and management systems.

    5: ISMS family of standards - a reasonably clear though wordy description of the ISO27k approach and some of the ISO/IEC 27000-series of standards, from the perspective of the committee that wrote them.

    Status

    The first edition was published in 2009. It was updated in 2012, 2014, 2016 and 2018. The current 2018 fifth edition is available legitimately from ISO for free. This was a minor revision of the 2016 fourth edition with a section on abbreviations, and a rationalisation of the metrics-related definitions following the 2016 rewrite of ISO/IEC 27004.

    The sixth edition of ISO/IEC 27000 is a work-in-progress. In accordance with ISO directives, the current edition's vocabulary will be moved to an annex containing a "definition and explanation of commonly used terms in the ISO/IEC 27000 family of standards" - more specifically, the glossary will apply to ISO27k standards belonging to ISO/IEC JTC 1/SC 27/WG 1 (ISO/IEC 27001 to ISO/IEC 27011, ISO/IEC 27013, ISO/IEC 27014, ISO/IEC 27016, ISO/IEC 27017, ISO/IEC 27019, ISO/IEC 27021 to ISO/IEC 27024, ISO/IEC 27028 and ISO/IEC 27029). Terms will be grouped conceptually in the annex rather than alphabetically. However, various specialist terms used in ISO/IEC 27000 itself are to be defined in clause 3 as usual. The new sixth edition will be a lot shorter, halving the page count. Publication of the sixth edition is due this year. It is at Draft International Standard stage. The title is to become "Information security, cybersecurity and privacy protection — Information security management systems — Overview".

    Commentary

    Clause 4 "Concepts and principles", new to the sixth edition, is intended to clarify the fundamentals underpinning information risk and security management.

    The information security controls in ISO/IEC 27001 Annex A, 27002, 27010, 27011, 27017 and 27019 are to be termed "Candidate necessary information security controls" - a curious and ambiguous turn of phrase reflecting the committee's persistent difference of opinion in this area. 'Necessary' is for the organisation to determine according to its evaluation of information risks relative to its risk appetite. 'Candidate' is clearly not 'required' and is less than 'suggested', but still some readers and inept auditors may feel the controls have to be implemented by default: they don't.

    Given the chance, I would replace "information security risk" throughout the ISO27k standards with the shorter, simpler and more appropriate term "information risk". "Information security risk" is not formally defined as a complete phrase and doesn't even make sense: it is presumably trying to indicate that we are talking about risk in the context of information security, but it could be interpreted as "risk to information security" which I guess would include things such as failing to identify novel risks, and lack of management support for the function: those are indeed risks, but they are not the focus of ISO27k. "Information risk", in contrast, is reasonably self-evident but, if the committee feels the desperate need for an explicit definition, I suggest something as simple as "risk relating to or involving information" or even "risk pertaining to information", where both risk and information are adequately defined in dictionaries (whereas the current ISO27k definition of risk is unhelpful). Thus far, I have failed to persuade the committee to accept this terminological change, which admittedly would ripple through most of the ISO27k standards.

    However, the sixth edition's clause 4.1.2 is expected to include the following concerning information:

    "Information is an asset that, like other important business assets, is essential to an organization's business and, consequently, needs to be suitably protected."

    OK, yes it deserves adequate protection, but it also deserves legitimate exploitation for business purposes. That duality is something that management should address systematically using the ISMS as a framework.

    "It does not matter whether the information is owned by the organization or is entrusted to its care by a third party, e.g., a customer."

    Patently ownership of information does matter, so that statement is plain wrong. Protection and exploitation of information matter to the owners of both business/commercial/proprietary and personal information (including that belonging to employees, by the way). Even public-domain information can be of value to society, groups or individuals, while inaccurate, outdated, incomplete, misleading, coercive, manipulative or malicious information is of concern regardless of who owns it. I suspect that second sentence was supposed to build upon the first but somehow the linkage has been lost in translation, with unintended consequences. Pressing ahead:

    "Information can be stored in many forms, including digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as information in the form of knowledge. Information can be transmitted by various means including courier, electronic or verbal communication. Whatever form information takes, or how it is transmitted, it always needs appropriate protection."

    All good so far, but then ...

    "In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information."

    The final paragraph reveals the longstanding systemic bias towards technology (more specifically, Information Technology as opposed to, say, Operational, Communications or Smart Technologies) throughout the ISO27k standards. While clearly it is true that information security controls based on technology play a large part in protecting digital data, technology alone will never completely replace the need for humans to protect information as well, including the use of physical and organisational controls (such as policies, contracts and assurance measures). And, last but not least, the controls are specified, designed, used and managed by humans, while security incidents affect humans. In short, it's humans all the way down.

    This page last updated: 11 February 2026

  • ISO/IEC 27004 | ISO27001security

    ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management ― Monitoring, measurement, analysis and evaluation (second edition)

    Abstract

    "ISO/IEC 27004:2016 provides guidelines intended to assist organisations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes: (a) the monitoring and measurement of information security performance; (b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls; [and] (c) the analysis and evaluation of the results of monitoring and measurement." [Source: ISO/IEC 27004:2016]

    Introduction

    ISO/IEC 27004 concerns measurements or measures needed for information security management: these are commonly known as 'security metrics' in the profession (if not within ISO/IEC JTC 1/SC 27!).

    Scope

    The standard is intended to help an organisation evaluate the effectiveness and efficiency of its Information Security Management System, providing information necessary to manage and (where necessary) improve the ISMS systematically. It expands substantially on Clause 9.1 of ISO/IEC 27001 concerning 'monitoring, measurement, analysis and evaluation'.

    Structure

    Main clauses:

    4: Structure and overview - this standard supports and relates to ISO/IEC 27001;

    5: Rationale - explains the value of measuring things e.g. to increase accountability and performance;

    6: Characteristics - what to measure, monitor, analyse and evaluate, when to do it, and who should do it;

    7: Types of measures - performance (efficiency) and effectiveness measures;

    8: Processes - how to develop, implement and use metrics.

    Annex A is where most of the theoretical measurement model from the first edition of the standard now languishes. Annex B catalogues 35 example metrics of varying utility and quality, using a typical metrics definition form. Annex C demonstrates a pseudo-mathematical way to describe a metric, or rather an 'effectiveness measurement construct' (!).

    Status

    The first edition was published in 2009. It had a distinctly academic/theoretical style. A substantially revised (rewritten) second edition was published in 2016. It is more practical.

    Work is under way on a third edition. The committee plans to:

    Update the main body and appendix references to reflect the 2022 editions of ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005.

    Adopt ISO's version of plain English. This may involve extensive wording changes to make the standard easier to understand and apply.

    Provide additional metrics examples to suit organisations of all sizes.

    If all goes to plan, the third edition will be published before 2028.

    Commentary

    Since a management system is literally worse than useless without suitable metrics, it is appropriate for ISO/IEC 27001 to list this standard as a normative or essential standard. More than that, information security metrics are of value in all organisations, whether they have an ISO27k ISMS in place or not.

    I understand why ISO/IEC 27004 and several other ISO27k standards are aligned specifically to ISO/IEC 27001: the narrow scope and tight focus increases the chances of the standards being completed and published in a reasonable timeframe (a problem that plagued the first edition of ISO/IEC 27004). That leaves a gap for broader-scope standards, including a general purpose information risk and security metrics standard ... or indeed an entire book.

    The example metrics in Annex B of the current second edition are a mixed bunch, poorly described. Please don't think that you ought to be using them in your ISMS, unless they happen to address your specific management information needs. There are lots of moving parts to an ISMS, numerous objectives and hence plenty of measurable aspects. For example, the incident management process has numerous measurable parameters or factors at each of its eight phases:

    Prepare: readability of policies and procedures; team size, competencies; salaries.

    Identify: call-out rate; near-misses reported;

    Assess: incident breakdowns by type, severity etc.;

    Contain: investigation costs; business disruption;

    Investigate: incident root causes; causative factors;

    Resolve: impacts; time from occurrence to closure; repair costs;

    Learn: post-incident reviews completed; recurrent/persistent issues; actions arising;

    Overall: incident management process effectiveness and efficiency.

    The German standards body, DIN, suggested introducing the GQM (Goal-Question-Metric) approach into the standard - an excellent idea raised too late for the second edition. Unfortunately, it seems the current revision is once again missing the opportunity for this worthwhile improvement. Meanwhile, Lance Hayden's book "IT Security Metrics" ably explains using GQM to identify possible metrics, while "PRAGMATIC Security Metrics" by Brotby and Hinson describes a systematic method to evaluate them and improve their quality and value.

    This page last updated: 11 February 2026

  • ISO27001 Security | ISO27k info

    ISO27001 Security offers free information and guidance to help information risk and security professionals understand and get the most out of the ISO27k standards.

    Tools and resources to help you implement ISO/IEC 27001 and the other ISO27k standards: read about all the ISO27k standards and check out the FAQ. Download the free ISO27k Toolkit and join 5,500 professional peers on the ISO27k Forum (also free!). Keep up with hot news about ISO27k on the new ISO27k Blog.

    This website offers extensive, pragmatic guidance on the ISO/IEC 27000-series information risk and security management standards. In support of the global information risk and security community, we have up-to-date information on all 100 "ISO27k" standards and a user forum with over 5,500 professional members. All that, and more, for free!

    If you value this website, donations towards our costs are gratefully received. This not-for-profit initiative has run on a shoestring for decades. Our generous donors and advertisers (represented below) have stretched the shoestrings long enough to reach this far ... and we'd really like to keep going ...

  • ISO/IEC TS 27116-1 | ISO27001security

    ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT]

    Abstract

    [ISO/IEC TS 27116-1] "defines a general framework for customized and multipurpose evaluation." (!) [Source: Preliminary Work Item Oct 2025]

    Introduction

    ??

    Scope

    ??

    Structure

    ??

    Status

    A standard development project commenced in 2024, producing a Preliminary Work Item in October 2025.

    Commentary

    The PWI was incomplete so I still don't know what kind of 'evaluations' this standard will cover. Evaluation of what? Against what? Why? How? When? By whom? So many questions but next to no answers thus far.

    The dash-1 suggests this may be a multi-part standard. I have no idea what other parts are planned, if any.

    This page last updated: 26 January 2026

  • ISO/IEC 27099 | ISO27001security

    ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition)

    Abstract

    ISO/IEC 27099 "sets out a framework of requirements to manage information security for Public key infrastructure (PKI) trust service providers through certificate policies, certificate practice statements, and, where applicable, their internal underpinning by an information security management system (ISMS). The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy. [ISO/IEC 27099] is also intended to help trust service providers to support multiple certificate policies ..." [Source: ISO/IEC 27099:2022]

    Introduction

    Since trustworthiness is an essential characteristic of any Public Key Infrastructure, strenuous efforts are required to minimise all risks that might lead to loss of trust in PKI. The standard describes the use of an ISO/IEC 27001 Information Security Management System as a PKI management framework.

    Scope

    ISO/IEC 27099:

    Identifies information risk and security management requirements for PKI Trust Service Providers and Certification Authorities through Certificate Policies and Certification Practice Statements;

    Facilitates the implementation of operational, baseline controls and practices through an ISMS, building on and generalising the financial services PKI standard ISO 21188:2018 plus ISO/IEC 9594-8, ISO/IEC 19790 and RFC 3647;

    Supports the lifecycle of public key certificates used for digital signatures, authentication, or encryption key establishment and exchange;

    Primarily concerns PKI systems used in contractual relationships between organisations but also covers open (public) and closed (corporate/internal) PKIs;

    Is applicable to root and intermediate CAs, not just those issuing certificates directly to users.

    It does not address: attribute certificates; authentication methods; non-repudiation requirements; key management protocols based on the use of public key certificates; blockchain - at least, not explicitly.

    Structure

    The ~100-page standard has 3 main clauses and 6 informative annexes:

    5: introduces PKI concepts.

    6: CP, CPS and their relation to ISMS.

    7: CA objectives and controls, plus other requirements concerning the operation of a CA, based on the ISO/IEC 27002:2013 structure.

    Annex A: Management by CP.

    Annex B: Elements of a CPS (mapping to RFC 3647).

    Annex C: CA key generation ceremony.

    Annex D: Content and use of the CA audit journal.

    Annex E: Certificate and PKI roles.

    Annex F: Changes from ISO 21188.

    Status

    The current first edition was published in 2022.

    Commentary

    As with PKIs in general, this standard defines and uses 60 obscure terms of art plus 24 abbreviations, making it tough for non-specialists to comprehend - even tougher than PKI itself and cryptography in general. It is a detailed standard on an advanced, technical topic. It would take a lot of work to adopt ISO's version of plain English.

    This page last updated: 26 January 2026

© 2026 IsecT Limited 

 
