- ISO/IEC 27070 | ISO27001security
ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)

Abstract
ISO/IEC 27070 “specifies requirements for establishing virtualized roots of trust.” [Source: ISO/IEC 27070:2021]

Introduction
The integrity, and hence the value, of some security functions and subsystems (particularly those relating to cryptography) relies on their being based on trustworthy foundations known as the Root of Trust. Special RoT security arrangements are necessary to negate threats involving low-level exploitation of data-processing chips, devices or systems, which in turn compromises the higher-level firmware, device drivers, operating system and application software that build upon the RoT. Whereas trusted computing generally involves some form of Hardware Security Module (e.g. an ISO/IEC 11889 Trusted Platform Module) providing various cryptographic functions and key storage in a physically secure, tamper-resistant enclosure, that architecture is not well suited to cloud computing. In the cloud, systems are virtualised, hence they cannot readily access and rely directly upon a hardware-based RoT in the conventional manner.

Scope
The standard specifies functional requirements and information security controls supporting the provision of trustworthy foundations for cloud computing environments, where Virtual Machines are dynamically created to provide cloud services.

Structure
Main clauses:
5: Functional view - describes the architecture in functional/modular terms
6: Activity view - describes how the functional modules deliver the desired level of trusted computing
Annex A: Relationship between activity and functional views

Status
The current first edition was published in 2021.

Commentary
The trust, risk and security implications of this are, frankly, above my pay grade. As my withered little old brain understands it, the standard aims to establish a rock-solid foundation on which to build the house of cards delivering cloud computing services. Regardless of all the information risks and security controls at higher levels (of which there are many), providing a sound, trustworthy platform makes RoT a fundamental security requirement. Otherwise, we’re erecting skyscrapers in the swamp.

This page last updated: 22 February 2026
- ISO/IEC TR 27024 | ISO27001security
ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]

Abstract
ISO/IEC TR 27024 “provides a list of national regulations that reference ISO/IEC 27001 as a requirement.” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction
This Technical Report is meant to help management determine which of the ISO27k standards are recommended or required of their organisations for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.

Scope
The draft standard identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards, and explicitly concern:
  - Information security
  - Privacy/data protection
  - Digitalization and electronic archiving.
It does not (explicitly) cover numerous other areas of law less directly concerned with the confidentiality, integrity or availability of information, such as:
  - Governance
  - Contracts
  - Product quality/fitness for purpose
  - Cryptography
  - Digital signatures
  - Defence
  - Official secrets
  - Classified information
  - Health and safety
  - Financial data integrity, reporting and accounting
  - Medical records
  - Misinformation
  - Fraud
  - Forensics
  - ... and more besides.

Structure
The central chapter is expected to contain just 18 clauses, each listing a selection of relevant laws and regulations from a different country or region (such as the EU).

Status
A Technical Report is being developed from ISO/IEC JTC 1/SC 27 Standing Document 7, an internal committee reference document. Since SD7 is mature, the standard progressed rapidly to Draft Technical Report stage and was planned for release back in 2023. Patently, however, compiling and checking details on relevant laws and regs around the globe, along with editorial changes required by ISO, have substantially delayed release. The title may become “Government and regulatory use of ISO/IEC 27001, ISO/IEC 27002 and other information security standards”. It is at Committee Draft stage and was due to be published last year (2025). Maybe it will surface in 2026? Maybe not. We shall see.

Commentary
Depending on how one interprets part 2 of the ISO Directives, this standard may be stillborn: “A document does not in itself impose any obligation upon anyone to follow it. However, an obligation can be imposed, for example, by legislation or by a contract which makes reference to the document. A document shall not include contractual requirements (e.g. concerning claims, guarantees, covering of expenses), or legal or statutory requirements.” [clause 4]
If this remained as a Standing Document without the formalities of becoming a standard, it would be easier, quicker and cheaper to update it as the referenced standards, laws and regs change, with the bonus of being freely available to those who need the information ... but in its infinite wisdom, the committee decided to publish (and consequently maintain) it as a Technical Report.
Taking a broad perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information. In the extreme, virtually every law involves forensic evidence with strong CIA implications. Laws and regs relating to human safety are important to protect the valuable knowledge and competencies in our heads, while those relating to mental health affect our information processing capabilities. Laws and regs on tax and financial reporting and corporate governance all have information security implications. The standard is unlikely even to mention these, reflecting its arbitrary nature.
This standards project faces a similar conundrum to ISO/IEC 27002. It would be wonderful if the standard were truly comprehensive and up-to-date and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!

This page last updated: 11 February 2026
- ISO/IEC 27019 | ISO27001security
ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)

Abstract
ISO/IEC 27019 “provides information security controls for the energy utility industry, based on ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
  - central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
  - digital controllers and automation components such as control and field devices or programmable logic controllers (PLCs), including digital sensor and actuator elements;
  - all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
  - communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote-control technology;
  - Advanced metering infrastructure (AMI) components, e.g. smart meters;
  - measurement devices, e.g. for emission values;
  - digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
  - energy management systems, e.g. for distributed energy resources (DER), electric charging infrastructures, and for private households, residential buildings or industrial customer installations;
  - distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
  - all software, firmware and applications installed on above-mentioned systems, e.g. distribution management system (DMS) applications or outage management systems (OMS);
  - any premises housing the abovementioned equipment and systems;
  - remote maintenance systems for abovementioned systems.” [Source: ISO/IEC 27019:2024]

Introduction
This standard is intended to help organisations in “the energy utility industry” (such as conventional/non-nuclear electricity generators, plus suppliers of gas, oil and heating) to interpret and apply ISO/IEC 27002 in order to secure their industrial process control systems, i.e. their Operational Technology as opposed to Information Technology.

Scope
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems plus their associated safety and environmental criticality make some aspects particularly challenging for energy utilities. The standard therefore provides additional, more specific guidance on information security controls than the generic advice provided by ISO/IEC 27002, tailored to the specific context of process control systems used by energy utilities for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.
Note: given their unique and extreme risks, the scope of ISO/IEC 27019 explicitly excludes process control in nuclear facilities. See instead (for example) IEC 63096:2020 “Nuclear power plants - Instrumentation, control and electrical power systems - Security controls”.

Structure
ISO/IEC 27019 complements and must be read in conjunction with ISO/IEC 27002:2022 since it does not incorporate the content of ISO/IEC 27002. A dozen additional controls are offered for the energy sector.
Main clauses:
5: Organizational controls - with 2 supplementary controls
6: People controls
7: Physical controls - 4 supplementary controls
8: Technological controls - 6 supplementary controls
Annex A: Energy utility industry specific controls reference
Annex B: Correspondence between this document and the first edition (ISO/IEC 27019:2017)
The standard notes in clause 0.4: “In addition to the controls provided by a comprehensive information security management system, [ISO/IEC 27019] provides additional assistance and sector-specific measures for the process control systems used by the energy utility sector, taking into consideration the special requirements in these environments. If necessary, further controls can be developed to fulfil particular requirements. The selection of controls depends upon the decisions taken by the organization on the basis of its own risk acceptance criteria, the options for dealing with the risk and the general risk management approach of the organization. NOTE National and international law, legal ordinances and regulations can apply.”
Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control/OT as well as general commercial systems, networks and processes, plus ISO/IEC 27005 concerning the management of information risk.

Status
A preliminary edition was published as a Technical Report in 2013 by fast-tracking the German standard DIN SPEC 27009:2012-04 based on ISO/IEC 27002:2005. The first International Standard was published in 2017, based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645). A corrigendum to replace a stray “should” with a “shall” in the annex was published to critical acclaim in 2019. Hurrah! Crisis averted! The corrected standard was confirmed unchanged in 2022 ... but then was revised anyway to reflect the themed restructure and controls resequence of ISO/IEC 27002:2022, adding 12 suggested “ENR” controls to ISO/IEC 27002’s 96. The current second edition was published in 2024.

Commentary
The global energy industry has long had a strong safety culture since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are painfully apparent (Bhopal, Three Mile Island, Chernobyl, Exxon Valdez, Deepwater Horizon, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental obligations, both in terms of its own operations, the upstream primary industries (e.g. mining) and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
  - Threats such as natural disasters and deliberate attacks (sabotage) from hackers, Advanced Persistent Threats, spies and spooks, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electromechanical failures, malware/ransomware, social engineers etc.;
  - Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to a panoply of cyber-threats, including those resulting from design flaws and bugs in software, especially if they are not well designed, managed and maintained (e.g. security patching is distinctly challenging on safety-critical systems, given the need for assurance that patches do not harm safety); and
  - Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks).
Energy utilities, both public and private, are generally classed as part of the critical national infrastructures (e.g. under NIS 2 in Europe) due to their obvious strategic significance. With an extremely high level of automation, the energy industry relies heavily on OT, principally electronic process control systems such as Programmable Logic Controllers, Industrial Internet of Things, Industrial Control Systems and Supervisory Control And Data Acquisition, plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations in a modern plant, for example, depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control challenging and costly. In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.

This page last updated: 11 February 2026
- ISO/IEC 27551 | ISO27001security
ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)

Abstract
ISO/IEC 27551 “provides a framework and establishes requirements for attribute-based unlinkable entity authentication (ABUEA).” [Source: ISO/IEC 27551:2021]

Introduction
Attribute-Based Unlinkable Entity Authentication is a mechanism for authenticating unfamiliar parties through the services of a mutually-trusted third party, whilst maintaining the privacy of the party being authenticated. ‘Unlinkable’ refers to the need to be able to handle and process personal information anonymously, in a way that precludes identifying the original data subjects from the information being communicated and processed.

Scope
The standard describes a framework and requirements for ABUEA - a way of avoiding the privacy leakage that can occur when (for instance) we use Internet sites, providing different information to each one or on each occasion, giving the possibility of linking our disparate disclosures back to us, specifically.

Structure
Main clauses:
5: General objectives of attribute-based entity authentication
6: Properties of attribute-based entity authentication protocols
7: Unlinkability properties of attribute-based entity authentication protocols
8: Attributes
9: Requirements for level N attribute-based unlinkable entity authentication
Annex A: Formal definitions for security and unlinkability notions
Annex B: Examples of attribute-based entity authentication protocols
Annex C: ABUEA with OpenID & FIDO
Annex D: Use cases for attribute-based unlinkable entity authentication

Status
The current first edition was published in 2021.

Commentary
It would be a challenge to rewrite this standard in accordance with ISO’s version of plain English, given such a deep dive into the technology.

This page last updated: 12 February 2026
- ISO/IEC 27003 | ISO27001security
ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)

Abstract
“ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.” [Source: ISO/IEC 27003:2017]

Introduction
ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular, as opposed to the information security controls which are summarised in ISO/IEC 27001 Annex A and explained more fully in ISO/IEC 27002. The standard supplements and builds upon other ISO27k standards (particularly ISO/IEC 27000 and ISO/IEC 27001 plus ISO/IEC 27004, ISO/IEC 27005 and ISO/IEC 27014) and ISO 31000.

Scope
The current edition of this standard primarily interprets or explains the requirements stated formally in ISO/IEC 27001:2013. As a result of ISO’s intent to make all the Management Systems Standards consistent in structure, form and style, and in order for it to be usable for conformity assessment (ISMS certification) purposes, the language of ISO/IEC 27001 is inevitably formal, curt and stilted, leaving little room for interpretation. In contrast, ISO/IEC 27003 offers more pragmatic explanations of the requirements.

Structure
For convenience, ISO/IEC 27003 mirrors the structure of ISO/IEC 27001, expanding clause-by-clause on ISO/IEC 27001. The main clauses are therefore:
4: Context of the organisation
5: Leadership
6: Planning
7: Support
8: Operation
9: Performance evaluation
10: Improvement
Annex: Policy framework [NOTE: this annex does not reflect or expand on the information security controls listed in ISO/IEC 27001 Annex A, since ISO/IEC 27002 already does that].
For each ISO/IEC 27001 clause and subclause, ISO/IEC 27003:
  - Re-states the requirement/s;
  - Explains the implications; and
  - Offers a little practical guidance and supporting information including examples, to help implementers implement.
For example, this is what ISO/IEC 27001 says in section 4.1, ‘Understanding the organisation and its context’:
“The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009.”
Section 4.1 of ISO/IEC 27003 first succinctly re-states the ‘required activity’:
“The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).”
Then it expands on the reasons why it is appropriate and necessary to ‘determine external and internal issues’, providing a page of explanation to supplement the succinct and somewhat hard-to-understand text from ISO/IEC 27001. It explains, for instance, that the ‘internal issues’ include the organisation’s culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and lists a further seven ‘internal issues’ to consider. It also identifies/cross-references other clauses that use this information. That alone would be a valuable expansion on ISO/IEC 27001 section 4.1, but ISO/IEC 27003 doesn’t stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area - 3 pages in total concerning that one short subclause. The end result is that the reader gains a better understanding of the formal requirements from the main body clauses of ISO/IEC 27001 and a clearer idea of how to go about satisfying them.

Status
The first edition was published in 2010. It included implementation guidance. A substantially revised second edition, with more explanation but less implementation guidance, was issued in 2017.
Work is under way now on a third edition. The third edition was due to be published in 2027 but has been delayed to 2028. The revision project is presently entering third Committee Draft stage. A new title is likely: “Information security, cybersecurity and privacy protection — Information security management systems — Guidance for the application of ISO/IEC 27001:2022”. An amended scope is also likely, appending “and the ISO/IEC 27001:2022/AMD 1:2024”, to acknowledge that climate change is to be considered.
Work started in 2025 on another standard (either a second part to ’27003 or a completely separate standard), with the development of a Preliminary Work Instruction. Whereas the second and third editions of ISO/IEC 27003 focus on explaining the formal ISMS requirements from ISO/IEC 27001, ISO/IEC 27003-2 (or whatever number it is given) is intended to offer practical guidance on implementing an ISMS, for example “setting up an implementation project, suitable top management involvement in the steering committee, setting a clear ambition level, appointment of a suitable project manager, etc.” It will hopefully rejuvenate and update the implementation advice from the 2010 first edition that has been eroded and largely lost.

Commentary
It takes years to prepare and release each new edition. Meanwhile, the ISO27k ISMS implementation guideline is a plain-English explanation of the requirements from ISO/IEC 27001 (based on the ISO Directives Part 1 Annex SL Appendix 2 concerning the wording and intent of the boilerplate text for all ISO’s management systems) plus pragmatic guidance for implementers (based on actual experience). The guideline is not an official ISO/IEC standard but, hey, it’s free of charge ... and available now!
To my eyes, the proposed ISO/IEC 27003-2 resembles phase 3 of the current revision project ... so it is possible that the revision might stop and release the third edition after completing phase 2’s plain English rewording (which I suspect will involve a lot more work than was planned), deferring phase 3 to the new ‘part 2’ project. Maybe. We shall see.
Although excluded from the current revision project, the scope and purpose of ISO/IEC 27003 could - at some distant future point perhaps - usefully extend beyond the ISMS design, implementation and certification phase to offer pragmatic advice on the operation, management, monitoring and systematic improvement of the ISMS. Certification of an ISMS is, after all, merely a milestone on the never-ending journey towards security maturity. As information security becomes an integral and valuable part of the organisation’s routine business/operational activities and management, changes are bound to occur. Potentially ’27003 might distinguish, encourage and support beneficial ISMS changes while discouraging counterproductive or detrimental ones. Alternatively, developing a separate ISO27k standard in parallel with the ongoing revision of ISO/IEC 27003 might be a quicker (less glacial) option, hinting at the possibility of a part 3 to this standard.

This page last updated: 13 March 2026
- ISO27k FAQ from ISO27001security
Detailed answers to a bunch of Frequently Asked Questions about the ISO/IEC 27000-series information security standards

ISO27k FAQ
This unusually detailed FAQ poses and addresses Frequently Asked Questions regarding ISO27k, the ISO/IEC 27000 standards. There is a lot to say, lots of pragmatic advice to offer.

FAQ topics
  - About the ISO27k standards: a gentle introduction to the information security standards
  - Implementing the standards: guidance on interpreting and applying the standards in practice
  - Managing information risks: tips on identifying, analysing, evaluating and treating the risks
  - ISO27k documentation: required documents - SoA, RTP, policies, procedures, records ...?
  - Assurance: guidance on auditing and certification for confidence and trust
  - ISMS maturity: ideas on using continual improvement to embed and mature your ISMS
- ISO/IEC 27555 | ISO27001security
ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)

Abstract
ISO/IEC 27555 “contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. ...” [Source: ISO/IEC 27555:2021]

Introduction
This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100’s “Privacy framework”.

Scope
The standard is intended for organisations that store and process PII “and other personal data”, in particular PII Controllers who are primarily accountable for compliance with privacy laws. It does not address:
  - Specific provisions in laws and contracts (although it does reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
  - Specific deletion rules for particular types (“clusters”) of PII;
  - Deletion mechanisms such as those for cloud storage;
  - Security of the deletion mechanisms; nor
  - Specific techniques for de-identification (anonymisation) of data.
Standardising the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.

Structure
Main clauses:
5: Framework for deletion
6: Clusters of PII
7: Specification of deletion periods
8: Deletion classes
9: Requirements for implementation
10: Responsibilities
~30 pages

Status
The current first edition was published in 2021. It is currently being revised, with publication of the second edition planned for mid-2027. Changes are mostly for readability and consistency, with minor technical updates, e.g. PII clusters can include PII within or inferred from Machine Learning/AI models.

Commentary
The standard discusses deletion of “clusters” of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.

This page last updated: 26 March 2026
- ISO/IEC TS 27103 | ISO27001security
ISO/IEC TS 27103:2026 — Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework (first edition*)

Abstract
ISO/IEC TS 27103 “provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework.” [Source: ISO/IEC TS 27103:2026]

Introduction
“The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls are addressed. This can be done through a management systems approach. An Information Security Management system (ISMS) as described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to cybersecurity. [ISO/IEC TS 27103] demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management.” [Source: ISO/IEC TS 27103:2026]

Scope
The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a “risk-based, prioritized, flexible, outcome-focused, and communications-enabling framework for cybersecurity”.
The ‘cybersecurity framework and programme’ is described as a set of five ‘activities’ relating to the ‘target state for cybersecurity’ (in other words, objectives), applying the conventional systematic ISO27k approach to the management of ‘cybersecurity risk’:
  - Describe the organization’s current cybersecurity status;
  - Describe the organization’s target state for cybersecurity;
  - Identify and prioritize opportunities for improvement;
  - Assess progress toward the target state; and
  - Communicate among internal and external stakeholders about cybersecurity risk.
Somewhat confusingly, the ‘framework and programme’ also revolves around five ‘functions’ relating to the incident timescale - basically NIST’s Cyber Security Framework:
  - Identify - business context, resources and risks relating to critical [business] functions;
  - Protect - safeguard delivery of critical infrastructure services;
  - Detect - activities to identify cybersecurity events, promptly;
  - Respond - react to and contain identified events;
  - Recover - resilience and restoration of impaired capabilities or services.
The ‘functions’ are further divided into ‘categories’ and ‘subcategories’ which are cross-referenced to relevant clauses in ISO27k and other standards.

Structure
Main clauses:
5: Background - risk-based approach, stakeholders, framework and programme
6: Concepts - overview, framework functions
Annex A: Sub-categories - identify, protect, detect, respond, recover
Annex B: Three principles of the cybersecurity [plus ten essentials] for top management - an alternative to NIST’s CSF, cross-referenced to ISO27k standards

Status
* This standard was initially published as a Technical Report in 2018 and confirmed unchanged in 2022. It was updated, becoming the current first edition Technical Specification in 2026.

Commentary
See also ISO/IEC TS 27110. In ISO-land, a Technical Specification is a standard for an immature or developing technical subject. In theory, that means it should be formally reviewed within three years, becoming an International Standard if there is consensus ... otherwise continuing unchanged or being withdrawn.

This page last updated: 22 February 2026
- ISO/IEC 27036-4 | ISO27001security
ISO/IEC 27036-4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition)

Abstract
ISO/IEC 27036 part 4 “provides cloud service customers and cloud service providers with guidance on (a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and (b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. [Part 4] does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. [Part 4] does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of [part 4] is to define guidelines supporting the implementation of information security management for the use of cloud services” [Source: ISO/IEC 27036-4:2016]

Introduction
There are numerous information risks involved in the supply of cloud computing services: this standard encourages suppliers and customers to identify and address them, collaboratively in some cases.

Scope
Part 4 guides the suppliers and customers of cloud services on information security management for cloud services.

Structure
Main clauses:
5: Key cloud concepts and security threats and risks
6: Information security controls in cloud service acquisition lifecycle
7: Information security controls in cloud service providers
Annex A: Information security standards for cloud providers
Annex B: Mapping to ISO/IEC 27017 controls

Status
The current first edition of part 4 was published in 2016 and confirmed unchanged in 2022.

Commentary
Part 4 explicitly describes the information risks that it addresses. Full marks! Various security controls are recommended to mitigate unacceptable risks so, in order for an organisation to choose appropriate controls, it helps to know what those risks are.

This page last updated: 22 February 2026

