Search Results

  • FAQ on ISO27k standards | ISO27001security

    General info about the ISO27k standards as a whole - their scope and objectives, the core standards, that sort of thing.

    What use is ISO27k for my organisation?

    For more on this, see the free ISMS business case template, part of the ISO27k Toolkit.

    Organisations that use the ISO27k standards gain worthwhile business benefits such as:
    · Protecting valuable information: more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc., without imposing excessive security that would prevent it being exploited for legitimate business purposes.
    · Reducing losses: cost-effective security controls minimise the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g. floods, equipment failures, misconfigurations, inadvertent disclosures).
    · Increasing assurance and trust: conformity with ISO/IEC 27001 and ISO/IEC 27701 demonstrates the organisation’s commitment towards good practices for information security and privacy respectively, plus more broadly support for compliance, ethics etc. to interested parties such as its customers, employees, partners, investors and the authorities.
    · Achieving and maintaining compliance: various laws, regulations and contractual terms impose requirements relating to information security, privacy, accuracy, completeness, timeliness etc.
    · Enhancing resilience: adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc.
    · Bolstering brands: aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 and ISO/IEC 27701 enhances the organisation’s reputation. It is increasingly being expected or demanded by discerning customers, partners, investors and regulators - in other words, it confers competitive advantage.

    To be clear, there are costs associated with sound governance, risk management, security, privacy, assurance, incident management and so on ... but the business benefits outlined above substantially exceed the costs. The risks and costs involved in not taking security and privacy seriously can be existential, as is clear from the news headlines: serious hacking, ransomware and fraud incidents have devastated companies such as Sony Pictures Entertainment, Travelex and Barings Bank. Government institutions, defence, charities and healthcare organisations are far from immune. With such limited resources, Small to Medium-sized Enterprises stand little chance if targeted, or if mistakes are made in their accounting and tax processes, IT systems and networks. Protecting and exploiting computer data and other forms of information is critically important for business and vital for human safety.

    There's no need to design a completely bespoke approach for your particular organisation. ISO27k constitutes a suite of internationally-recognised good security practices to suit any organisation, a stable platform on which to build.

    Are these IT security (cybersecurity) standards?

    Yes, largely, but they are not limited to IT. The ISO27k standards are about protecting and exploiting valuable information in all forms, not just computer systems, services, networks and data. Aside from computer data, 'information' includes:
    · Printed or written information such as completed forms, signed contracts and rough notes;
    · Information expressed verbally and visually at meetings, videoconferences, phone calls, briefings, seminars, even casual water-cooler or corridor conversations;
    · Policies, procedures and work instructions;
    · Shared corporate culture expressed through attitudes, priorities and ethics, plus personal angles such as body language, prejudices and bias;
    · Knowledge and expertise in workers' heads, plus concepts, ideas, strategies, thoughts ...;
    · Proprietary, business, personal, shared and public information;
    · Intellectual property such as trade secrets, patents, trademarks and copyright information.

    When assessing and treating information risks, focus primarily on risks affecting critical business activities and information - the organisation's 'crown jewels'. The related computer systems, services and data play a secondary, supporting or enabling role, but don't forget the associated processes, people and relationships.

    Various business units, departments and teams generate or acquire, use and benefit from valuable information. The IT Department is a custodian for much but not all of it. People throughout the business are accountable for both protecting and (legitimately) exploiting information in support of the organisation’s strategic objectives, with the guidance and assistance of IT, risk, security and other specialists. Suppliers of telecommunications and cloud services, plus utilities such as power and water, all have parts to play in maximising the value of information, while information is an integral and important part of the organisation's products supplied to customers, partners and the authorities (e.g. company accounts and tax reports).

    Where can I obtain [name any ISO27k standard]?

    Google and shop around for the best deal. Published ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organisations (agents). A few popular ISO27k standards are available through Amazon and other retailers. It is worth checking for localised/national versions of the standards. Several national standards bodies release translated versions of the standards in their own languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time. ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use, making the definitive standards readily available to workers on the intranet.

    Are there qualifications for ISO27k professionals?

    Not exactly, but there are certifications or designations. Unlike some IT certifications, ISO27k certifications lack a universally-recognized governing body. Common designations include ISO/IEC 27001 Lead Auditor (LA), with various paths from formal training and audits to experience-based qualification, and ISO/IEC 27001/27002 Lead Implementer (LI), which focuses on implementing the ISO27k standards. However, the value of such course-completion certificates is questionable. Demonstrable experience and competence are worth far more. Refer to ISO/IEC 27021 for guidance on “Competence requirements for information security management systems professionals”.

    Hands-on ISO27k ISMS implementation and audit experience, ideally with several organisations, is by far the best ‘qualification’ in the field. General information security and technology audit qualifications (such as CISSP, CISM and CISA) can help, and business/management qualifications (such as MBAs) are well worthwhile.

    Where else can I find answers on ISO27k and information security?

    Whatever your current state of expertise, actively engaging in study and debate gets you onto the personal development fast-track. Besides the ISO27k standards themselves, consider participating in professional social groups such as:
    · ACM SIGSAC
    · CSA
    · ISC2
    · ISACA ENGAGE
    · ISO27k Forum
    · ISSA
    · LinkedIn
    · OWASP

    What is ISO/IEC?

    “ISO” is not an abbreviation but is in fact derived from the Greek word isos meaning equal. ISO is the name of the Swiss-based standards body known in English as the International Organization for Standardization. ISO primarily coordinates, facilitates and encourages collaboration between the national standards bodies, driving global standardisation. IEC is an abbreviation for the International Electrotechnical Commission, another international standards body working closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in casual terms, we often shorten it to plain “ISO”. ISO/IEC also collaborate with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecoms organisations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimise co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally.

    What are all those other obscure abbreviations?

    The processes are regimented - highly structured and consequently s-l-o-w. At several stages during the development of a standard, national standards body members are invited to vote and comment formally. The following abbreviations are used by the committee developing ISO27k standards:
    · AG - Advisory Group
    · AMD - Amendment
    · ARO - Approved RS Originator
    · BRM - Ballot Resolution Meeting
    · CB - [IEC] Council Board
    · CD - Committee Draft (1st CD, 2nd CD etc., a quality-control phase, addressing editorial matters and typoos *)
    · CDV - [IEC] Committee Draft for Vote
    · COR - Technical Corrigendum
    · CS - [ISO] Central Secretariat
    · DAM - Draft Amendment
    · DCOR - Draft Technical Corrigendum
    · DIS - Draft International Standard (nearly there, down to proofreading, hold your breath *)
    · DoC - Disposition of Comments
    · DR - Defect Report
    · DTR - Draft Technical Report
    · DTS - Draft Technical Specification
    · FCD - Final Committee Draft (ready for final approval (voting), but rarely used *)
    · FDAM - Final Draft Amendment
    · FDIS - Final Draft/Distribution International Standard (just about ready to publish, final tweaks, pinch your nose and count to 100 *)
    · HoD - Head of Delegation
    · ICT - Information and Communications Technology
    · IEC - International Electrotechnical Commission
    · IPR - Intellectual Property Rights
    · IS - International Standard (published! Yay!)
    · ISO - International Organization for Standardization
    · ITTF - Information Technology Task Force
    · ITU - International Telecommunication Union
    · ITU-R - ITU Radiocommunications Sector
    · ITU-T - ITU Telecommunication Standardization Sector
    · JCG - Joint Coordination Group
    · JTAB - Joint Technical Advisory Board
    · JTC 1 - [ISO + IEC] Joint Technical Committee 1
    · JWG - Joint Working Group
    · MB - (ISO) Member Body
    · NB - National Body
    · NC - (IEC) National Committee
    · NP - New Project (the formal scoping phase, clarifying the proposal and formally seeking approval to proceed with the standards development project *)
    · NWI - New Work Item
    · OWG - Other Working Group
    · PAS - Publicly Available Specification
    · PC - Project Committee
    · PDAM - Proposed Draft Amendment
    · PDTR - Proposed Draft Technical Report
    · PDTS - Proposed Draft Technical Specification
    · PT - Project Team
    · PWI - Preliminary Work Item - initial feasibility and outline scoping activities
    · RER - Referencing Explanatory Report
    · RG - Rapporteur Group
    · RS - Referenced Specification
    · SC - SubCommittee
    · SD - Standing Document - now known as Committee Document
    · SG - Study Group
    · SMB - (IEC) Standardization Management Board
    · SP - Study Period (preparing the NWIP ...)
    · SWG - Special Working Group
    · TAG - (ISO) Technical Advisory Group
    · TC - Technical Committee
    · TMB - Technical Management Board
    · TR - Technical Report (published! See next Q&A)
    · TS - Technical Specification (published! See next Q&A)
    · WD - Working Draft (1st WD, 2nd WD etc. - content development “preparatory” drafting phase *)
    · WG - Working Group

    Aside from international standards, what are TRs and TSs?

    See the ISO Directives for even more detail.

    ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects:
    · An International Standard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, ‘codes of practice’ (good practices) and management standards. An IS “provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context”. Most aim to describe the final objective without prescribing the method of getting there (although they don’t all meet that aim!). The review cycle is 5 years (maximum).
    · A Technical Specification (TS) is a standard on an immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development leading, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS - Proposed Draft Technical Specifications.
    · A Technical Report (TR) is informative rather than providing firm guidance. It may draw on surveys and reports, and may attempt to describe the ‘state of the art’. Final drafts of these are called PDTR - Proposed Draft Technical Reports.
    · A Publicly Available Specification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years.
    · An International Workshop Agreement (IWA) is a PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years.

    What is JTC 1/SC 27 and what are WGs?

    ISO/IEC JTC 1/SC 27 is the Joint Technical Committee 1/SubCommittee 27 responsible for numerous information security, privacy and technological standards, including the ISO27k series. SC 27 is spread across five Working Groups focused in particular areas:
    · WG1 for Information Security Management Systems;
    · WG2 for cryptography;
    · WG3 for security evaluation;
    · WG4 for security controls and services;
    · WG5 for identity management and privacy technologies.

    Once you have ISMS experience, consider getting involved with SC27's standards work by contacting your national standards body and volunteering.

    How can I keep up with ISO27k?

    An easy way to keep in touch with developments is to bookmark this very website and call back every so often to see what's new. Another option is to Google ISO 27001 news or related terms. Professional information security-related organisations such as ISSA and ISACA often carry content on ISO27k. There are a few ISO27k groups on LinkedIn and other social media, of variable quality. Unfortunately most of them (other than the ISO27k Forum) are infested with spammers and well-meaning but inept commentators.

    If you have ISO27k news, please share it with the user community via the ISO27k Forum.

  • ISO/IEC 27032 | ISO27001security

    ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition)

    Abstract

    ISO/IEC 27032 "provides: an explanation of the relationship between Internet security, web security, network security and cybersecurity; an overview of Internet security; identification of interested parties and a description of their roles in Internet security; high-level guidance for addressing common Internet security issues. [ISO/IEC 27032] is intended for organizations that use the Internet.” [Source: ISO/IEC 27032:2023]

    Introduction

    ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.

    Scope

    The abstract above covers the scope and purpose. The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses, rather than the more extreme spooky threats of concern in the governmental and defence domain.

    Structure

    Main clauses:
    · 5: Relationship between Internet security, web security, network security and cybersecurity.
    · 6: Overview of Internet security.
    · 7: Interested parties.
    · 8: Internet security risk assessment and treatment.
    · 9: Security guidelines for the Internet.
    · Annex A: Cross-references between this standard and ISO/IEC 27002.

    The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022 i.e.: 25 Organizational controls; 2 People controls; 0 Physical controls*; and 23 Technological controls.

    * It doesn't explicitly cover physical security for network cabling and equipment, nor the range and remote access concerns with wireless networking.

    Status

    The first edition was published in 2012. The current second, thoroughly revised edition was published in 2023.

    Commentary

    FWIW see also ISO/IEC TS 27100.

    Since the term emerged in 1990, “cyber” as in “cybersecurity” has gradually become a buzzword, buzzier than a hive full of excited honeybees, and yet doubts and disagreements over what it actually means persist. SC 27 had the opportunity to clarify cyber-related terms when revising this standard but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020, viz. “safeguarding of people, society, organizations and nations from cyber risks. Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define "cyber" or “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition were simply dropped. Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers. If those are your only concerns relating to the Internet, well it appears you have led a very sheltered life ...

    This page last updated: 12 February 2026

  • ISO/IEC 27036-3 | ISO27001security

    ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition)

    Abstract

    ISO/IEC 27036 part 3 “provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains; b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services; c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002. [ISO/IEC 27036-3] does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.” [Source: ISO/IEC 27036-3:2023]

    Introduction

    Part 3 guides both suppliers and acquirers of IT products (goods and services) on information risk management relating to complex supply chains, including risks such as malware and counterfeit products plus ‘organisational risks’, and the integration of information risk management into IT development lifecycles.

    Scope

    Part 3 concerns a wide range of security controls for IT supply chains, such as:
    · Assurance;
    · Avoiding the gray-market;
    · Chain of custody (provenance and Software Bill of Materials);
    · Code assessment and verification;
    · Compliance management;
    · Configuration and change management;
    · Defined security expectations (specifications);
    · HR management;
    · IT implementation and transition;
    · IT integration;
    · ... and more ....

    Most of these controls are covered in general terms by ISO/IEC 27002: this standard provides additional guidance for their application in the context of supply and acquisition of IT products e.g. maintaining a detailed SBoM (defined as an “inventory of software components, sub-components and dependencies with associated information”) to keep up with vulnerabilities and patches even in obscure library functions etc. buried deep within end products. The bulk of the standard provides information security guidance for ICT suppliers and acquirers, as a set of processes for each stage of the typical ICT system lifecycle. Annexes reference applicable clauses from ISO/IEC 27002 and describe the essential elements of an SBoM.

    Structure

    Main clauses:
    · 5: Key concepts
    · 6: Hardware, software, and services supply chain security in life cycle processes
    · Annex A: Correspondence between the controls in ISO/IEC 27002 and [ISO/IEC 27036-3]
    · Annex B: Essential elements of a Software Bill of Materials

    Status

    The first edition was published in 2013. The current second edition was published in 2023.

    Commentary

    The standard is myopically focused on IT e.g. it concerns IT services, specifically, rather than professional services in general, even though they often have significant information content and substantial information risks. Organisations should therefore consider their supply chain information risks broadly (e.g. theft of intellectual property, misrepresentation, misappropriation, fraud ...) as well as commercial, financial and other kinds of risks (including business continuity aspects such as resilience to supply chain disruptions by minimising critical dependencies). Aside from supplier-acquirer relationships, information risks associated with business partners may also be of concern, where multiple organisations combine their efforts in the production process - for example, the use of contractors on an IT production line. There may be yet more information risks in the logistics parts of the supply chain, plus related services such as installation, configuration, support and maintenance of IT equipment, commercial data centre facilities, communications services and more.

    This page last updated: 22 February 2026

  • ISO/IEC 27018 | ISO27001security

    ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)

    Abstract

    ISO/IEC 27018 "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, [ISO/IEC 27018] specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services ... The guidelines in [ISO/IEC 27018] can also be relevant to organizations acting as PII controllers.” [Source: ISO/IEC 27018:2025]

    Introduction

    This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them. See also ISO/IEC 27017 covering the wider information security angles of cloud computing, aside from privacy. The standard development project had widespread support from national standards bodies plus the Cloud Security Alliance.

    Scope

    ISO/IEC 27018 intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organisations for implementing commonly accepted PII protection controls”. The standard is primarily concerned with public-cloud computing service providers processing PII. “A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [according to the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

    The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors. ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788:2014 “Cloud computing - overview and vocabulary” (withdrawn - replaced by ISO/IEC 22123-1:2023, a legitimate free download from ISO) and ISO/IEC 29100 “Privacy framework” (another free download!).

    Structure

    Main clauses:
    · 4: Overview
    · 5: Organizational controls
    · 6: People controls
    · 7: Physical controls
    · 8: Technological controls
    · Annex A: Public cloud PII processor extended control set for PII protection
    · Annex B: Correspondence between this document and the first edition ISO/IEC 27018:2019

    Status

    The first edition was published in 2014. The second edition (a minor revision) was published in 2019. The current third edition was published in 2025, having been updated to reflect ISO/IEC 27002:2022 and offering an ‘extended control set’ aligned with ISO/IEC 29100:2024.

    Commentary

    The standard builds on ISO/IEC 27002, expanding on its generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations around the globe. In most sections, it simply says: “The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply.” The expansions or additions are straightforward - no surprises here.

    This page last updated: 11 February 2026

  • ISO/IEC 27050-1 | ISO27001security

    Back Up Next ISO/IEC 27050-1 ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition) Up Abstract “Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding. [ISO/IEC 27050-1] provides an overview of electronic discovery ...” [Source: ISO/IEC 27050-1:2019 ] Introduction The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls in compliance with local laws, regulations and established practices, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions. Scope Part 1 gives an overview of eDiscovery, defines the terms, concepts, processes etc . (such as E lectronically S tored I nformation), and introduces this multi-part standard. Structure Main clauses: 5: Overall structure and overview of the ISO/IEC 27050 series 6: Overview of electronic discovery 7: E lectronically S tored I nformation (ESI ) 8: Electronic discovery process 9: Additional considerations Status The first edition was published in 2016 . The current second edition was published in 2019 . Commentary This multi-part standard concerns the discovery phase, specifically the discovery of E lectronically S tored I nformation, a legal term-of-art meaning (in essence) forensic evidence in the form of digital data. 
Electronic discovery (eDiscovery) involves the following main steps: Identification: ESI that is potentially relevant to a case is identified, along with its locations, custodians, sizes/volumes etc. This can be more complex than it may appear, for instance involving information assets belonging not just to the individual suspects but also their employers, friends and other organisations such as phone companies and the suppliers of services such as email and Internet access (ISPs), even social media. Operational/online data, backups and archives may all contain relevant data. Often, this phase is time-critical since potential evidence (especially ephemeral operational data) may be spoiled or destroyed before it has been captured and preserved; Preservation: the identified, potentially relevant ESI is placed under a legal hold, starting the formalized forensic process designed to ensure, beyond doubt, that they are protected through the remaining steps against threats such as loss/theft, accidental damage, deliberate interference/manipulation and replacement/substitution, any of which might spoil, discredit and devalue the data, perhaps resulting in the ESI being ruled inadmissible or simply becoming unusable. The legal hold is essentially a formal obligation on the custodian not to interfere with or delete the ESI. Note: this may have implications on live systems since their continued operation may spoil the ESI; Collection: the ESI is collected from the original custodian, typically by physically removing the original digital storage media (hard drives, memory sticks and cards, CDs, DVDs, whatever) and perhaps associated physical evidence (such as devices, media storage cases, envelopes etc . that might have fingerprints or DNA evidence linking a suspect to the crime) into safe custody. 
In the case of Internet, cloud or other dispersed and ephemeral data including RAM on a running system, it may be impracticable or impossible to secure the data by capturing physical media, hence the data rather than the media may need to be captured directly in a forensically sound manner. Note: the original evidence may later be produced in court hence all subsequent forensic analysis must be performed in such a way that there is no credible possibility that it might have been spoiled e.g. by analysing bit-copies made with suitable forensic tools and methods rather than the original evidence itself. Note also that physically removing systems and media into the custody of a third party could itself be classed as an information security incident with clear implications on the confidentiality, integrity and availability of the information, particularly since, at this stage, the case is not proven: in other words, liabilities may be accumulating; Processing: forensic bit-copies are stored in a form that allows them to be searched or analysed for information that is relevant to the case, using suitable forensic tools and platforms. Sifting out the few vital bits of data from a much larger volume typically collected is the crux of this step; Review: forensic bit-copies are searched or analysed for information that is relevant to the case; Analysis: the information is further analysed and assessed as to its relevance, suitability, weight, meaning, implications etc. Useful information is gleaned from the selected data; Production: relevant information from the analysis, plus the original storage media etc. , is formally presented to the court as evidence. This inevitably involves demonstrating and explaining the meaning of the evidence in terms that make sense to the court. Hopefully, something along the lines of “I state, under oath, that we complied fully with ISO/IEC 27050” will, in future, side-step a raft of challenges concerning the eDiscovery processes! 
This page last updated: 22 February 2026

  • ISO/IEC 27050-3 | ISO27001security

ISO/IEC 27050-3

ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition)

Abstract

ISO/IEC 27050 part 3 “provides requirements and recommendations on activities in electronic discovery, including, but not limited to, identification, preservation, collection, processing, review, analysis and production of electronically stored information (ESI). In addition, this document specifies relevant measures that span the lifecycle of the ESI from its initial creation through to final disposition. [Part 3] is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities. It is important to note that the user is expected to be aware of any applicable jurisdictional requirements.” [Source: ISO/IEC 27050-3:2020]

Introduction

Part 3 of ISO/IEC 27050 identifies requirements and offers guidance on the seven main steps of eDiscovery noted in part 1, i.e. ESI:
  • Identification - what information from/at a crime scene might be relevant and useful?
  • Preservation - starting the chain of evidence.
  • Collection - removing physical media etc.
  • Processing - forensic bit-copies.
  • Review - searching evidence for relevant info.
  • Analysis - picking out the most weighty bits for court.
  • Production - preparing to present evidence+analysis in court.

Scope

The structured processes involving Electronically Stored Information.

Structure

Main clauses:
  • 5: Electronic discovery background
  • 6: Electronic discovery requirements and guidance

Status

The first edition was published in 2017. The current second edition was published in 2020.

Commentary

Part 3 is, essentially, a basic, generic how-to-do-it guide laying out the key elements that will no doubt form the basis of many digital forensics manuals. While full-time forensics specialists have their own well-practiced procedures, training, forms, tools etc., corporate information security pros who only get involved occasionally in this area may benefit from preparing the basics to get the process started properly, even if the management decision is soon made to call in eForensics specialists. If things are fouled up at the beginning, they are unlikely to be recoverable later on, compromising potentially valid cases.

This page last updated: 22 February 2026

  • ISO/IEC 27557 | ISO27001security

ISO/IEC 27557

ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)

Abstract

ISO/IEC 27557 “provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. [ISO/IEC 27557] provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: organizational consequences of adverse privacy impacts on individuals; and organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. [ISO/IEC 27557] assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization.” [Source: ISO/IEC 27557:2022]

Introduction

This standard advises on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It supports the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards - particularly ISO 31000 of course, plus ISO/IEC 29134 and ISO/IEC 27005.

The standard distinguishes information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasising the difference in the respective risk management activities. Having said that, there are clearly significant overlaps:
  • ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
  • Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
  • Many privacy-related controls are information security controls, e.g. identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
  • Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
  • Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).

Scope

The standard advises using ISO 31000 “Risk management - Guidelines” to manage privacy risks, aiding the integration of privacy risks into the organisation’s overall risk management.

Structure

Main clauses:
  • 4: Principles of organizational privacy risk management
  • 5: Framework
  • 6: Risk management process
  • Annex A: PII processing identification
  • Annex B: Example privacy events and causes
  • Annex C: Privacy impact and consequence examples
  • Annex D: Template showing the severity scale for privacy impacts on individuals

Status

The current first edition was published in 2022.

Commentary

When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf in a custodianship role ... which differs from the usual solely corporate perspective of information risk management. There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information it handles, and society at large. The standard does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.

This page last updated: 12 February 2026

  • ISO/IEC TR 27016 | ISO27001security

ISO/IEC TR 27016

ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition)

Abstract

“ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.” [Source: ISO/IEC TR 27016:2014]

Introduction

There are substantial economic, financial and resourcing aspects to the management of information risks and security controls.

Scope

The ISO catalogue says ISO/IEC TR 27016 “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.”

Structure

Main clauses:
  • 6: Information security economic factors - investment aspects
  • 7: Economic objectives - asset values
  • 8: Balancing information security economics for Information Security Management - cost-benefit analysis
  • Annex A: Identification of stakeholders and objectives for setting values
  • Annex B: Economic decisions and key cost decision factors
  • Annex C: Economic models appropriate for information security
  • Annex D: Business case calculation examples

Status

The current first edition was published in 2014 as a Technical Report since this was deemed a developing field of study. Evidently the field has not developed significantly (and I guess the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members.

Commentary

Some generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000.

This page last updated: 11 February 2026

  • ISO/IEC TS 27115-2 | ISO27001security

ISO/IEC TS 27115-2

ISO/IEC TS 27115-2 — Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 2: Security architecture evaluation

Abstract

??

Introduction

??

Scope

[ISO/IEC TS 27115-2] provides a framework to evaluate the cybersecurity of complex systems, including systems of systems, based on ISO/IEC TS 27115-1. The framework uses basic architecture concepts to support model-based, comprehensive and scalable security solutions and their evaluation.

Structure

??

Status

Part 2 is due out in 2028. It is currently at Working Draft stage.

Commentary

TBA

This page last updated: 2 April 2026

© 2026 IsecT Limited 

 
