- ISO/IEC 27573 | ISO27001security
ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [DRAFT]

Abstract ??

Introduction ??

Scope

ISO/IEC JTC 1/SC 27/WG 5 intends to offer guidance on addressing the privacy challenges associated with the metaverse as people increasingly engage with virtual worlds through personal avatars projecting various aspects of their personality.

Structure ??

Status

The standards development project is currently at Working Draft stage. Publication is planned for 2028.

Commentary

This is an innovative, forward-looking proposal to prepare privacy guidance at this early, formative stage in the lifecycle of the metaverse. There is an opportunity to explore and address the privacy implications as an integral and supportive part of the ongoing developments in the field, from the outset, hopefully avoiding the difficulties and costs of having to retro-fit privacy controls to already-established norms later on.

This page last updated: 5 January 2026
- FAQ on ISO27k standards | ISO27001security
General info about the ISO27k standards as a whole - their scope and objectives, the core standards, that sort of thing.

ISO27k standards

What use is ISO27k for my organisation?

For more on this, see the free ISMS business case template, part of the ISO27k Toolkit.

Organisations that use the ISO27k standards gain worthwhile business benefits such as:

- Protecting valuable information: more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc., without imposing excessive security that would prevent it being exploited for legitimate business purposes.
- Reducing losses: cost-effective security controls minimise the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g. floods, equipment failures, misconfigurations, inadvertent disclosures).
- Increasing assurance and trust: conformity with ISO/IEC 27001 and ISO/IEC 27701 demonstrates the organisation's commitment towards good practices for information security and privacy respectively, plus, more broadly, support for compliance, ethics etc., to interested parties such as its customers, employees, partners, investors and the authorities.
- Achieving and maintaining compliance: various laws, regulations and contractual terms impose requirements relating to information security, privacy, accuracy, completeness, timeliness etc.
- Enhancing resilience: adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc.
- Bolstering brands: aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 and ISO/IEC 27701 enhances the organisation's reputation. It is increasingly being expected or demanded by discerning customers, partners, investors and regulators - in other words, it confers competitive advantage.

To be clear, there are costs associated with sound governance, risk management, security, privacy, assurance, incident management and so on ... but the business benefits outlined above substantially exceed the costs. The risks and costs involved in not taking security and privacy seriously can be existential, as is clear from the news headlines: serious hacking, ransomware and fraud incidents have devastated companies such as Sony Pictures Entertainment, Travelex and Barings Bank. Government institutions, defence, charities and healthcare organisations are far from immune. With their limited resources, Small to Medium-sized Enterprises stand little chance if targeted, or if mistakes are made in their accounting and tax processes, IT systems and networks. Protecting and exploiting computer data and other forms of information is critically important for business and vital for human safety.

There's no need to design a completely bespoke approach for your particular organisation. ISO27k constitutes a suite of internationally-recognised good security practices to suit any organisation, a stable platform on which to build.

Are these IT security (cybersecurity) standards?

When assessing and treating information risks, focus primarily on risks affecting critical business activities and information - the organisation's 'crown jewels'. The related computer systems, services and data play a secondary, supporting or enabling role, but don't forget the associated processes, people and relationships.

Yes, largely, but they are not limited to IT. The ISO27k standards are about protecting and exploiting valuable information in all forms, not just computer systems, services, networks and data.
Aside from computer data, 'information' includes:

- Printed or written information such as completed forms, signed contracts and rough notes;
- Information expressed verbally and visually at meetings, videoconferences, phone calls, briefings, seminars, even casual water-cooler or corridor conversations;
- Policies, procedures and work instructions;
- Shared corporate culture expressed through attitudes, priorities and ethics, plus personal angles such as body language, prejudices and bias;
- Knowledge and expertise in workers' heads, plus concepts, ideas, strategies, thoughts ...;
- Proprietary, business, personal, shared and public information;
- Intellectual property such as trade secrets, patents, trademarks and copyright information.

Various business units, departments and teams generate or acquire, use and benefit from valuable information. The IT Department is a custodian for much but not all of it. People throughout the business are accountable for both protecting and (legitimately) exploiting information in support of the organisation's strategic objectives, with the guidance and assistance of IT, risk, security and other specialists. Suppliers of telecommunications and cloud services, plus utilities such as power and water, all have parts to play in maximising the value of information, while information is an integral and important part of the organisation's products supplied to customers, partners and the authorities (e.g. company accounts and tax reports).

Where can I obtain [name any ISO27k standard]?

Google and shop around for the best deal.

Published ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organisations (agents). A few popular ISO27k standards are available through Amazon and other retailers. It is worth checking for localised/national versions of the standards. Several national standards bodies release translated versions of the standards in their own languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time.

ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use, making the definitive standards readily available to workers on the intranet.

Are there qualifications for ISO27k professionals?

Hands-on ISO27k ISMS implementation and audit experience, ideally with several organisations, is by far the best 'qualification' in the field. General information security and technology audit qualifications (such as CISSP, CISM and CISA) can help, and business/management qualifications (such as MBAs) are well worthwhile.

Not exactly, but there are certifications or designations. Unlike some IT certifications, ISO27k certifications lack a universally-recognised governing body. Common designations include ISO/IEC 27001 Lead Auditor (LA), with various paths from formal training and audits to experience-based qualification, and ISO/IEC 27001/27002 Lead Implementer (LI), which focuses on implementing the ISO27k standards. However, the value of such course-completion certificates is questionable. Demonstrable experience and competence are worth far more. Refer to ISO/IEC 27021 for guidance on "Competence requirements for information security management systems professionals".

Where else can I find answers on ISO27k and information security?

Whatever your current state of expertise, actively engaging in study and debate gets you onto the personal development fast-track.

Besides the ISO27k standards themselves, consider participating in professional social groups such as: ACM SIGSAC, CSA, ISC2, ISACA ENGAGE, the ISO27k Forum, ISSA, LinkedIn and OWASP.

What is ISO/IEC?

"ISO" is not an abbreviation but is in fact derived from the Greek word isos, meaning equal.
ISO primarily coordinates, facilitates and encourages collaboration between the national standards bodies, driving global standardisation.

ISO is the name of the Swiss-based standards body known in English as the International Organization for Standardization. IEC is an abbreviation for the International Electrotechnical Commission, another international standards body working closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed "ISO/IEC", although in casual terms we often shorten it to plain "ISO". ISO/IEC also collaborate with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecoms organisations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimise co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally.

What are all those other obscure abbreviations?

The processes are regimented - highly structured and consequently s-l-o-w. At several stages during the development of a standard, national standards body members are invited to vote and comment formally.

The following abbreviations are used by the committee developing ISO27k standards:

- AG - Advisory Group
- AMD - Amendment
- ARO - Approved RS Originator
- BRM - Ballot Resolution Meeting
- CB - [IEC] Council Board
- CD - Committee Draft (1st CD, 2nd CD etc., a quality-control phase, addressing editorial matters and typos *)
- CDV - [IEC] Committee Draft for Vote
- COR - Technical Corrigendum
- CS - [ISO] Central Secretariat
- DAM - Draft Amendment
- DCOR - Draft Technical Corrigendum
- DIS - Draft International Standard (nearly there, down to proofreading, hold your breath *)
- DoC - Disposition of Comments
- DR - Defect Report
- DTR - Draft Technical Report
- DTS - Draft Technical Specification
- FCD - Final Committee Draft (ready for final approval (voting), but rarely used *)
- FDAM - Final Draft Amendment
- FDIS - Final Draft/Distribution International Standard (just about ready to publish, final tweaks, pinch your nose and count to 100 *)
- HoD - Head of Delegation
- ICT - Information and Communications Technology
- IEC - International Electrotechnical Commission
- IPR - Intellectual Property Rights
- IS - International Standard (published! Yay!)
- ISO - International Organization for Standardization
- ITTF - Information Technology Task Force
- ITU - International Telecommunication Union
- ITU-R - ITU Radiocommunications Sector
- ITU-T - ITU Telecommunication Standardization Sector
- JCG - Joint Coordination Group
- JTAB - Joint Technical Advisory Board
- JTC 1 - [ISO + IEC] Joint Technical Committee 1
- JWG - Joint Working Group
- MB - (ISO) Member Body
- NB - National Body
- NC - (IEC) National Committee
- NP - New Project (the formal scoping phase, clarifying the proposal and formally seeking approval to proceed with the standards development project *)
- NWI - New Work Item
- OWG - Other Working Group
- PAS - Publicly Available Specification
- PC - Project Committee
- PDAM - Proposed Draft Amendment
- PDTR - Proposed Draft Technical Report
- PDTS - Proposed Draft Technical Specification
- PT - Project Team
- PWI - Preliminary Work Item - initial feasibility and outline scoping activities
- RER - Referencing Explanatory Report
- RG - Rapporteur Group
- RS - Referenced Specification
- SC - SubCommittee
- SD - Standing Document - now known as Committee Document
- SG - Study Group
- SMB - (IEC) Standardization Management Board
- SP - Study Period (preparing the NWIP ...)
- SWG - Special Working Group
- TAG - (ISO) Technical Advisory Group
- TC - Technical Committee
- TMB - Technical Management Board
- TR - Technical Report (published! See next Q&A)
- TS - Technical Specification (published! See next Q&A)
- WD - Working Draft (1st WD, 2nd WD etc. - the content development "preparatory" drafting phase)
- WG - Working Group

Aside from international standards, what are TRs and TSs?

See the ISO Directives for even more detail.

ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects:

- An International Standard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, 'codes of practice' (good practices) and management standards. An IS "provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context". Most aim to describe the final objective without prescribing the method of getting there (although they don't all meet that aim!). The review cycle is 5 years (maximum).
- A Technical Specification (TS) is a standard on an immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development leading, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS: Proposed Draft Technical Specifications.
- A Technical Report (TR) is informative rather than providing firm guidance. It may draw on surveys and reports, and may attempt to describe the 'state of the art'. Final drafts of these are called PDTR: Proposed Draft Technical Reports.
- A Publicly Available Specification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years.
- An International Workshop Agreement (IWA) is a PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years.

What is JTC 1/SC 27 and what are WGs?

Once you have ISMS experience, consider getting involved with SC 27's standards work by contacting your national standards body and volunteering.

ISO/IEC JTC 1/SC 27 is the Joint Technical Committee 1/SubCommittee 27 responsible for numerous information security, privacy and technological standards, including the ISO27k series. SC 27 is spread across five Working Groups focused on particular areas:

- WG1 for Information Security Management Systems;
- WG2 for cryptography;
- WG3 for security evaluation;
- WG4 for security controls and services;
- WG5 for identity management and privacy technologies.

How can I keep up with ISO27k?

If you have ISO27k news, please share it with the user community via the ISO27k Forum.

An easy way to keep in touch with developments is to bookmark this very website and call back every so often to see what's new. Another option is to Google ISO 27001 news or related terms. Professional information security-related organisations such as ISSA and ISACA often carry content on ISO27k. There are a few ISO27k groups on LinkedIn and other social media, of variable quality. Unfortunately most of them (other than the ISO27k Forum) are infested with spammers and well-meaning but inept commentators.
- FAQ on info risk and sec mgmt | ISO27001security
Answers to common questions and concerns about managing information risks and security controls under ISO27k.

Information risks

What are 'information risks'?

Simply put, information risk is 'risk pertaining to information'.

Breaking it down: Information is the valuable meaning or knowledge that we derive from data, the content of computer files, paperwork, conversations, expertise, intellectual property and so forth. Risks, in this context, are the uncertain prospect of harmful incidents. So, stitching it back together, information risk can be laboriously defined as 'Uncertainty involving or affecting information, normally the deliberate, incidental or accidental action of threats exploiting exposed vulnerabilities, causing harmful impacts'. To put that more succinctly, I define information risk as 'risk pertaining to information'.

While the ISO27k standards neither define nor use 'information risk', and 'information security risk' is not actually defined, two notes to the definition of 'risk' in ISO/IEC 27000 mention it: 'information security risks can be expressed as effect of uncertainty on information security objectives [and] Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization'. I prefer a business perspective: reducing the number and severity of adverse business impacts to an acceptable level is the primary objective of information security.

Is there a list of information risks?

The suggested resources are all generic, useful reminders of the general types of risk worth considering. Pore over your organisation's incident records and past risk assessments for further inspiration, and work with management to identify and consider information risks in your particular business context.

Yes, several, e.g.:

- The IT Grundschutz Catalogue (the baseline IT protection manual) includes an extensive threat catalogue, exhausting if not exhaustive;
- ISO/IEC 27002, NIST SP 800-53 and various other information security and privacy standards, laws and regulations are, in effect, incomplete information security control catalogues that may mention threats, vulnerabilities and impacts;
- ISO/IEC 27005 identifies a few threats and vulnerabilities in an annex;
- Mitre's CVE (Common Vulnerabilities and Exposures) is a useful, well-regarded catalogue of cybersecurity (meaning primarily technological/IT system) vulnerabilities. Again, not totally comprehensive but close enough for government work;
- Mitre's CAPEC (Common Attack Pattern Enumeration and Classification) is a structured catalogue of cybersecurity 'attacks', i.e. how some threat agents exploit some vulnerabilities.

Most information risk analysis and management support tools, systems, methods and advisories include examples or lists of things to consider. There are books, websites and articles on this topic. And finally, don't forget Google and AI.

What is information risk management?

This is a complex, busy process, liable to go badly wrong. ISO27k provides a sensible management structure or framework to help keep it on track.

'Management' indicates someone proactively addressing information risks on an ongoing basis, along with related governance aspects such as direction, control, authorisation and resourcing of the processes. The first stage is to identify potential information risks.
Several factors or information sources feed in to that:

- Vulnerabilities are the inherent weaknesses within our facilities, technologies, processes (including information risk management itself!), people and relationships, some of which are probably unrecognised or not fully appreciated;
- Threats are the external actors and natural events that might cause incidents if they acted on vulnerabilities causing impacts [Note: malicious, fraudulent, inept, coerced or misled insiders can present threats: we are not purely concerned about evil hackers, malware and terrorists roaming the Interwebs!];
- Assets are, specifically, information assets - valuable information content plus, to a lesser extent, the associated storage media, computer hardware devices etc.;
- Impacts are the harmful effects or consequences of incidents affecting assets, damaging the organisation and its business interests, often also third parties;
- Incidents range in scale from minor, trivial or inconsequential events up to disasters and outright catastrophes;
- Advisories, standards etc. offer relevant warnings and guidance from organisations such as CERT, the FBI and NSA, ISO/IEC, journalists, bloggers and podcasters, technology vendors plus information risk and security professionals. Threat and vulnerability intelligence services can be useful, along with security advisories and patch notifications from software, hardware, service and information suppliers.

Next, the evaluate risks stage involves considering all that information in order to determine the significance of various risks, which in turn drives priorities for the next stage. The organisation's appetite for risks is a major concern here, reflecting corporate strategies and policies as well as broader cultural drivers and personal attitudes of the people engaged in risk management activities.

Treat risks involves avoiding, mitigating, sharing and/or accepting them.
This stage involves both deciding what to do and doing it (implementing the risk treatment decisions).

Handle changes might seem obvious but it is called out due to its importance. Information risks are constantly in flux, partly as a result of the risk treatments, partly due to various other factors both within and without the organisation. The ISO27k way is risk-driven, such that the most significant risks at any point should be in hand ... but there is always more to do, so this is an endless journey across shifting sands.

Finally, a reminder that the organisation often has to respond to external obligations such as legal and regulatory compliance plus market pressures, customer expectations, commercial contracts etc. These also change from time to time, and should be actively monitored.

What risk analysis method should we use?

Determine your own risk analysis, risk management and/or governance requirements and evaluate the methods, tools, products etc. carefully. There is further advice on how to select specific methods/tools in the next FAQ.

Since neither ISO/IEC 27001 nor ISO/IEC 27005 specify or require a particular risk analysis method, you can select whichever method or (better still) methods align with your organisation's expertise and situation. Risk analysis methods are broadly categorised as quantitative (based on mathematical modelling and statistical analysis) or qualitative (experiential, subjective). ISO/IEC 27005 offers general advice on selection and use of methods in the ISMS context but does not insist on any specifics. It is perfectly acceptable, and often beneficial, to mix-n-match multiple methods. For instance, a high-level overview method might identify broad areas of concern (such as privacy), which can then be examined in detail using focused methods (e.g. privacy impact assessments).
Leverage the expertise of business departments such as Internal Audit, Risk Management, Health and Safety, Finance, Project or Programme Management and Operations, as their methods can often be applied to information risks. There is no need to abandon familiar tools simply for ISO27k. However, be mindful of discrepancies in results from different methods. Avoid simplistic approaches like choosing the least costly controls or addressing only the most obvious 'key' risks. Instead, use the analyses as decision support tools for management. Managers need to determine appropriate security investments, risk appetite and improvement timelines. This requires a combination of vision, expert advice and practical judgment.

Below is a very brief introduction to a number of information risk analysis and management methods, standards, guidelines and tools, plus some aimed at supporting Governance, Risk and Compliance and even Security Information and Event Management.

- Analog Risk Assessment (ARA) is a deceptively straightforward and quick method to analyse, discuss and consider risks subjectively and simplistically according to their relative probabilities of occurrence and levels of impact;
- Calabrese's Razor is a method developed by Chris Calabrese to help the Center for Internet Security prioritise technical controls in their security configuration guides. It helps evaluate and compare the costs and benefits for each control on an even footing;
- COBIT from ISACA is a comprehensive model guiding the implementation of sound IT governance processes/systems, including to some extent information security controls;
- COSO ERM (the Committee Of Sponsoring Organisations of the Treadway Commission's Enterprise Risk Management framework) is a general structured approach for managing all forms of organisational risk;
- Delphi is a forecasting technique involving successive rounds of anonymous predictions with consolidation and feedback to the participants between each round;
- DIY (Do It Yourself) methods offer a genuine alternative, not just a straw man. DIY involves using risk analysis methods with which you or your organisation are already familiar, perhaps home-grown methods or even those that are not normally used to examine information risks. With the same underlying principles, can your existing risk analysis methods, processes and tools be adapted for information risks?;
- FMEA (Failure Mode and Effects Analysis) is commonly used in engineering design. It focuses on the possible ways in which a system might possibly fail, almost regardless of the causes;
- The UK's IRM (Institute of Risk Management), AIRMIC (Association of Insurance and Risk Managers) and ALARM (The National Forum for Risk Management in the Public Sector) jointly released A Risk Management Standard way back in 2002, for all forms of organisational risk, not just information risk;
- ISO 31000 offers guidance on the principles and implementation of risk management in areas such as finance, chemistry, environment, quality, information security etc.;
- ISO/IEC 27005 isn't really a risk assessment or management method as such, more of a meta-method, an approach to choosing methods that are appropriate for your organisation;
- Mehari is a free open-source risk analysis and management method in several European languages developed by CLUSIF (Club de la Sécurité de l'Information Français) and CLUSIQ;
- NIST SP 800-30 "Risk Management Guide for Information Technology Systems" is a free PDF download from NIST. An accompanying guideline is also available and also free;
- NIST SP 800-39 "Managing Risk from Information Systems - An Organisational Perspective" is another freebie from NIST;
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is CERT's risk-based strategic assessment and planning technique for security. It takes a business rather than technology-centric view of security risks. OCTAVE Allegro is a quick version of OCTAVE;
- Risk IT from ISACA complements their other excellent tools COBIT and ValIT;
- Stochastic modelling methods using Markov chains, stochastic Petri nets, Monte Carlo simulation, Bayesian or other statistical techniques and probability theory are commonly applied to estimate uncertain risk values from incomplete data in the financial industry;
- Verinice is a free open-source tool supporting the BSI IT-Grundschutz standards. It's very nice.

We are not selling, recommending or endorsing any of them.
We haven't even used all of them, personally, and we don't know your requirements except in very general terms.

OK, how should we select risk analysis methods?

Don't get completely hung up on this: go with what you have and make it work for you, learning, refining, moving ahead. This is a classic opportunity for 'continual ISMS improvement'.

Read ISO/IEC 27005 for starters and think carefully about what you want. What do you expect the method or tool to achieve for you? Which factors and/or features are most important? Are there any things the method or tool should not do (e.g. gobble up excessive amounts of limited resources)? Determine your requirements such as:

- Quantitative or qualitative: opinions vary on the relative value of quantitative versus qualitative methods. Few information security or risk management professionals would recommend truly quantitative analysis of information risks in all circumstances due to the shortage of reliable data on incidents (probabilities and impacts), although they are potentially useful in some more narrowly-defined situations. One solution to this dilemma is to use quick/simple qualitative risk assessments followed by risk analyses on selected 'high risk' areas using more detailed qualitative or quantitative methods;
- Scope: are you purely looking at "information risks" or risks in a broader sense, and what do you really understand by "information risks" anyway: are you in fact concerned about risks to information assets, or business risks that happen to involve information, or something else? Furthermore, which information assets are you concerned with? What will happen with the out-of-scope risks that could be just as significant for the organisation, especially if they remain unrecognised, unanalysed and untreated?
- Scalability: are you looking to support a relatively simple analysis of risks for a single process or IT system, an organisation-wide analysis, or all of the above? Will you be completing the analysis just once or repeatedly, and if so how often?
- Maintainability and support: some methods use AI/decision support software, whereas others are procedural or can be supported by generic tools such as spreadsheets. Clearly, therefore, they vary in the amount of technical expertise required to install, configure and maintain them. Home-grown tools can be more easily and cheaply developed and modified in light of your experiences, whereas commercial tools tend to be slicker and more polished;
- Usability: some methods and tools lead the user through the risk analysis process a step at a time, whereas others are more free-form but arguably assume more knowledge and expertise of the users. Some attempt to reduce the information gathering phase to simplistic self-completion questionnaires for risk non-specialists, others require competent risk analysts;
- Value: simply put, value means the business benefits of the tool less the associated costs. Purchase price is not the only factor here.

Can you explain the SoA and RTP?

Don't get hung up on the names and acronyms. Concentrate on their purpose, which is to clarify the relationship between your organisation's information risks and their treatments.

Let's assume that, despite studying ISO/IEC 27001, you are unsure.

The Statement of Applicability is a formal definition of the controls employed by your ISMS. There needs to be some rationale to explain your reasoning and persuade the auditors that important decisions to include or exclude controls from Annex A or from elsewhere were made not arbitrarily but rationally, according to the risks. Be ready for some robust audit discussions if you decide not to implement common controls at all, blithely accepting significant risks.
Likewise, be ready for some robust management discussions if you decide to implement all of Annex A simply because it's an ISO standard, not because the controls are appropriate and necessary to mitigate (reduce) unacceptable risks.

The Risk Treatment Plan lists the risks identified and evaluated in your risk assessment, along with the associated treatments: unacceptable risks may be mitigated with controls listed in the SoA, or avoided, or shared with other organisations. Small risks may be willingly accepted if they fall within management's risk appetite or if the controls would cost more than the anticipated incidents, while various other risks (such as the possibility of erroneous assumptions within, and hence decisions based upon, your risk analysis) are implicitly and necessarily accepted.

How should we handle our client's information risks?

This may be an opportunity to sell your client some security/risk consultancy services! Either way, have your pet lawyer take a very careful look at any contracts or SLAs relating to third party information assets in your care, to be crystal clear about your information security obligations and liabilities.

The managers of, say, commercial shared data centre services should ideally involve (key) clients directly in (part of) the risk analysis. Helping client managers understand and elaborate the information risks relating to their assets should clarify what they expect and enables the supplier to appreciate what is expected - the priorities, for example. What comes first, and why?

If clients are unwilling or unable to engage fully with the risk analysis, managers should at least assess the information risks relating to the contracts and services from the supplier's perspective, including the risk that clients may have unrealistic or inappropriate expectations about the information security services provided.
A serious information security incident involving the supplier would almost certainly damage customer relations, might lead to legal arguments over the contract/SLA and could either put clients out of business or see them defect to another supplier. Similar considerations apply in other circumstances where the organisation handles information assets belonging to third parties - customers’ personal data and credit card details, for instance.

What is the difference between risk assessment and audit?

Challenging the status quo can be a valuable, if cathartic, experience. At the end of the day, just remember that the primary aim of both activities is to improve the organisation, stimulating management to make changes for the better. These are change catalysts, opportunities to improve.

Risk assessment identifies and analyses potential risks, while an audit typically evaluates the effectiveness of existing controls at keeping risks within the corporate risk appetite. Risk assessment tends to be a theoretical 'what if' exercise, often involving workshops, discussions and models to identify and explore inherent and residual risks. It is conducted by those familiar with the area, including risk managers and security experts. An audit, on the other hand, is a more practical, hands-on 'show me' activity. Among other things, auditors examine and validate the controls in place to determine whether they adequately address various risks – both in theory (if they worked as designed and documented, would they be sufficient?) and in practice (are they, in fact, working as designed and documented?).

A key distinction is independence: audits can only be conducted by independent auditors, providing an unbiased perspective. Auditors bring fresh eyes, challenge assumptions and identify blind spots. Compliance audits, such as ISO/IEC 27001 certification audits, specifically assess adherence to regulations and standards.
They also consider the risk of non-conformity: significant issues can not only prevent certification but undermine the ISMS, potentially putting the organisation’s entire approach at risk. Finally, the risk assessment process itself is auditable, while auditors must also manage audit risks, such as failing to identify, evaluate and report critical issues appropriately.

Which compliance obligations are relevant to ISO27k?

The obligations or rules expressed formally in legal language tend to be minimalist, meaning that compliance alone may not protect the organisation’s business interests. Compliance is necessary but not sufficient. You may prefer to handle this separately from the ISMS.

The organisation's compliance with various obligations can be an important driver to implement an ISMS, not least because the ISMS can take some of the weight off management’s shoulders. Managers generally either accept the need to comply, or can be persuaded to do so in order to avoid the personal adverse consequences (typically fines, prison time and career limitations).

As to which obligations are relevant, there are loads of them! Although I Am Not A Lawyer (IANAL), here is an incomplete listing of the general types or categories of laws, regulations etc. that have some relevance to information, information risk, information security and thus potentially the ISMS:

- Building codes – structural integrity, resistance to fires, floods, earthquakes, fire exits …
- Business records – financial reporting, tax, credit, banking, money laundering, company accounts …
- Business continuity – critical infrastructure, resilience …
- Classified information – governmental and military, spying, official secrets, terrorism, organised crime …
- Commercial contracts – Non-Disclosure Agreements, digital signatures, maintenance and support agreements, Internet/distance selling, invoicing, credit and payment, PCI-DSS, plus various other obligations on or towards business partners, suppliers, customers, advisors, owners …
- Community relations – being a good neighbour, supporting the underprivileged …
- Consumer protection – product designs, advertising, branding, warranties, fitness for purpose, merchantability, quality and security …
- Corporate governance – company structure, ownership and control, obligations of Officers, independent oversight/audits …
- Cryptography – standards, laws and regs e.g. restrictions on use and export of strong crypto …
- Defamation – libel, slander …
- Employment – disciplinary process, pre-employment screening/background checks, contracts of employment, codes of conduct …
- Environmental – pollution, eco-friendliness, greenwashing …
- Ethics – morals, cultural and religious aspects e.g. Sharia law;
- Forensics – chain of custody, warrants and warrantless searches, admissibility …
- Fraud – identity fraud, misrepresentation, embezzlement, malfeasance …
- Freedom of information – enforced disclosure, including ‘discovery’ in legal disputes;
- Hacking – malware, ransomware/coercion, denial of service, unauthorised access …
- Health and safety – safety-critical control systems, fire exits, building standards/codes, industrial control systems, working conditions, hazards …
- Industry-specifics – some industries are tightly regulated, others less so …
- Insurance – terms and conditions, excesses, disclosure of relevant facts …
- Intellectual property – copyright, trademarks, patents, DMCA, trade secrets, publication/disclosure etc., protecting both the organisation’s IP and that of third parties;
- Permits – operating licenses in some industries and markets, software licenses …
- Pornography – paedophilia, discriminatory/offensive materials, blackmail …
- Privacy – data protection, personally identifiable information …
- Surveillance – spying, wiretapping, CCTV, monitoring, investigation, forensics …
- Technical – standards and interoperability e.g. ISO27k, TCP/IP, DNS, Windows compatibility …
- Telecommunications – networking, lawful/unlawful interception, mail fraud …
- Theft – of hardware and media …
- Trespass – right of access, right to exclude, ‘citizen’s arrest’ …
- International – as well as domestic laws and regulations, those in other countries might also be applicable if your business has an international presence or uses cloud and other services hosted overseas …
- Others: speak to your Legal/Compliance team about this.

By the way, beware changes to the legislation and ‘case law’ (where judges/courts interpret things in particular ways, sometimes setting legal precedents). Aside from being familiar with the obligations, someone needs to keep on top of the associated policies, contracts, agreements, standards and codes, plus awareness and training, compliance/conformity assessments and enforcement aspects.
For example, do you have the policies and procedures in place for exceptions and exemptions? Do you need to check compliance and perhaps enforce your organisation’s obligations on third parties, e.g. confidentiality agreements with business partners and former employees?

Warning: assuming you are an information security professional looking into this, be very wary of being expected, or even perceived by colleagues and management, to be a legal expert. Even professional lawyers specialise because the field is too broad for anyone to be entirely competent across the board. Senior managers generally own and are accountable for corporate compliance. Don’t take on their mantle! By all means offer general advice and guidance but leave them fair and square with the compliance burden. For your and their protection, explicitly recommend that they seek the guidance of competent professionals. Once again, for good measure, IANAL and this FAQ is not legal advice.

What should we do about exceptions?

Key to this approach is the personal accountability of Information/Risk Owners for adequately protecting their information assets. If senior management doesn't understand or support concepts such as exceptions, exemptions, accountability, responsibility, ownership, information assets and risk, then patently the organisation has significant governance issues to address first!

First understand the vital difference between exceptions and exemptions*:

- Exceptions are unauthorised noncompliance/nonconformity with requirements, typically identified by audits, management reviews, during the system design phase when developing software and processes, or revealed by information security incidents;
- Exemptions are authorised noncompliance/nonconformity. Exemptions are the way to formalise risk management decisions when Information/Risk Owners explicitly accept specific identified risks on behalf of the organisation for legitimate business reasons.
For example, imagine that an IT systems audit has identified that system A is configured to accept passwords of at least 6 characters, while the corporate password standard mandates at least 8 characters. This is an exception that should be brought to the attention of the Information/Risk Owner for system A. The owner then considers the situation, considers the risk to the organisation and to the information asset, takes advice from others and decides how to treat the risk. The preferred response is to bring the system into line with the policies. However, that is not always possible. If instead the decision is to accept the risk, an exemption to the specific policy requirement is granted, but - and this is the important bit - the Information/Risk Owner is held personally accountable by management for any security incidents relating to that exemption, by simple extension of their accountability for protecting their information assets.

Exemptions should be formalised, e.g.:

- The Information/Risk Owner should be required to sign a crystal-clear statement regarding their understanding and acceptance of the risk to their asset if the exemption is granted, acknowledging that they are personally accountable if the risk materialises;
- The exemption should be granted by being countersigned on behalf of management by an authoritative figure such as the CEO or CISO;
- Optionally, the exemption may specify compensating controls (such as explicit guidance to users of system A to choose passwords of at least 8 characters in this case);
- All exemptions should be formally recorded on a controlled corporate register;
- All exemptions should be reviewed by the owners and management periodically (e.g. every year) and, if still required and justified, renewed using the same formal process as the initial authorisation.
Typically exemptions may be renewed and continue indefinitely just so long as the owner is prepared to continue accepting the risk and management is prepared to accept the situation, but some organisations may impose limits (e.g. an exemption automatically expires after one or two years and cannot be renewed without a majority vote in favour by the Board of Directors).

If there are loads of exceptions and especially exemptions to what are supposedly mandatory requirements, management really ought to reconsider whether the requirements are truly mandatory. If in fact they are, any current exemptions should be set to expire at some future point, forcing owners to select risk treatments other than ‘accept the risk’. Information Security should take up the challenge to help improve conformity. If the requirements are not in fact mandatory after all, the policies etc. should be revised accordingly.

* Note: organisations use different words for these two concepts, such as exceptions and waivers, or exemptions and waivers, or even exemptions and exceptions with their meanings reversed. The specific terms don’t particularly matter provided they are clearly defined, the distinction is clearly understood and they are used consistently in practice.

I’m confused about ‘residual risk’ …

Proactively and systematically managing residual risks indicates a mature or maturing ISMS. It suggests the organisation already has a grip on its unacceptable risks and is taking a sensible, realistic approach.

Residual literally means 'of the residue' or 'left over'. So, residual risk is the left-over risk remaining once risk treatments have been applied. For example, suppose that after risk assessment there are 3 risks (A, B and C): risk A is acceptable, B and C are not acceptable. After risk treatment, B becomes acceptable but C is still not acceptable. Which is the residual risk: just C? Or B and C? It’s a trick question. In fact, A, B and C all leave some (residual) risk behind …
- Accepted risks are still risks: they don't cease to have the potential for causing impacts simply because management decides not to do anything about them! Acceptance merely means management doesn't believe they are worth reducing further. Management may be wrong (Shock! Horror!) - the risks may not be as they believe, or things may change;
- Mitigated or controlled or managed risks are still risks: they are reduced but not eliminated, usually, and the controls may fail in action (e.g. antivirus software that does not recognise and block 100% of all malware, or that someone accidentally disables one fateful day);
- Eliminated risks are probably no longer risks, but what if the risk analysis was mistaken or the risks aren’t in fact 100% totally eliminated? What if the situation changes?
- Avoided risks are probably no longer risks, but again the risk analysis may have been wrong, or someone may deliberately or inadvertently take the risk anyway, especially if there are weak or missing administrative controls and awareness of the decision to avoid the risk;
- Shared risks are reduced but are still risks, since the sharing may not turn out well in practice (e.g. if an insurance company declines a claim for some reason) and may not be adequate to completely negate the impacts (e.g. the insurance 'excess' charge, or denial of claims). Remember that the manager/s who elected to share risks are personally accountable for those decisions if it all turns to custard, goes pear-shaped or hits the fan …
- ISO/IEC TR 27109 | ISO27001security
ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]

Abstract: ?? None yet

Introduction: It appears the standard intends to address the claimed dire global shortage of cybersecurity professionals, hopefully increasing the supply of newly-minted professionals to the market by suggesting standard curricula for educators offering college and university courses etc. Maybe.

Scope: ?? Too early to say

Structure: The standard may:
- Cover cybersecurity awareness (?), training and education;
- Suggest common/standard education and training curricula in this area;
- List/mention applicable national guidance, strategies or regulations.

Status: A Technical Report is in preparation. It was originally to be published in 2024 but the project was extended to 2026 for ‘additional technical work’. The standard development project missed its extended deadlines and so was cancelled in September 2025 ... but was magically rejuvenated as another 3-year project (I have no idea how that works!)

Commentary: The standard will hopefully complement rather than replace ISO/IEC 27021 concerning competencies required of ISMS professionals. ISO/IEC JTC 1/SC 27 is collaborating with another committee on ‘cybersecurity competence’. If national guidelines are to be listed in this standard, the details will need to be collated and managed indefinitely, implying a stream of maintenance updates to keep the standard reasonably accurate and current. Why is such an approach even being considered? Most other international standards don’t attempt to list national aspects except perhaps as examples.

This page last updated: 26 January 2026
- ISO27k Forum | ISO27001security
Join the global self-help community of >5,000 ISO27k/infosec professionals, lurk and chip in if you feel inspired. It's FREE!

The ISO27k Forum

The Forum is a Google Group/email reflector for ISO27k practitioners, a supportive global community of peers-helping-peers.

The back story

Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of more than 5,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their experience, expertise and wisdom freely with others. Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards, particularly those with practical implementation experience and knowledge they are willing to share with the community. We also welcome students and newbies taking their first baby steps, studying and in time maybe adopting the standards. The Forum and this website demonstrate our support for the liberal social principles on which the Web was founded - our way to give a little back to the online world that gives us so much.

Purpose and vision

This is a practitioners’ group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in genuine real-world situations (see the typical topics).
Typical ISO27k Forum members:

- Are generally interested in information security standards;
- May have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, CRISC, GIAC and similar;
- May be CISOs, ISMs, CROs, Compliance Managers, Cybersecurity Managers, Infosec Consultants, IT Security Specialists, Security Analysts or whatever;
- May be students, academic researchers and teachers;
- Would like more information about applying the standards in real life, beyond that available on this website and elsewhere;
- Are planning to implement, actively implementing, fully conformant with or simply using the ISO27k standards, or are auditing organisations against the standards, or are advising others about the standards;
- May work for organisations that have been certified conformant with ISO/IEC 27001 or are working towards that point;
- Would like to help promote the standards more widely;
- May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect;
- Wish to discuss information security management standards, practices, methods etc. with the community of professional peers;
- Are here to give and to take, to contribute knowledge and learn new stuff.

Sharing is important to us. As a member put it, “We are a TEAM - Together Everyone Achieves More”.

Sign me up!

Our favourite topics

The Forum is a low-volume, high-quality group.
We discuss anything and everything ISO27k-related, such as:

- Assurance - ISMS internal audits, management reviews, certification, surveillance, accreditation, supplier security audits, trust centres ...;
- Business Continuity Management including resilience, recovery and contingency planning, and ISO 22301;
- Business cases: reasons to embrace the ISO27k standards in furtherance of business objectives, going beyond mere conformity, and gaining executive/board-level support;
- Concepts and terms-of-art in risk and security e.g. threats, vulnerabilities, probabilities, impacts, exposure, incidents, CIA, preventive, detective, corrective controls, people, process, physical, technology controls, inherent and residual risks, risk appetite, risk tolerance, risk vs opportunity, protecting and exploiting information ...;
- Control attributes - using the parameters, characteristics or features to select and make the most of security controls;
- Documentation - mandatory vs discretionary, audiences, purposes, content, document controls ...;
- Governance of information, information risk, information security etc., including organisation structures, reporting lines, direction, oversight, monitoring and conformity, management support and involvement, integrating management systems;
- How to implement the standards - pragmatic advice from those who have been there, done that;
- Information risk management methods such as Business Impact Analysis, threat intelligence, risk modelling;
- Information security controls for software, system, network and service development, provision and acquisition, for cloud, privacy, safety, IT, OT, AI, IoT ...;
- Information Security Management Systems, of course, plus viable strategies, implementation plans, resourcing, timescales, priorities, options, shortcuts, tips;
- Metrics for measuring information risk and security, for monitoring, reporting and management;
- News about ISO27k and related standards;
- Policies, procedures, rules, guidelines, laws and regulations, content, structure, purpose and value, compliance, conformity, enforcement and reinforcement;
- Preventive and corrective actions, continual improvement, maturity, post-incident reviews ... and incident management;
- Privacy, data protection, safety, quality and other obligations;
- Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
- Scope, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they do, what they are supposed to contain ...;
- Security awareness - why it’s needed, how to do it, making it cost-effective;
- 'The ISO27k way' - a systematic, structured, information risk-driven approach underpinning all the ISO27k standards;
- Tools and resources supporting busy CISOs, ISMs, SOCs, analysts, trainers, documenters and consultants.

This is just a potted selection to give you a flavour of the discussion. As well as the FAQ, we have accumulated a huge amount of worthwhile content in the group’s archive so it's worth getting to grips with Google’s search syntax.

Projects

Occasionally, ISO27k Forum members collaborate in crowdsourcing topical issues, such as drafting new materials for the ISO27k Toolkit. We have also contributed to the promotion and further development of the ISO27k standards.

Privacy

If you join the ISO27k Forum, you will obviously receive ISO27k-related emails. We will not exploit, sell or give away your email address or other personal information. If you post a message to the Forum, your email address is shown in the message header. Other members may email you directly rather than the entire group. We actively discourage anyone from overtly advertising on the Forum or pestering members but vendors may contact you directly/off-list if you express an interest in their products. Feel free to create a unique email address solely for the Forum and please let us know if you receive spam. We utterly detest and actively fight spam.
Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the ravenous bugblatter beast of Traal or, under our environmental policy, may be gently composted back into mother Earth.

Forum tips and etiquette (important!)

Guidelines to keep the ISO27k Forum on track, and benefit the whole community:

- Please be professional and respectful at all times.
- The Forum is deliberately non-commercial: no advertising or promoting your organisations and products, no commercial offers, no vacancy notices etc. Definitely no spamming! Conventional email signatures are fine though. Just be discreet. Take commercial matters off-line with individuals, not via the Forum.
- Add your name to your postings: what should we call you?
- The Forum’s primary language is plain English. Be considerate.
- Browse the archives (using the Google Groups search) before posting. Glance back a few weeks at least to see where current threads arose. Read the ISO27k FAQ.
- Stay on-topic! This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters.
- Take a moment to explain your context: Why are you writing? Why does it matter? What have you already done in an attempt to find an answer? What type of organisation do you represent? Industry? Size? Location? How mature is your ISMS? What stage are you at?
- When responding to a post, don’t change the subject line unless you are deliberately heading off at a tangent. Gmail and other mailers string related messages into threads by the subject line. For further advice on asking questions intelligently, see here and here.
- Manage your subscription via the Google Groups web interface: receive each message individually or as regular digests; suspend Forum emails temporarily or permanently (access online instead); change your email address; unsubscribe and leave the Forum.
- File Forum emails automatically in your email software. All emails contain “[ISO 27001 security]” in the subject line: set up a rule to move emails with that subject string into a suitable folder to browse, search and read at your leisure.
- Respect intellectual property rights and laws: do not circulate copyright materials (such as ISO/IEC standards!) on the ISO27k Forum unless you are the copyright owner or have the copyright owner’s express permission. This is a hard and fast rule, no exceptions, no second chances. Don't risk the Forum's existence as well as prosecution. It is generally OK to share URLs for materials legitimately published on the Web, rather than sharing the content. Respect the copyright of Forum members too. Don't share Forum postings elsewhere without first getting the authors’ agreement.
- Finally, if you are unclear about the rules, bothered about recent exchanges or wary of posting something inappropriate, email the Forum Admin.

If you have a keen interest in the ISO27k standards and intend to participate actively in the community, apply to join the ISO27k Forum. Membership is FREE but please make your case briefly when you apply to join: in just a few short words, persuade us that you are qualified and willing to share. If you ignore this request and leave the application blank, don’t be surprised if your application is rejected just as rudely. Aside from excluding spambots, we like to know what brought you here and what interests you.
- Free ISO27k Toolkit from ISO27001security
Generic content to kick-start your ISMS - pretty basic but sound and FREE! These materials were kindly donated by members of the ISO27k Forum and website sponsors.

ISO27k Toolkit

The ISO27k Toolkit is a collection of generic ISMS-related materials contributed by members of the ISO27k Forum. We are very grateful for the generosity and community-spirit of the donors in allowing us to share them with you, free of charge. The materials have been donated by individuals with differing backgrounds, competence and expertise, working for a variety of organisations and contexts. They are models or templates, starting points if you will. Your information risks are unique, so it is incumbent on you to assess and treat your risks as you and your management see fit. Good luck!

- ISO27k Toolkit: Everything here, in a zip file. All FREE!
- ISMS implementation and cert process (French): Thanks to Laurent Jaunaux, Integr'Action Conseil
- ISMS implementation project estimator: Excel model to estimate how long it will take to implement an ISO/IEC 27001 ISMS
- Adaptive SME security executive summary: An executive summary for busy SME owners, CEOs or managers
- 4.4 ISMS documentation: Checklist for 14 types of ‘documented information’ plus additional discretionary materials
- 6.1 Information risk register: Systematically assess, evaluate, rank and decide how to treat your information risks
- 6.1 Plain SoA with metrics: Generate and record your Statement of Applicability, along with basic metrics
- 6.1.2 Information risk catalogue: A checklist of 80 commonplace information risks for risk identification
- 7.3 Single-page FAQ awareness example: Succinct set of Frequently Asked Questions about "ISO 27001”
- 9.2 Audit exercise - crib sheet: Suggested answers for the audit exercise, with tips on audit principles
- 9.2 ISMS internal audit procedure: Describes the typical process for conducting ISMS internal audits
- A5.9 Information asset checklist: How can you protect your stuff if you don't know what you've got?
- A5.15 Policy on access control: A skeleton to beef-up according to your needs
- A5.34 Policy on privacy: Minimalist starting point for customisation
- A6.2 Policy on employment contracts: Extreme minimalism - just 3 generic policy statements to elaborate on
- A7.4 Policy on physical security monitoring: Bare bones, just 6 policy statements
- A7.14 Policy on secure disposal: 8 policy statements about disposing of potentially valuable information
- A8.20 Policy on network security: Just 9 policy statements scratch the surface of this deep topic
- ISO27k Toolkit terms and conditions: A Creative Commons license covers most of the items
- ISMS implementation checklist: Pragmatic guidance for ISO/IEC 27001 implementers
- ISMS gap analysis questionnaire: Generic questionnaire on conformity to ISO/IEC 27001
- 4 Generic cost-benefit analysis: The basis for an ISO27k ISMS business case, proposal or budget request
- 5.2 Policy management process: Splits the process into policy development and operation
- 6.1 Iterative risk analysis: Double-sided guide to a cyclical risk analysis method that revolves around incidents
- 6.1 Plain SoA Español: Cristian Celdeiro helped with the translation into Spanish
- 6.3 Change management policy: Addresses the requirement to manage changes to the ISMS
- 7.4 Introduction and gap analysis email: Template for a kick-off message introducing the ISMS implementation project
- 9.2 Audit exercise - Português Brasileiro: Audit exercise translated into Brazilian Portuguese
- 9.3 ISMS management review agenda: Agenda items for a meeting to discuss an ISMS management review
- A5.9 Technology types, risks and controls: 3 pages outlining 5 types of technology with the associated risks and controls
- A5.19 Policy on outsourcing: Model policy on risks and controls in business process outsourcing
- A5.34 Briefing on ISO27k for GDPR: Where information security and privacy requirements coincide, go for common controls
- A6.3 Policy on awareness and training: Rolling programme of security awareness and training for managers, staff, contractors etc.
- A7.9 Policy on working offsite: 7 generic policy statements to bootstrap a workable policy
- A8.12 Policy on data leakage prevention: 4 crude policy statements to expand upon
- A8.32 Policy on change management: Construct your own policy, elaborating on these 5 brief statements
- ISMS implementation and certification process: One-page diagram on building, implementing and certifying an ISMS
- ISMS implementation guideline: Explains the requirements in ISO/IEC 27001 with pragmatic implementation guidance
- Adaptive SME security: Pragmatic approach to information risk and security for SMEs, even micro-orgs
- 4.4 Documentation mind map: Just the mandatory ISMS docs required by main body clauses
- 6.1 Security control attributes: Use ‘control attributes’ to specify, select and improve information security controls
- 6.1 Smart SoA with custom controls: Customise Annex A controls to address your organisation's unique situation
- 6.1 Plain SoA Português: Cristian Celdeiro helped with the translation into Brazilian Portuguese
- 7.3 Prepare to be audited leaflet: Awareness on being audited by ISMS internal, certification or technology auditors
- 9.2 Audit exercise: A basic exercise or test for ISMS auditors
- 9.2 Audit exercise - crib - Português Brasileiro: Crib sheet in Brazilian Portuguese
- A5.4 Policy on mgmt responsibilities: A bare-bones policy skeleton to flesh out
- A5.10 Professional services infosec checklist: Security activities for the start, middle and end of professional services engagements
- A5.32 Policy on intellectual property: 3 basic policy statements to set you off on the right foot
- A6 Policy on HR: A very basic HR security policy starter: lots worth adding!
- A7.1 Policy on physical controls: Another skeletal policy starter with a dozen policy statements to set you thinking
- A7.12 Policy on cabling security: Just 5 simple policy statements to expand into an actual security policy
- A8.13 Policy on backups: An important topic for strategies, policies and procedures

Not quite what you need? Willing to contribute? Get in touch! Further toolkit contributions are most welcome, whether to plug the many gaps (e.g. materials covering other clauses and controls from ISO/IEC 27001 and 27002), offer constructive criticism, translate these materials or provide additional examples. Case study materials would be great. Novel ways of satisfying the standards’ requirements, plus creative, inspirational and innovative approaches are particularly welcome, but so too are simplifications, checklists, diagrams and starting points. Please get in touch if you are willing to donate or seek other materials. We'll see what we can do to help.
- ISO/IEC TS 27569 | ISO27001security
ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL]

Abstract: ??

Introduction: ??

Scope: ??

Structure: ??

Status: An ISO/IEC JTC 1/SC 27/WG 5 project produced a Preliminary Work Item in 2025. However, the project subsequently appears to have been absorbed into the ongoing update of ISO/IEC 27560, possibly.

Commentary: I'm confused. Sorry. I am not close enough to WG5 to know what's really going on here.

This page last updated: 26 January 2026

