- ISO/IEC 27701 | ISO27001security
ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition)

Abstract

“ISO/IEC 27701 is an international standard that sets out requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It also provides guidance to support organisations in putting these requirements into practice. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII.” [Source: ISO/IEC 27701:2025]

Introduction

ISO/IEC 27701 applies the conventional ISO ‘management system’ structure and terminology (as laid out in the ISO Directives) to privacy, or more precisely the protection of Personally Identifiable Information. Whereas the first edition of this standard described a Privacy Information Management System as an extension to an Information Security Management System, the current second edition formally severed that dependency. A PIMS can now be an independent, standalone governance and management structure ... that just happens to resemble ISO’s other management systems. However, it can still be aligned or integrated (to some extent) with an ISMS or indeed others, with pros (such as reducing unnecessary duplication) and cons (such as increasing complexity). Conformity to ISO/IEC 27701 can be assessed and certified using ISO/IEC 27706.

Scope

The standard specifies a Privacy Information Management System applicable to both controllers and processors of Personally Identifiable Information. Although the standard ostensibly concerns ‘privacy’, in practice it focuses primarily on protecting PII against risks; more precisely still, it concerns cybersecurity risks and controls for personal data in the IT context. Other/peripheral aspects of privacy (such as ‘personal space’ and ‘freedom of expression’) are not covered.

Structure

Main clauses:
- 4: Context of the organization - understanding internal (corporate) and external stakeholder requirements
- 5: Leadership - governing, driving and controlling the organisation's privacy arrangements
- 6: Planning - PIMS objectives, privacy policy
- 7: Support - privacy administration and documentation
- 8: Operation - systematically managing privacy risks
- 9: Performance evaluation - metrics and assurance
- 10: Improvement - feedback driving maturity
- 11: Further information on annexes

Annexes:
- Annex A: PIMS reference control objectives and controls for PII controllers and PII processors - a generic privacy control catalogue similar to Annex A of ISO/IEC 27001
- Annex B: Implementation guidance for PII controllers and PII processors - advice on building the PIMS
- Annex C: Mapping to ISO/IEC 29100
- Annex D: Mapping to the General Data Protection Regulation
- Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
- Annex F: Correspondence with ISO/IEC 27701:2019
- Bibliography - further reading

Status

The first edition, published in 2019, specified PIMS as an extension to an ISMS. The current second edition, published in 2025, specifies PIMS as a standalone management system.

Commentary

ISO27k practitioners will surely recognise the cyclical, risk-based approach:
- Identify privacy-related risks;
- Assess and evaluate them;
- Decide how to treat them (what, if anything, to do about them);
- Treat them (implement the risk-treatment decisions);
- Lather, rinse, repeat.

This page last updated: 12 February 2026
- ISO/IEC 27556 | ISO27001security
ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)

Abstract

ISO/IEC 27556 “provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.” [Source: ISO/IEC 27556:2022]

Introduction

The standard lays out a “user-centric framework” (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations. The standard outlines a mechanism for organisations handling personal data to comply with data subjects’ privacy requirements, even as those organisations share and collaborate on processing the data.

Scope

The standard describes a generic high-level system architecture without specifying the content and format of privacy preference information. The architecture, in turn, informs the design and implementation of IT systems handling personal information and communicating it between organisations, while managing the privacy preferences of data subjects (known as ‘PII Principals’ in the standard, i.e. the people whose personal information is being handled). The standard expands upon ISO/IEC 29100’s “Privacy framework”.

Structure

Main clauses:
- 5: User-centric framework for handling PII
- 6: Requirements and recommendations for the Privacy Preference Manager (defined as “component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences” - normally an IT system component, not a person)
- 7: Further considerations for the PPM in a Privacy Information Management System

Annexes:
- Annex A: Use cases of PII handling based on privacy preferences
- Annex B: Identifying an actor serving as a component for each example service
- Annex C: Guidance on configuration of privacy preferences management
- Annex D: Supporting the design of a privacy preference management

Status

The current first edition was published in 2022.

Commentary

I appreciate the intent to standardise the handling and management of users’ privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems and companies to exploit every scrap of personal information they can obtain, it may take even stronger pressure from regulators and legislators on behalf of private individuals to see this widely adopted in practice. So, watch this space.

This page last updated: 12 February 2026
- ISO/IEC TR 27550 | ISO27001security
ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)

Abstract

ISO/IEC TR 27550 “provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into system life cycle processes. ...” [Source: ISO/IEC TR 27550:2019]

Introduction

‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

Scope

This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

Structure

Main clauses:
- 5: Privacy engineering
- 6: Integration of privacy engineering in ISO/IEC/IEEE 15288

Annexes:
- Annex A: Additional guidance for privacy engineering objectives
- Annex B: Additional guidance for privacy engineering practice
- Annex C: Catalogues
- Annex D: Examples of risk models and methodologies

The standard:
- Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.;
- Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;
- Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;
- Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

Status

The current first edition was published as a Technical Report in 2019.

Commentary

The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not limited to the technology.

This page last updated: 12 February 2026
- ISO/IEC 27050-4 | ISO27001security
ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness (first edition)

Abstract

ISO/IEC 27050 part 4 “provides guidance on the ways an organization can plan and prepare for, and implement, electronic discovery from the perspective of both technology and processes. [Part 4] provides guidance on proactive measures that can help enable effective and appropriate electronic discovery and processes. [Part 4] is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities.” [Source: ISO/IEC 27050-4:2021]

Introduction

In 35 pages, part 4 describes “technical readiness” (defined as “having the knowledge, skills, processes and technologies needed to address a particular issue or challenge”) in the context of eDiscovery and eForensics. It covers the selection, preparation and use of tools supporting each step of the electronic discovery process, including the retention/storage, production and eventual destruction of Electronically Stored Information.

Scope

Guidance on preparing the technology (i.e. the forensic tools and systems supporting the collection, storage, collation, searching, analysis and production of ESI, plus the related processes) and the associated processes required for eDiscovery. Note: ‘technical’ and ‘technological’ are, technically, different words with different meanings.

Structure

Main clauses:
- 6: Technical readiness
- 7: Readiness for electronic discovery
- 8: Additional considerations
- 9: Electronic discovery cross-cutting aspects
- Annex A: ESI storage questionnaire

Status

The current first edition was published in 2021.

Commentary

As usual for ISO standards, part 4 offers generic advice and does not specify or recommend specific tools for eDiscovery.

This page last updated: 22 February 2026
- ISO/IEC TS 27100 | ISO27001security
ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)

Abstract

ISO/IEC TS 27100 “provides an overview of cybersecurity. [It]: describes cybersecurity and relevant concepts, including how it is related to and different from information security; establishes the context of cybersecurity; does not cover all terms and definitions applicable to cybersecurity; and does not limit other standards in defining new cybersecurity-related terms for use.” [Source: ISO/IEC TS 27100:2020]

Introduction

According to this Technical Specification: “[ISO/IEC TS 27100] defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security. Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”

Scope

Overview of cybersecurity: the standard explains various terms and concepts relating to cyber security and cyber risk management, contrasting them against information risk and security management. “Cybersecurity is a broad term used differently through the world ... Cybersecurity focuses on the risks in cyberspace, an interconnected digital environment that can extend across organizational boundaries, and in which entities share information, interact digitally and have responsibility to respond to cybersecurity incidents.” [Source: ISO/IEC TS 27100:2020]

Structure

Main clauses:
- 4: Concepts
- 5: Relationship between cybersecurity and relevant concepts
- 6: Risk management approach in the context of cybersecurity
- 7: Cyber threats
- 8: Incident management in cybersecurity
- Annex A: A layered model representing cyberspace

Status

The current first edition of this Technical Specification was published in 2020 and confirmed unchanged in 2024.

Commentary

See ISO/IEC 27032. It seems to me two ‘cyber’ worlds coexist on parallel planes:

1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by highly capable and determined foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It could be a delaying tactic. However, I may be a semi-paranoid conspiracy theorist.

2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, a subset of information security in fact. Move along please, nothing much to see here.

Rather than clarifying the concepts and terminology, advancing the field, the standard muddies the waters - possibly the desired outcome of #1 above. Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul de sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution. They claimed “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a curious way of putting it. Ironic, that, for a standard that was meant to clarify things ...

This page last updated: 12 February 2026
- ISO/IEC 27006-1 | ISO27001security
ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition)

Abstract

ISO/IEC 27006 part 1 “specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27006-1] are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in [ISO/IEC 27006-1] provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE [ISO/IEC 27006-1] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27006-1:2024]

Introduction

ISO/IEC 27006-1 is the accreditation standard that guides Certification Bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems against ISO/IEC 27001 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited CBs are valid, consistent and meaningful.

ISO/IEC 27006-1 specifies requirements and provides guidance for conformity auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011. The conformity assessment/certification process involves auditing the information security management system for conformity with ISO/IEC 27001. The standard provides guidance specific to ISMS certifications where applicable - for example, in order to remain independent and objective, the CB cannot also provide information security reviews or internal audits of the client’s ISMS. [Since no exclusion period is specified in the standard, this could be interpreted as a permanent or indefinite exclusion, or it may mean contemporaneously or within a few months or ... whatever.]

Scope

The scope is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”

Any duly-accredited CB providing ISO/IEC 27001 conformity certificates must fulfill the requirements in ISO/IEC 27006-1 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful, and truly indicate that the organisation has fully satisfied the stated requirements. Since literally anyone can issue certificates without necessarily following the certification processes specified in this standard, even substantially non-conformant organisations could conceivably purchase their ISMS certificates or simply ‘self-certify’ (assert rather than demonstrate conformity), potentially discrediting the whole certification structure. In other words, accreditation is an important control for certification.

Structure

The standard follows the structure of ISO/IEC 17021-1 clause-by-clause:
- 4: Principles
- 5: General requirements
- 6: Structural requirements
- 7: Resource requirements
- 8: Information requirements
- 9: Process requirements
- 10: Management system requirements

Annexes:
- Annex A: Knowledge and skills for ISMS auditing and certification
- Annex B: Further competence considerations
- Annex C: Audit time - putting sufficient effort into the conformity assessment
- Annex D: Methods for audit time calculations - determining how much effort is ‘sufficient’
- Annex E: Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls

Status

The first edition of ISO/IEC 27006 was published in 2007. The second edition was published in 2011. The third edition was substantially revised and published in 2015, with minor wording changes as an amendment in 2020. The fourth edition was published as ISO/IEC 27006-1 in 2024. It builds upon two normative references - ISO/IEC 17021-1:2015 and ISO/IEC 27001:2022.

Meanwhile, SC 27 is working on the structure of ISO/IEC 27006-1 and other issues, including concerns raised but not entirely resolved in exchanges with CASCO.

See also ISO/IEC 27007 for further guidance on auditing an ISMS plus ISO/IEC TS 27008 for guidance on auditing information security controls.

[Note: ISO/IEC 27006-2 was published in 2021 covering PIMS certification against ISO/IEC 27701 but was renumbered in 2025, becoming ISO/IEC 27706.]

Commentary

Certification auditors have limited interest in the organisation’s information risks and information security controls that are supposedly being managed through the ISMS, needing to confirm “whether controls are implemented and effective and meet their stated information security objectives”. It is largely assumed that any organisation with an operational ISMS in conformity with the standard is, in fact, determining its objectives and managing its information risks diligently.

ISO/IEC 27001 gives organisations latitude on how they design and document their ISMS, and hence certification auditors cannot simply follow a straightforward conformity checklist: they need to understand both management systems and information risk and security concepts. As far as I’m concerned, that’s a good thing!

The requirement to specify the Statement of Applicability on ISO/IEC 27001 conformity certificates has the unfortunate side-effect of impeding maintenance updates to an ISMS if that would affect the SoA, e.g. responding to newly-identified information risks or to incorporate additional controls. Since that hampers a fundamental principle or purpose of having a management system, it may constitute a substantive defect in ISO/IEC 27006-1 ... and perhaps other ISO management system standards too. In practice, however, it appears nobody (except me?) has noticed and is bothered by this.

This page last updated: 11 February 2026
- ISO/IEC 27706 | ISO27001security
ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition)

Abstract

ISO/IEC 27706 “specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27706] are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in [ISO/IEC 27706] provides additional interpretation of these requirements for bodies providing PIMS certification. NOTE [ISO/IEC 27706] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27706:2025]

Introduction

This accreditation standard guides certification bodies on the formal processes they must follow when auditing clients’ Privacy Information Management Systems against ISO/IEC 27701 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27701 certificates issued by accredited organisations are valid, comparable, meaningful and hence commercially valuable.

Scope

This standard is primarily aimed at PIMS certification auditors (“conformity assessors”). It may also be used for peer assessment or other PIMS audit processes such as internal or supplier privacy audits.

For consistency across the globe, any properly-accredited body providing ISO/IEC 27701 certificates must fulfill the requirements in this standard plus ISO/IEC 17021-1. Their auditors’ competence, suitability and reliability to perform their work properly is necessary to ensure that issued ISO/IEC 27701 certificates are meaningful and valuable: if literally anyone issues PIMS certificates without necessarily following the certification processes specified by this standard, even substantially non-conformant organisations could conceivably buy their certificates or simply ‘self-certify’ (assert rather than demonstrate conformity). Accreditation of the certification bodies is an important assurance control for those who depend or rely upon the certificates - including, by the way, the certified organisations themselves.

Structure

The standard formally specifies requirements and offers guidance for conformity auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 plus ISO/IEC 17000 and ISO/IEC 27701. ISO/IEC 27706 is firmly based on ISO/IEC 17021-1, with the same structure.

Main clauses:
- 4: Principles
- 5: General requirements
- 6: Structural requirements
- 7: Resource requirements
- 8: Information requirements
- 9: Process requirements
- 10: Management system requirements for certification bodies

Annexes:
- Annex A: Audit time
- Annex B: Methods for audit time calculations
- Annex C: Required knowledge and skills

Most sections repetitively and tediously state “The requirements of ISO/IEC 17021-1, [section number] apply”.

Status

The current first edition was published in 2025 to coincide with the 2025 update to ISO/IEC 27701. This standard updated and replaced ISO/IEC TS 27006-2:2021, replacing references in the first edition to ISO/IEC 27001 with references to ISO/IEC 17021-1. ISO/IEC 27006-2 was officially withdrawn at this time.

Commentary

Just as ISO/IEC 27006-1 specifies requirements for certification of an ISMS against ISO/IEC 27001, the PIMS certification process involves auditing the management system (specifically) for conformity to the mandatory requirements in ISO/IEC 27701. Conformity assessors have only a passing interest in the actual privacy arrangements that are being managed by the management system, doing sufficient checks to confirm that the PIMS is operational. It is presumed that any organisation with a PIMS that conforms to the standard probably does in fact have suitable privacy controls in place, and will ensure they remain appropriate and functional due to the operation of said PIMS.

More subtly, the standard does not demand particular, detailed privacy arrangements or controls that may be inappropriate or insufficient if implemented in some situations, and hopefully reduces the possibility of assertive certification auditors seeking to second-guess or override informed management decisions about how the organisation is addressing its privacy risks. The auditors’ job is simply to provide assurance by assessing conformity of the management system with the mandatory requirements of ISO/IEC 27701.

This page last updated: 12 February 2026
- ISO/IEC 27007 | ISO27001security
ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)

Abstract

ISO/IEC 27007 “provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.” [Source: ISO/IEC 27007:2020]

Introduction

ISO/IEC 27007 provides guidance for internal auditors, external/third party auditors (e.g. those performing supplier security assessments) and others auditing ISMSs against ISO/IEC 27001, i.e. auditing the Management System for conformity with the standard. For Certification Bodies’ conformity assessors, it supplements or complements the mandatory accreditation requirements specified formally in ISO/IEC 27006-1 with additional discretionary advice.

The standard covers the process of ISMS-specific conformity assessment or auditing, emphasising the ‘management system’ elements:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
- Managing ISMS auditors (competencies, skills, attributes and evaluation).

Scope

“[ISO/IEC 27007] provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.” [Source: ISO/IEC 27007:2020]

Structure

Main clauses:
- 4: Principles of auditing
- 5: Managing an audit programme
- 6: Conducting an audit
- 7: Competence and evaluation of auditors
- Annex A: Guidance for ISMS auditing practice - includes advice re the documentation required by ISO/IEC 27001:2013 such as the Statement of Applicability.

The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not-terribly-helpful explanatory comments (e.g. audits are likely to involve sensitive proprietary or personal information, hence auditors may need to be security-cleared to the appropriate level before auditing, and to secure audit evidence appropriately). However, the more valuable annex describes specific audit tests concerning the organisation’s conformity with the requirements of ISO/IEC 27001.

Status

The first edition was published in 2011. The second edition was published in 2017. The current third edition was published in 2020.

A fourth edition is in the works, belatedly reflecting ISO/IEC 27001:2022 and the imminent release of ISO 19011:2026. ISO 19011:2026 is expected to provide guidance on remote auditing (e.g. of virtual locations such as globally-distributed data centres providing cloud services) plus other editorial changes to the current version. Publication of the fourth edition of ISO/IEC 27007 is planned for 2027. It is at Committee Draft stage, coming along nicely. Reviewers seek to align the terminology and concepts more closely with ISO/IEC 27000, 27001, 27003 and 27005, for example not implying, suggesting or stating additional requirements beyond those formally stated in 27001. Additional approaches, guidance and options are fine so long as readers (implementers and auditors) are not led to believe that they must do a load of additional things in order to conform to 27001. Flexibility is valuable for such a broadly-applicable approach. Additional constraints or demands are not.

Commentary

As with ISO/IEC 27006-1, this standard primarily concerns conformity or compliance auditing, a particular form of auditing with a specific goal: to determine whether the audited organisation’s ISMS conforms with (i.e. fulfills all the mandatory requirements specified formally by) ISO/IEC 27001. Such audits are primarily performed for certification purposes. Other types of audits have different assurance goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance/conformity auditors, or that all audits are compliance/conformity audits!

Specifically in relation to information risk and security management, competent technology auditors might for instance:
- Evaluate the organisation’s strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);
- Audit workers’ conformity with organisational policies, procedures, directives, guidelines, employment contracts etc., in the general area of information risk, information security and privacy;
- Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;
- Examine the governance arrangements in this area, e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;
- Audit the organisation’s compliance/conformity with other relevant obligations and expectations, apart from ISO/IEC 27001, e.g. privacy and data protection, intellectual property protection, health and safety, and employment laws and regulations; fire codes and building standards; technical security standards and protocols; supplier, partner and customer agreements and contracts; industry guidelines; ethical codes ... including the associated arrangements such as enforcement actions, and how the organisation stays up-to-date with changes in the requirements;
- Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and releasing any unrealised potential;
- Examine ‘assurance’, ‘integrity’, ‘confidentiality’, ‘availability’, ‘risk’, ‘information risk management’, ‘compliance’, ‘privacy’ etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;
- Review improvements made and explore further opportunities to improve the ISMS;
- Examine the organisation’s potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;
- Survey, compare and contrast various stakeholders’ opinions, comments and suggestions on the ISMS, teasing out and addressing deeper, longstanding concerns and points of common interest that might otherwise remain hidden;
- Follow up on previous ISMS audits, reviews, penetration tests, security assessments, post-incident reports etc., delving deeper into areas of concern, extending the scope and picking up on recurrent or widespread issues;
- Examine assurance management, e.g. the manner in which various audits or assessments are scoped, approved, resourced, conducted, reported, actioned and closed off, treating ISMS or technology audits as important examples;
- Explore the management aspects of business continuity and resilience;
- Look into the integration and interoperability of various management systems such as the ISMS;
- Audit the organisation’s information management as a whole, such as the integration of risk and security aspects with other business imperatives, and the proactive exploitation of information despite various risks;
- Benchmark the ISMS against comparable organisations or business units, or against other operational management systems, e.g. quality assurance, environmental protection;
- Measure and comment on the organisation’s maturity in this general area;
- Review the organisation’s use of security metrics, reports and other management information.

Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the basic conformity-assessment tick-n-bash approach. One of the best things about auditing is the chance to do something different for a change. Exploit the auditors’ independence, competence, experience, skills, focus, information access, rigorous methods, trustworthiness, access to senior management etc. to delve into aspects that are rarely if ever addressed as part of routine management and operations - potentially including those awkward politically-charged issues that are studiously avoided, and longstanding problems that seem destined to remain, forever.

Some pessimists see audits as information threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor and optimist (realist!), I see audits as valuable business opportunities to be exploited to the max. Make the best of them. Milk the value.

This page last updated: 11 February 2026
- ISO/IEC 27033-4 | ISO27001security
ISO/IEC 27033-4

ISO/IEC 27033-4:2014 Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition)

Abstract

ISO/IEC 27033 part 4 "gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including: identifying and analysing network security threats associated with security gateways; defining network security requirements for security gateways based on threat analysis; using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls." [Source: ISO/IEC 27033-4:2014]

Introduction

Part 4 gives an overview of security gateways, describing different architectures.

Scope

Guidance on securing communications between networks through gateways, firewalls, application firewalls, Intrusion Protection System [sic] etc. in accordance with a policy. Includes identifying and analysing network security threats, defining security control requirements, and designing, implementing, operating, monitoring and reviewing the controls.

Structure

Main clauses:
- 6: Overview
- 7: Security threats
- 8: Security requirements
- 9: Security controls
- 10: Design techniques
- 11: Guidelines for product selection

Status

ISO/IEC 27033-4 revised and replaced ISO/IEC 18028-3. The current first edition of part 4 was published in 2014 and confirmed unchanged in 2019. It is slightly more up to date than other parts of ISO/IEC 27033 in that it mentions 'cloud', twice, and even VoIP. Gosh. Denial-of-Service attacks on corporate networks were evidently a big concern back in 2014, but ransomware was yet to make its big entrance stage right.

Commentary

The standard outlines how security gateways (a.k.a. firewalls) analyse and control network traffic through:
- Packet filtering;
- Stateful packet inspection;
- Application proxy (application firewalls);
- Network Address Translation;
- Content analysis and filtering.

It guides the selection and configuration of security gateways, choosing the type of architecture for a security gateway which best meets the security requirements of an organisation. It refers to various kinds of firewall as examples of security gateways. [Firewall is a commonplace term of art that is curiously absent from ISO/IEC 27000 and ISO/IEC 27002, nor is it defined explicitly in this standard. I wonder if some ancient ISO standard had already 'taken' the term to describe a physical barrier impeding the spread of fire and smoke, e.g. from the engine into the passenger compartment of a car?]

This page last updated: 23 February 2026
- ISO/IEC 27011 | ISO27001security
ISO/IEC 27011

ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)

Abstract

"The scope of this Recommendation | International Standard is to provide guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property." [Source: ISO/IEC 27011:2024/ITU-T X.1051]

Introduction

This Information Security Management System implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27, with the identical text being dual-numbered as both ISO/IEC 27011 and ITU-T X.1051.

Scope

ISO/IEC 27011 guides telecoms organisations on the information security controls worth considering and adopting to mitigate their unacceptable information risks. As with ISO/IEC 27002, the controls are discretionary, not mandatory. Telecoms organisations are free to determine whether the controls are or are not applicable ("necessary") according to their information risks, and they may prefer custom versions, bespoke controls or controls suggested by other sources. Ideally, they would do so using an Information Security Management System modelled on ISO/IEC 27001, managing and overseeing the controls and risks systematically.

Structure

Aside from minor variations/explanations to a few of the ISO/IEC 27002 controls, the 'extended control set' suggests 14 additional information security controls specifically for telecoms organisations.

Main clauses:
- 4: Overview
- 5: Organizational controls - with 8 supplementary controls
- 6: People controls - with no supplementary controls
- 7: Physical controls - with 5 supplementary controls
- 8: Technological controls - with 1 supplementary control

For example, control 5.42 TEL - Non-disclosure of communications indicates that telecoms organisations should, if appropriate, secure metadata relating to the messages they handle for customers, as well as the messages themselves, unless they are legally obliged to disclose.

Status

The first edition was published in 2008. The second edition was published in 2016, with a minor corrigendum (correction) in 2018. Having been updated and substantially restructured to align with the 2022 version of ISO/IEC 27002, the current third edition was published in 2024.

Commentary

It is good to see continued productive collaboration between these well-respected international standards bodies, despite the challenge and delays caused by batting the draft standard back and forth between their formal processes like a tennis ball at a Wimbledon final.

This page last updated: 11 February 2026
