
  • ISO/IEC 27000 | ISO27001security

    ISO/IEC 27000

    ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition)

    Abstract

    “ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. [ISO/IEC 27000] is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in [ISO/IEC 27000]: cover commonly used terms and definitions in the ISMS family of standards; do not cover all terms and definitions applied within the ISMS family of standards; and do not limit the ISMS family of standards in defining new terms for use.” [Source: ISO/IEC 27000:2018]

    Introduction

    ISO/IEC 27000 gives an overview of Information Security Management Systems (and thus of many of the ISO27k standards), plus a glossary that formally defines many (but not all) of the specialist terms as they are used within the ISMS standards.

    Scope

    ISO/IEC 27000 is focused on the ‘core ISO27k standards’, meaning ISO/IEC 27001 to 27008. Other ISO27k standards are covered to a lesser extent and many are not mentioned at all (including, of course, new standards published after 2018).

    Structure

    Vocabulary: a glossary of carefully-worded formal definitions covers many of the specialist information security-related terms used in the ISO27k standards. Information security, like most technical subjects, uses a complex web of terminology that continues to evolve. Several core terms (such as “risk” and “cyber”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean, but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify conformity with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!

    The vocabulary in ISO/IEC 27000 is applicable throughout the global information security profession, although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes and conceptual chasms. Even if you happen to disagree with the definitions, it is worth becoming familiar with them as some of your professional contacts will implicitly expect the ISO/IEC versions.

    ISO/IEC 27000 supplements and largely supersedes ISO/IEC Guide 2:2004 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards” (withdrawn), and ISO/IEC 2382-8 “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate in the information security context, and are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite - a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and concepts as we go.

    ISMS overview: an overview of Information Security Management Systems introduces information security, risk and security management, and management systems. It is a reasonably clear if rather wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There is only one diagram, unfortunately, and all it does is group similar types of ISO27k standards together, but, hey, that leaves room for supplementary guidance ... such as this website!

    Status

    The first edition was published in 2009. It was updated in 2012, 2014, 2016 and 2018. The current 2018 fifth edition is available legitimately from ISO free of charge. It was a minor revision of the 2016 fourth edition, adding a section on abbreviations and rationalising the metrics-related definitions following the 2016 rewrite of ISO/IEC 27004.

    The sixth edition of ISO/IEC 27000 is a work in progress. In accordance with ISO directives, the current edition’s vocabulary will be moved to an annex containing a “definition and explanation of commonly used terms in the ISO/IEC 27000 family of standards”; more specifically, the glossary will apply to the ISO27k standards belonging to ISO/IEC JTC 1/SC 27/WG 1 (ISO/IEC 27001 to ISO/IEC 27011, ISO/IEC 27013, ISO/IEC 27014, ISO/IEC 27016, ISO/IEC 27017, ISO/IEC 27019, ISO/IEC 27021 to ISO/IEC 27024, ISO/IEC 27028 and ISO/IEC 27029). Terms will be grouped conceptually in the annex rather than alphabetically. However, various specialist terms used in ISO/IEC 27000 itself are to be defined in clause 3 as usual. The new sixth edition will be a lot shorter, halving the page count. Publication is due by 2026; the draft is at Draft International Standard stage. The title is to become “Information security, cybersecurity and privacy protection — Information security management systems — Overview”.

    Commentary

    Clause 4 “Concepts and principles”, new to the sixth edition, is intended to clarify the fundamentals underpinning information risk and security management. The information security controls in ISO/IEC 27001 Annex A, 27002, 27010, 27011, 27017 and 27019 are to be termed “Candidate necessary information security controls” - a curious and ambiguous turn of phrase reflecting the committee’s persistent difference of opinion in this area. ‘Necessary’ is for the organisation to determine according to its evaluation of information risks relative to its risk appetite. ‘Candidate’ is clearly not ‘required’ and is less than ‘suggested’, but still some readers and inept auditors may feel the controls have to be implemented by default: they don't.

    Given the chance, I would replace “information security risk” throughout the ISO27k standards with the shorter, simpler and more appropriate term “information risk”. “Information security risk” is not formally defined as a complete phrase and doesn’t even make sense: it is presumably trying to indicate that we are talking about risk in the context of information security, but it could be interpreted as “risk to information security”, which I guess would include things such as failing to identify novel risks, and lack of management support for the function: those are indeed risks, but they are not the focus of ISO27k. “Information risk”, in contrast, is reasonably self-evident but, if the committee feels the desperate need for an explicit definition, I suggest something as simple as “risk relating to or involving information” or even “risk pertaining to information”, where both risk and information are adequately defined in dictionaries (whereas the current ISO27k definition of risk is unhelpful). Thus far, I have failed to persuade the committee to accept this terminological change, which admittedly would ripple through most of the ISO27k standards.

    The sixth edition's clause 4.1.2 is expected to include the following concerning information: “Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, needs to be suitably protected.” OK, yes, it deserves adequate protection, but it also deserves legitimate exploitation for business purposes. That duality is something that management should address systematically using the ISMS as a framework.

    “It does not matter whether the information is owned by the organization or is entrusted to its care by a third party, e.g., a customer.” Patently ownership of information does matter, so that statement is plain wrong. Protection and exploitation of information matter to the owners of both business/commercial/proprietary and personal information (including that belonging to employees, by the way). Even public-domain information can be of value to society, groups or individuals, while inaccurate, outdated, incomplete, misleading, coercive, manipulative or malicious information is of concern regardless of who owns it. I suspect that second sentence was supposed to build upon the first but somehow the linkage has been lost in translation, with unintended consequences.

    Pressing ahead: “Information can be stored in many forms, including digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as information in the form of knowledge. Information can be transmitted by various means including courier, electronic or verbal communication. Whatever form information takes, or how it is transmitted, it always needs appropriate protection.” All good so far, but then ... “In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.”

    The final paragraph reveals the longstanding systemic bias towards technology (in particular, IT) throughout the ISO27k standards. While clearly it is true that information security controls based on technology (information, operational, communications, smart and virtual technologies in fact) play a large part in protecting digital data, technology alone will never completely replace the need for humans to protect information as well, including the use of physical and organisational controls (such as policies, contracts and assurance measures). And, last but not least, the controls are specified, designed, used and managed by humans, while security incidents affect humans. In short, it’s humans all the way down.

    This page last updated: 11 December 2025

  • ISO/IEC TS 27008 | ISO27001security

    ISO/IEC TS 27008

    ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)

    Abstract

    ISO/IEC 27008 "provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. [ISO/IEC 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.” [Source: ISO/IEC TS 27008:2019]

    Introduction

    This standard (strictly speaking a Technical Specification) on “technical auditing” complements ISO/IEC 27007. It is focused on auditing the information security controls (or rather the “technical controls”, which although undefined evidently means IT security or cybersecurity controls). In contrast, ISO/IEC 27007 concerns the management system.

    Scope

    ISO/IEC TS 27008 provides guidance for all auditors/assessors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s "necessary ISMS controls” satisfy the control objectives. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security.

    Structure

    Main sections:
      5: Background
      6: Overview of information security control assessments
      7: Review methods
      8: Control assessment process
      Annex A: Initial information gathering (other than IT)
      Annex B: Practice guide for technical security assessments
      Annex C: Technical assessment guide for cloud services (Infrastructure as a Service)

    Status

    The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 Technical Report. It set out to provide “Guidelines for auditors on information security controls”. The second edition was published in 2019 as ISO/IEC TS 27008:2019, a Technical Specification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. The title morphed into “Guidelines for the assessment of information security controls”, dropping the explicit reference to auditing. The third edition is currently in preparation, being revised to reflect ISO/IEC 27002:2022. It will revert to a Technical Report. It is at Draft Technical Report stage, likely to emerge during 2026.

    Commentary

    ISO/IEC TS 27008 gives technology auditors background knowledge to help them review and evaluate the information security controls being managed through an Information Security Management System. The current second edition:
      Is applicable to organisations of all types and sizes;
      Supports planning and execution of ISMS audits and the information risk management process;
      Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);
      Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;
      Improves ISMS audits by optimising the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation, and intangibles such as the reputation and image of the organisation, privacy, and the skills and experience of people);
      Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard’s scope into the area of management systems auditing];
      Supports effective and efficient use of audit resources.

    Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as (for example) those in Annex A of ISO/IEC 27001. ISO/IEC TS 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, ISO/IEC 27005 or ISO/IEC 27007 respectively.”

    'Technical compliance checking/auditing' is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced technology auditors. ‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls listed in ISO/IEC 27001 Annex A and described in ISO/IEC 27002. Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress.

    Liberal use of “technical” in phrases such as “technical compliance checking of information system controls”, “technical assessment” and “technical security controls” indicates that this standard is concerned with technology, implying IT or cyber security specifically, rather than information risk and security in general.

    While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in its use of key terms such as review, assessment, test, validation, check and audit. For example, are “information security auditors” the same as “certification auditors”, “IT auditors”, “internal auditors”, “ISMS internal auditors”, “compliance auditors”, “conformity auditors”, or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000: concerning that little list of terms, only “audit”, “information security” and “conformity” are defined, separately. “Risk assessment” is specifically defined but not “assessment” in general. So, conventional dictionary definitions presumably apply ... but don’t really help. For an international standard, it could hardly be more muddled.

    This page last updated: 11 December 2025

  • ISO/IEC 27003 | ISO27001security

    ISO/IEC 27003

    ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)

    Abstract

    “ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.” [Source: ISO/IEC 27003:2017]

    Introduction

    ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular, as opposed to the information security controls which are summarised in ISO/IEC 27001 Annex A and explained more fully in ISO/IEC 27002. The standard supplements and builds upon other ISO27k standards (particularly ISO/IEC 27000 and ISO/IEC 27001, plus ISO/IEC 27004, ISO/IEC 27005 and ISO/IEC 27014) and ISO 31000.

    Scope

    The current edition primarily interprets or explains the requirements stated formally in ISO/IEC 27001:2013. As a result of ISO’s intent to make all the Management Systems Standards consistent in structure, form and style, and in order for it to be usable for conformity assessment (ISMS certification) purposes, the language of ISO/IEC 27001 is inevitably formal, curt and stilted, leaving little room for interpretation. In contrast, ISO/IEC 27003 offers more pragmatic explanations of the requirements.

    Structure

    For convenience, ISO/IEC 27003 mirrors the structure of ISO/IEC 27001, expanding on it clause by clause. The main sections are therefore:
      4 - Context of the organisation
      5 - Leadership
      6 - Planning
      7 - Support
      8 - Operation
      9 - Performance evaluation
      10 - Improvement
    plus an Annex - Policy framework [NOTE: this annex does not reflect or expand on the information security controls listed in ISO/IEC 27001 Annex A, since ISO/IEC 27002 already does that].

    For each ISO/IEC 27001 clause, 27003:
      re-states the requirement/s;
      explains the implications; and
      offers a little practical guidance and supporting information including examples, to help implementers implement.

    For example, this is what ISO/IEC 27001 says in section 4.1, ‘Understanding the organisation and its context’: “The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009[5].” Section 4.1 of ISO/IEC 27003 first succinctly re-states the ‘required activity’: “The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).” Then it expands on the reasons why it is appropriate and necessary to ‘determine external and internal issues’, providing a page of explanation to supplement the succinct and somewhat hard to understand text from ISO/IEC 27001. It explains, for instance, that the ‘internal issues’ include the organisation’s culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and lists a further seven ‘internal issues’ to consider. It also identifies/cross-references other clauses that use this information. That alone would be a valuable expansion on ISO/IEC 27001 section 4.1, but ISO/IEC 27003 doesn’t stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area - 3 pages in total concerning that one short subclause. The end result is that the reader gains a better understanding of the formal requirements from the main body clauses of ISO/IEC 27001 and a clearer idea of how to go about satisfying them.

    Status

    The first edition was published in 2010. It included implementation guidance. A substantially revised second edition, with more explanation but less implementation guidance, was issued in 2017.

    Work is under way now on a third edition, a project supposedly in three phases, although the first two have been blended together in practice:
      1. Update references and realign to the 2022 versions of ISO/IEC 27001 and ISO/IEC 27002; consolidate guidance into the Guidance sections for each clause; clarify the wording to avoid even hinting at additional ISMS requirements beyond those in ISO/IEC 27001, following rumoured CASCO concerns about implied conformity aspects.
      2. Adopt ISO’s version of plain English, meaning substantial wording changes throughout, and expand ISO/IEC 27003 to cover the whole main body of ISO/IEC 27001 (excluding the Annex A controls, which are covered by ISO/IEC 27002).
      3. Expand the implementation guidance, including brief introductions and references to related standards such as ISO/IEC 27004 and ISO/IEC 27005.

    The third edition is due to be published in 2027. The revision project is presently at Committee Draft stage, working on phases 1 and 2 (now merged, apparently). A new title is likely: “Information security, cybersecurity and privacy protection — Information security management systems — Guidance for the application of ISO/IEC 27001:2022”. An amended scope is also likely, appending “and the ISO/IEC 27001:2022/AMD 1:2024”, to acknowledge that climate change is to be considered.

    Work started in 2025 on another standard (either a second part to '27003 or a completely separate standard), with the development of a Preliminary Work Item. Whereas the second and third editions of ISO/IEC 27003 focus on explaining the formal ISMS requirements from ISO/IEC 27001, ISO/IEC 27003-2 (or whatever number it is given) is intended to offer practical guidance on implementing an ISMS, for example “setting up an implementation project, suitable top management involvement in the steering committee, setting a clear ambition level, appointment of a suitable project manager, etc.” It will hopefully rejuvenate and update the implementation advice from the 2010 first edition that has been eroded and largely lost.

    Commentary

    It takes years to prepare and release each new edition. Meanwhile, the ISO27k ISMS implementation guideline is a plain-English explanation of the requirements from ISO/IEC 27001 (based on the ISO Directives Part 1 Annex SL Appendix 2 concerning the wording and intent of the boilerplate text for all ISO’s management systems) plus pragmatic guidance for implementers (based on actual experience). The guideline is not an official ISO/IEC standard but, hey, it’s free of charge ... and available now!

    To my eyes, the proposed ISO/IEC 27003-2 resembles phase 3 of the current revision project ... so it is possible that the revision might stop and release the third edition after completing phase 2’s plain English rewording (which I suspect will involve a lot more work than was planned), deferring phase 3 to the new 'part 2' project. Maybe. We shall see.

    Although excluded from the current revision project, the scope and purpose of ISO/IEC 27003 could - at some distant future point perhaps - usefully extend beyond the ISMS design, implementation and certification phase to offer pragmatic advice on the operation, management, monitoring and systematic improvement of the ISMS. Certification of an ISMS is, after all, merely a milestone on the never-ending journey towards security maturity. As information security becomes an integral and valuable part of the organisation’s routine business/operational activities and management, changes are bound to occur. Potentially ’27003 might distinguish, encourage and support beneficial ISMS changes while discouraging counterproductive or detrimental ones. Alternatively, developing a separate ISO27k standard in parallel with the ongoing revision of ISO/IEC 27003 might be a quicker (less glacial) option, hinting at the possibility of a part 3 to this standard.

    This page last updated: 11 December 2025

  • ISO/IEC 27004 | ISO27001security

    ISO/IEC 27004

    ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management ― Monitoring, measurement, analysis and evaluation (second edition)

    Abstract

    “ISO/IEC 27004:2016 provides guidelines intended to assist organisations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes: (a) the monitoring and measurement of information security performance; (b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls; [and] (c) the analysis and evaluation of the results of monitoring and measurement.” [Source: ISO/IEC 27004:2016]

    Introduction

    ISO/IEC 27004 concerns the measurements or measures needed for information security management: these are commonly known as ‘security metrics’ in the profession (if not within ISO/IEC JTC 1/SC 27!).

    Scope

    The standard is intended to help an organisation evaluate the effectiveness and efficiency of its Information Security Management System, providing the information necessary to manage and (where necessary) improve the ISMS systematically. It expands substantially on clause 9.1 of ISO/IEC 27001 concerning ‘monitoring, measurement, analysis and evaluation’.

    Structure

    These are the main sections:
      Rationale - explains the value of measuring stuff, e.g. to increase accountability and performance;
      Characteristics - what to measure, monitor, analyse and evaluate, when to do it, and who should do it;
      Types of measures - performance (efficiency) and effectiveness measures;
      Processes - how to develop, implement and use metrics.

    Annex A is where most of the theoretical measurement model from the first edition of the standard now languishes. Annex B catalogues 35 example metrics of varying utility and quality, using a typical metrics definition form. Annex C demonstrates a pseudo-mathematical way to describe a metric, or rather an ‘effectiveness measurement construct’ (!).

    Status

    The first edition was published in 2009. It had a distinctly academic/theoretical style. A substantially revised (rewritten) second edition was published in 2016. It is more practical.

    Work is under way on a third edition. The committee plans to:
      Update the main body and appendix references to reflect the 2022 editions of ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005.
      Adopt ISO’s version of plain English. This may involve extensive wording changes to make the standard easier to understand and apply.
      Provide additional metrics examples to suit organisations of all sizes.
    If all goes to plan, the third edition will be published before 2028.

    Commentary

    Since a management system is literally worse than useless without suitable metrics, ISO/IEC 27001 rightly points to this standard as essential supporting guidance (it is cited in the ISO/IEC 27001 bibliography; the only normative reference in ISO/IEC 27001 is ISO/IEC 27000). More than that, information security metrics are of value in all organisations regardless of whether or not they have an ISO27k ISMS in place.

    I understand why ISO/IEC 27004 and several other ISO27k standards are aligned specifically to ISO/IEC 27001: the narrow scope and tight focus increases the chances of the standards being completed and published in a reasonable timeframe (a problem that plagued the first edition of ISO/IEC 27004). That leaves a gap for broader-scope standards, including a general purpose information risk and security metrics standard ... or indeed an entire book.

    The example metrics in Annex B of the current second edition are a mixed bunch, poorly described. Please don’t think that you ought to be using them in your ISMS, unless they happen to address your specific management information needs. There are lots of moving parts to an ISMS, numerous objectives and hence plenty of measurable aspects. For example, the incident management process has numerous measurable parameters or factors at each of its phases:
      Prepare: policies and procedures; team size, competencies; salaries.
      Identify: call-out rate; near-misses reported.
      Assess: incident breakdowns by type, severity etc.
      Contain: investigation costs; business disruption.
      Investigate: incident root causes; causative factors.
      Resolve: impacts; time from occurrence to closure; repair costs.
      Learn: PIRs completed; recurrent issues; actions arising.
      Overall: process effectiveness; process efficiency.

    The German standards body, DIN, suggested introducing the GQM (Goal-Question-Metric) approach into the standard - an excellent idea raised too late for the second edition. Unfortunately, it seems the current revision is once again missing the opportunity for this worthwhile improvement. Meanwhile, Lance Hayden’s book “IT Security Metrics” ably explains using GQM to identify possible metrics, while “PRAGMATIC Security Metrics” by Brotby and Hinson describes a systematic method to evaluate and improve their quality.

    Various obscure metrics-related terms from the first edition of the standard are defined in ISO/IEC 27000 but are mostly irrelevant now. Hopefully they will be dropped when ISO/IEC 27000 is updated.

    This page last updated: 11 December 2025
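The incident-management phases listed on the ISO/IEC 27004 page above lend themselves to a small metrics pipeline. The following is an added example written for this edit, not code from ISO/IEC 27004 or from the ISO27001security site. It runs over a constructed incident register (the records, field names, root causes and timestamps are invented for illustration) and computes several of the parameters the page lists: near-misses reported (Identify), breakdowns by type and severity (Assess), time from occurrence to closure (Resolve), and recurrent root causes and PIR completion (Learn). Open incidents are excluded from the closure statistics rather than counted as zero, which is exactly the kind of definitional choice a metrics definition form should record so that two people computing the same metric get the same number.

```python
"""Incident-management metrics over a constructed incident register.

Added example: not part of ISO/IEC 27004 or the ISO27001security site.
The record layout, phase names and the six sample incidents below are
assumptions chosen to match the phases on the page. Timestamps are
ISO 8601 strings (UTC assumed); "closed" is None while an incident is open.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed sample register (not real data). INC-006 is a near-miss that
# was logged and closed like any other record, so it counts in breakdowns.
INCIDENTS = [
    {"id": "INC-001", "type": "phishing", "severity": "medium",
     "occurred": "2025-03-01T09:00:00", "closed": "2025-03-01T15:30:00",
     "root_cause": "credential reuse", "pir_done": True, "near_miss": False},
    {"id": "INC-002", "type": "malware", "severity": "high",
     "occurred": "2025-03-04T11:00:00", "closed": "2025-03-07T11:00:00",
     "root_cause": "unpatched host", "pir_done": True, "near_miss": False},
    {"id": "INC-003", "type": "phishing", "severity": "low",
     "occurred": "2025-03-10T08:00:00", "closed": "2025-03-10T10:00:00",
     "root_cause": "credential reuse", "pir_done": False, "near_miss": False},
    {"id": "INC-004", "type": "data leak", "severity": "high",
     "occurred": "2025-03-12T14:00:00", "closed": None,
     "root_cause": None, "pir_done": False, "near_miss": False},
    {"id": "INC-005", "type": "malware", "severity": "medium",
     "occurred": "2025-03-15T10:00:00", "closed": "2025-03-16T10:00:00",
     "root_cause": "unpatched host", "pir_done": True, "near_miss": False},
    {"id": "INC-006", "type": "phishing", "severity": "low",
     "occurred": "2025-03-20T09:00:00", "closed": "2025-03-20T09:30:00",
     "root_cause": "credential reuse", "pir_done": True, "near_miss": True},
]


def _ts(value):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(value)


def near_miss_count(incidents):
    """Identify phase: how many records were flagged as near-misses."""
    return sum(1 for i in incidents if i["near_miss"])


def breakdown(incidents, field):
    """Assess phase: count records by a field such as "type" or "severity"."""
    return dict(Counter(i[field] for i in incidents))


def hours_to_closure(incidents):
    """Resolve phase: occurrence-to-closure in hours for CLOSED incidents only.

    Open incidents are left out rather than counted as zero; counting them
    as zero would silently flatter the average.
    """
    return [(_ts(i["closed"]) - _ts(i["occurred"])).total_seconds() / 3600
            for i in incidents if i["closed"]]


def closure_stats(incidents):
    """Summary of closure times, with the open count reported alongside so
    the reader can see how much of the population the mean/median ignore."""
    hrs = hours_to_closure(incidents)
    return {"closed": len(hrs), "open": len(incidents) - len(hrs),
            "mean_h": round(mean(hrs), 1), "median_h": round(median(hrs), 1)}


def recurrent_root_causes(incidents, threshold=2):
    """Learn phase: root causes seen at least `threshold` times. Records with
    no root cause recorded yet (still under investigation) are skipped."""
    counts = Counter(i["root_cause"] for i in incidents if i["root_cause"])
    return {cause: n for cause, n in counts.items() if n >= threshold}


def pir_completion_rate(incidents):
    """Learn phase: percentage of closed incidents with a post-incident review.
    The denominator is closed incidents, since a PIR cannot precede closure."""
    closed = [i for i in incidents if i["closed"]]
    if not closed:
        return 0.0
    return round(100 * sum(1 for i in closed if i["pir_done"]) / len(closed), 1)


if __name__ == "__main__":
    print("near-misses:", near_miss_count(INCIDENTS))
    print("by type:", breakdown(INCIDENTS, "type"))
    print("by severity:", breakdown(INCIDENTS, "severity"))
    print("closure:", closure_stats(INCIDENTS))
    print("recurrent root causes:", recurrent_root_causes(INCIDENTS))
    print("PIR completion %:", pir_completion_rate(INCIDENTS))
```

Each function corresponds to one line of a metrics definition form: what is counted, what is excluded, and which denominator is used. Changing any of those (for instance, counting near-misses separately from incidents in the type breakdown) changes the number, which is why the standard asks for the measurement to be specified, not just named.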

  • ISO/IEC 27005 | ISO27001security

    ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)

    Abstract
    ISO/IEC 27005 "provides guidance to assist organizations to: fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; [and] perform information security risk management activities, specifically information security risk assessment and treatment ..." [Source: ISO/IEC 27005:2022]

    Introduction
    The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (called "information security risks" in the ISO27k standards, despite that term being undefined) as a prelude to dealing with ("treating") them in various ways. Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise the most significant risks represents a governance failure, arguably negligence or mismanagement.

    Scope
    The standard guides organisations interpreting and fulfilling ISO/IEC 27001's requirements to address (identify, evaluate and treat) their information [security] risks. It can also be used independently of ISO/IEC 27001: it is a worthwhile approach to managing information risks regardless of the framework.

    Structure
    This is a substantial standard offering ~70 pages of detailed advice on:
    • Information security risk management - describes the iterative (ongoing, 'whack-a-mole') process of identifying, assessing and treating information [security] risks, comprising both strategic/long-term and operational/medium-to-short-term cycles.
    • Context establishment - despite the heading, clause 6 largely concerns methods for determining risk criteria. The organisation's business context for information risk and security management is covered in clause 10.
    • Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analysing, evaluating and prioritising information [security] risks.
    • Information security risk treatment process - described largely in terms of using information security controls to 'modify' (mitigate or maintain) information [security] risks, barely mentioning the other risk treatment options (avoidance, sharing and acceptance).
    • Operation - a short clause notes that information [security] risks and treatments should be reviewed regularly or when changes occur.
    • Leveraging related ISMS processes - essentially a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003.
    • Annex - additional information on risk criteria and practical advice such as examples of threats and vulnerabilities.

    Status
    The first (2008), second (2011) and third (2018) editions are ancient history. The current fourth edition was published in 2022.

    Commentary
    Given that the entire ISO27k approach is risk-aligned, identifying, evaluating and treating information risks is fundamental. With the fourth edition, '27005 tackles the thorny issue of how to use ISO/IEC 27001 Annex A. The annex is described as an incomplete set of possible controls to be checked for relevance to mitigate the organisation's identified information [security] risks - in other words, a controls-based approach to information risk management, supplementing the scenario-, event- and asset-based approaches mentioned elsewhere. Adopting all four approaches may be costly but there are advantages in exploring information risks from various perspectives. ISO's Technical Committee for Risk Management looks likely to review/clarify the somewhat unhelpful definition of 'risk' in ISO 31000 ("effect of uncertainty on objectives"), and may also offer guidance on 'opportunities'. It is possible the two terms will be distinguished, rather than being portrayed as flip sides as at present. I hope that will eventually make things easier for ISO27k and the other management systems standards, but it may stir the already muddy waters.

    This page last updated: 11 December 2025

  • ISO/IEC 27001 | ISO27001security

    ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition)

    Abstract
    ISO/IEC 27001 "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. [It] also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization ..." [Source: ISO/IEC 27001:2022]

    Introduction
    ISO/IEC 27001:2022 (known colloquially as "ISO 27001", "ISO27001", "27001" or "two seven double-oh one") formally specifies an Information Security Management System (ISMS), a governance arrangement comprising a structured suite of organised activities with which to manage risks relating to the confidentiality, integrity and availability of information (called 'information security risks' in the standard). According to the ISO Directives part 1 annex SL, an ISMS is a set of interrelated or interacting elements of an organisation to establish policies and objectives relating to the security of information, as well as processes to achieve those objectives.

    An ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation's information risks. The ISMS ensures that the security arrangements are appropriately designed and fine-tuned to keep pace with changes in security threats, vulnerabilities and business impacts. Adaptation is important in such a dynamic field, and a key advantage of ISO27k's flexible risk-driven approach over more prescriptive and rigid approaches such as PCI DSS. Flexibility allows the standard to apply to all types of organisations (e.g. commercial enterprises, government agencies, non-profits, clubs) of all sizes (from micro-businesses to sprawling multinationals) in all industries (e.g. retail, banking, defence, healthcare, education and government), worldwide. Given such a huge brief, the standard is necessarily generic, specifying only the bare minimum: the core ISMS requirements common to all organisations.

    ISO/IEC 27001 does not formally demand specific information security controls since the controls that are required vary markedly between organisations. The information security controls from ISO/IEC 27002 are summarised in Annex A of ISO/IEC 27001, rather like a menu. Organisations adopting ISO/IEC 27001 are free to choose whichever information security controls are applicable to their particular information risks, perhaps but not necessarily drawing on those listed in the menu and potentially supplementing or replacing them with other à la carte options (known as extended or custom control sets). The way to select "necessary" (applicable) controls is to undertake a comprehensive assessment of the organisation's information risks within the scope of the ISMS: this is one vital and mandatory part of the ISMS. Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through information security controls - a risk treatment decision within the specified risk management process. Appropriate governance arrangements and management controls are also needed to direct, control and oversee the ISMS: the standard gives fairly rudimentary and circumspect guidance in these areas.

    Scope
    The standard applies to any organisation that needs to protect and legitimately exploit information, systematically. 'Information' may include:
    • Business information belonging to the organisation itself, such as its financial, HR and operating information, trade secrets, intellectual property such as trademarks, designs, patents and brands, plus workers' knowledge and experience;
    • Business information belonging to third parties, such as commercial software and content licensed or given to the organisation for custodianship, plus public or community-owned information; and
    • Personal information belonging to individual people such as workers or supplier/customer contacts.

    Structure
    • Introduction - the standard describes a process for systematically managing information risks.
    • Scope - it specifies generic ISMS requirements suitable for organisations of any type, size or nature, in any location.
    • Normative references - only ISO/IEC 27000 is considered absolutely essential reading for users of '27001.
    • Terms and definitions - see ISO/IEC 27000.
    • Context of the organisation - understanding the organisational/business context and the needs and expectations of 'interested parties', and defining the scope of the ISMS. Clause 4.4 starkly states that "The organization shall establish, implement, maintain and continually improve" the ISMS, meaning that it must be operational, not merely designed and documented.
    • Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
    • Planning - outlines the process to identify, analyse and plan to treat information risks, to clarify the objectives of information security, and to manage ISMS changes.
    • Support - adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.
    • Operation - more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they may be audited by certification auditors: certification is optional).
    • Performance evaluation - monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
    • Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the ISMS.
    • Annex A Information security control reference - this does little more than name the controls in ISO/IEC 27002: one-sentence summaries of the one-page descriptions. The annex is 'normative', meaning that certified organisations are expected to use it to check their set of necessary controls for completeness (clause 6.1.3 c) requires the controls determined from the risk treatment to be compared with Annex A to verify that no necessary controls have been omitted), but that does not mean they are required to implement the controls: given their particular information risks, they may prefer other controls or risk treatments. Refer to ISO/IEC 27002 for lots more detail on the security controls, including useful implementation guidance, and ISO/IEC 27005 to understand information risk management.
    • Bibliography - points readers to related standards, plus part 1 of the ISO/IEC Directives, for more information.
    In addition to ISO/IEC 27000, which the body of the standard identifies as 'normative' (i.e. essential reading for users of this standard), there are several references to ISO 31000 on risk management.

    Status
    The first edition, based on BS 7799 Part 2 (1999), was published in 2005. The second edition, completely revised with substantial changes to align with other ISO management systems standards, was published in 2013, followed by two corrigenda. The third edition, published in 2022, has some wording changes to the main-body clauses to reflect the revised ISO Directives part 1 annex SL common structure/boilerplate for all the ISO management systems standards, plus a completely restructured and revised Annex A reflecting ISO/IEC 27002:2022. An amendment to ISO/IEC 27001:2022 was published in February 2024, formally clarifying that, in clauses 4.1 and 4.2, the 'relevance of climate change should be considered' - a timely reminder to think broadly when considering the context and purpose of the ISMS. Take a look at "Secure the planet" for clues about potential touch points between information security and climate change.

    Commentary
    Whereas ISO/IEC 27001 does not use the word 'governance', a 'management system' combines a governance structure with a number of management controls to ensure management's strategic intent is put into effect, becoming an integral part of the organisation. In the case of an ISMS, the system enables management to direct, oversee, control and gain assurance in information risk, security, privacy and related areas. Other ISO management systems standards based on the same ISO boilerplate text presumably avoid the word 'governance' as well. This could be considered a systematic flaw in ISO's management systems approach. However, companion standards such as ISO/IEC 27014 provide guidance in that area. Planning for updates to any certification standard is tricky because of the need to allow time for the accreditation and certification bodies to plan and enact their transition arrangements, although ISO deliberately and pointedly steers clear of accreditation and certification so, in theory, it should not really matter. In practice, it does, meaning a delicate and ambiguous relationship between standards and certification. An ISMS documented almost entirely in the form of thought-provoking diagrams, mindmaps or motivational videos rather than the usual boring, wordy, static documents would be novel, radical, creative, perhaps even brilliant ... if only someone were willing to give it a go ...

    This page last updated: 11 December 2025

  • ISO/IEC 27002 | ISO27001security

    ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)

    Abstract
    ISO/IEC 27002 "provides a reference set of generic information security controls including implementation guidance. [ISO/IEC 27002] is designed to be used by organisations: (a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; (b) for implementing information security controls based on internationally recognized best practices; [and] (c) for developing organisation-specific information security management guidelines." [Source: ISO/IEC 27002:2022]

    Introduction
    ISO/IEC 27002 is a popular international standard describing a generic selection of 'good practice' information security controls, typically used to mitigate unacceptable risks to the confidentiality, integrity and availability of information. It was based on British Standard BS 7799 in the mid-1990s, itself based on an oil company's proprietary information security manual. ISO/IEC 27002 is an advisory document, a guideline or recommendation rather than a formal specification such as ISO/IEC 27001. Organisations are advised to identify and evaluate their own information risks, selecting and applying suitable information security controls to mitigate unacceptable risks using ISO/IEC 27002 and other relevant standards and sources for guidance.

    Scope
    Like governance and risk management, information security management is a broad topic with ramifications for all organisations. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man bands up to multinational giants), not-for-profits, charities, clubs, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information. The specific information risks and hence control requirements differ in detail between organisations but there is a lot of common ground: for instance, most organisations need to address information risks relating to their employees plus contractors, consultants and third-party suppliers of various information and IT services such as networking and cloud computing. The standard is explicitly concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property) - not just IT/systems/network/cyber/digital security. It includes those, of course, but there's more to secure.

    Structure
    The standard lays out a 'reference set' of 93* generic information security controls with guidance, categorised into 4 clauses based on these 4 'themes':
    • Organisational controls - a large and misleadingly-named catch-all group of 37* controls that don't fit neatly into the remaining themes;
    • People controls - 8* controls involving or relating to people, e.g. individuals' behaviours, activities, roles and responsibilities, terms and conditions of employment etc.;
    • Physical controls - 14* tangible controls to secure tangible information assets;
    • Technological controls - 34* controls involving or relating to technologies, IT in particular.
    The 93* controls are each tagged with one or more values for each of 5 'attributes' so they can be grouped, selected or filtered in other ways too. The attributes and values are:
    • Control type: preventive, detective and/or corrective - relating to the stages of incidents at which the controls act;
    • Information security properties: confidentiality, integrity and/or availability - which of these information characteristics they protect;
    • Cybersecurity concepts: identify, protect, detect, respond and/or recover - a more detailed breakdown of the incident timeline;
    • Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance - reflecting the structure used in the previous edition of this standard;
    • Security domains: governance and ecosystem, protection, defence and resilience - another way to classify controls.
    The control attribute tagging reflects these complexities:
    • A given control may have several worthwhile applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people, and alternative suppliers/sources of necessary information services, as well as data backups);
    • An unacceptable risk typically requires several controls (e.g. malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS, authentication, patching, testing, system integrity controls etc., while avoiding infection can be a powerful approach if bolstered with controls such as policies and procedures, blacklisting etc.);
    • Many of the 'controls' identified in the standard are not atomic, being composed of several smaller elements or pieces (e.g. backups involve strategies, policies and procedures, software, hardware, testing, incident recovery, physical protection of backup media etc.).
    Some of the themes and attributes are arbitrarily assigned: for example, a commercial card access lock on a building entrance may fall into any, arguably all four, of the themes listed above, but if it and other such controls were covered several times the standard would become unwieldy. More likely, it would be categorised primarily as a physical control, possibly with references to other elements. Organisations can usefully define and use their own attributes as well. ISO/IEC 27028 will provide guidance on that when released.
    * Note: there are 21 fewer control clauses in the third edition than the second, despite 11 new ones being added, since several second-edition control clauses were updated or merged. Each clause in fact comprises or incorporates numerous 'atomic' controls at a still more detailed level of analysis. ISO/IEC 27002 notes or implies hundreds of detailed information security controls, way more than the nominal total of "93".

    Status
    The first edition was published in 2005. The second edition was published in 2013. The completely restructured and updated third edition was published in 2022. At its September 2025 meeting, ISO/IEC JTC 1/SC 27 WG 1 agreed to look into offering guidance on information security controls tailored for small organisations, starting with the development of a Preliminary Work Item clarifying the scope and purpose of such an SME infosec guideline.

    Commentary
    In my considered opinion, one of the most distinctive, innovative and valuable features of the original Shell policy manual, the UK DTI Code of Practice/DISC standard PD003 and British Standard BS 7799 was that they explicitly addressed information security, recommending approaches and controls to secure information in any form - not just computer data, systems, apps, networks and technologies. The focus was clearly on protecting the intangible, vulnerable and valuable information content. Over the decades since ISO/IEC adopted it as an international standard, it has gradually evolved into a tech-centric IT, ICT or cyber-security standard. The third edition of '27002 continues along the same trajectory.

    The third edition misses numerous opportunities to encourage users to consider their "information risks" in order to determine whether various controls are even needed to avoid or mitigate the risks, and if so what controls are appropriate, taking account of their effectiveness, costs, value, reliability etc. It is as if the controls laid out in the standard are not merely good practices worth considering under various circumstances, but required or mandatory to the extent that not implementing them might perhaps be considered inept, unprofessional or bad practice. There is a subtle presumption that most if not all the controls should be employed by all organisations, regardless of the diversity of organisations in scope and their differing information risks. This is misleading, and has remained an issue for several years.

    I miss the 'control objectives' from BS 7799: these succinctly explained what the controls were expected to achieve, giving them a business-related purpose that was readily interpreted in the particular context of an individual organisation. If management accepted that an objective was valid, the controls were worth considering not in the sense of being obligatory or even recommended, so much as examples of the kinds of things that could be put in place to achieve the objective. In the third edition, the risk-based control objectives have become watered-down and often self-serving 'purposes', with little to no explicit reference to the organisation's information risks that the suggested controls are supposed to mitigate - a retrograde step as far as I'm concerned ... potentially presenting an opportunity to fill in the gaps (watch this space!). However, some experts complained of 'challenging conversations' between auditors and management: I suspect the underlying issue there was a failure to understand the true nature of information risk and risk treatment options.

    While the restructured third edition is readable and usable on paper, the tagging and cross-linking of controls strongly favours database applications (even something as simple as Excel) allowing users to filter, select and sort the controls by whatever criteria or questions they pose - for instance, "Which physical security controls are relevant to privacy?" or "What preventive controls do not involve technology?". Given a suitable database application, the sequence is almost irrelevant compared to the categorisation, tagging and description of the controls. It will be interesting to see how this turns out.

    I am dismayed that the standard has been infected with the "cyber" virus, begging questions about definition and interpretation. Some contributors wanted the standard to cover both information security and cybersecurity controls, implying that they consider those to be distinct domains, while others first want to understand the differences before classifying controls ... and I must say I'm in the second group. What is the true meaning and scope of "cybersecurity", in fact?

    Similarly, the committee hoped to resolve confusion over the meaning of "policy" in the second edition by distinguishing three variants or hierarchical levels in the third:
    • "Information security policy" refers to the overall, high-level corporate policy at the peak of the classical policy pyramid, approved by 'top management'. 'Strategy' might have been a better term for this, at the risk of creating yet more confusion, but the ISO management systems standard boilerplate requires 'policy', so 'policy' (singular) it is;
    • "Topic-specific policy" refers to mid-level policies, e.g. "topic-specific policies on access control and clear desk and clear screen" (the latter sounds, to me, more like a rule than a mid-level policy ... and indeed, as expressed by the project team, the topic-specific policy concept includes guidelines and rules, making this layer a blend, transition or link between the upper and lower levels). These are aligned with and support the high-level policy, are approved by 'the appropriate management level', and [within reason] may be adapted/interpreted locally by departments, business units etc. where their specific contexts (information risks, security requirements, business situations, locations etc.) differ from the overall corporate context;
    • "Rule" is the lowest, most detailed/specific level, defined as an "accepted principle or instruction that states the organisation's expectations on what should be done, what is allowed or not allowed" (I'm not sure an organisation, per se, can 'expect' anything, or should have expectations on rather than of something: in a corporate context, rules are generally imposed by management on behalf of the organisation and its stakeholders ... but this definition was a bone of contention within SC 27 so a compromise is needed).

    This page last updated: 11 December 2025
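    The attribute filtering described in the commentary above, as an added Python example that is neither the standard's text nor this site's own code. The control references and titles are genuine ISO/IEC 27002:2022 controls, but the attribute values tagged onto them here are illustrative assumptions made for the demo (check them against the published clause before reuse), as is the organisation-defined "custom" attribute used to answer the privacy question, since privacy is not one of the standard's five attributes. The point it makes is that a tagged data set answers questions the printed clause order cannot.

```python
"""Attribute-based selection of ISO/IEC 27002:2022 controls.

Added illustration; not from the standard or from ISO27001security. Control
numbers and titles are real 2022-edition controls; the attribute values
attached below are illustrative assumptions for this demo only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Control:
    ref: str
    title: str
    tags: dict            # attribute name -> frozenset of values


def ctl(ref, title, theme, ctype, props, concepts, caps, domains, custom=""):
    """Build a Control from space-separated tag strings (constructed data)."""
    return Control(ref, title, {
        "theme": frozenset([theme]),
        "control_type": frozenset(ctype.split()),
        "property": frozenset(props.split()),
        "concept": frozenset(concepts.split()),
        "capability": frozenset(caps.split()),
        "domain": frozenset(domains.split()),
        "custom": frozenset(custom.split()),   # organisation-defined attribute
    })


# Sample subset; tag values are assumptions, not copied from the standard.
CONTROLS = [
    ctl("5.1", "Policies for information security", "organisational",
        "preventive", "C I A", "identify", "governance", "governance_and_ecosystem"),
    ctl("5.34", "Privacy and protection of PII", "organisational",
        "preventive", "C I A", "identify protect",
        "information_protection legal_and_compliance", "protection", custom="privacy"),
    ctl("6.3", "Information security awareness, education and training", "people",
        "preventive", "C I A", "protect", "human_resource_security",
        "governance_and_ecosystem"),
    ctl("7.7", "Clear desk and clear screen", "physical",
        "preventive", "C", "protect", "physical_security", "protection", custom="privacy"),
    ctl("7.10", "Storage media", "physical",
        "preventive", "C I A", "protect", "physical_security asset_management",
        "protection", custom="privacy"),
    ctl("8.7", "Protection against malware", "technological",
        "preventive detective corrective", "C I A", "protect detect",
        "system_and_network_security information_protection", "protection defence"),
    ctl("8.13", "Information backup", "technological",
        "corrective", "I A", "recover", "continuity", "protection"),
    ctl("8.15", "Logging", "technological",
        "detective", "C I A", "detect", "information_security_event_management",
        "protection defence"),
]


def select(controls, require=None, exclude=None):
    """Controls carrying every value in `require` and none in `exclude`.

    Both arguments map attribute name -> set of values, so a question becomes
    a conjunction of tag tests instead of a read through the clause order."""
    require, exclude = require or {}, exclude or {}
    chosen = []
    for c in controls:
        tags = c.tags
        if all(vals <= tags.get(a, frozenset()) for a, vals in require.items()) \
           and not any(vals & tags.get(a, frozenset()) for a, vals in exclude.items()):
            chosen.append(c)
    return chosen


def refs(controls):
    return [c.ref for c in controls]


def group_by(controls, attribute):
    """Index controls by each value of one attribute. Attributes are
    multi-valued, so a control can appear under several keys."""
    index = defaultdict(list)
    for c in controls:
        for value in sorted(c.tags.get(attribute, ())):
            index[value].append(c.ref)
    return dict(index)


# The two questions posed in the commentary, answered over the sample set.
def physical_privacy_controls(controls=CONTROLS):
    return refs(select(controls, require={"theme": {"physical"}, "custom": {"privacy"}}))


def preventive_non_technological(controls=CONTROLS):
    return refs(select(controls, require={"control_type": {"preventive"}},
                       exclude={"theme": {"technological"}}))
```

    Loading the full control set with the tags printed in the standard is a one-off transcription job; once done, every "which controls ..." question a risk owner or auditor asks is a `select` call, and `group_by(CONTROLS, "control_type")` gives the same control under several headings, which is exactly the multi-valued tagging the text describes.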

  • ISO/IEC TS 27564 | ISO27001security

    ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition]

    Abstract
    ISO/IEC TS 27564 "provides guidance on how to use modelling in privacy engineering. It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references, including International Standards on privacy engineering and on modelling. It provides high-level use cases describing how models are used." [Source: ISO/IEC TS 27564:2025]

    Introduction
    Modelling and other systems engineering approaches are useful when designing complex systems, such as IT systems plus their associated operating environments and processes. This standard is focused on using modelling and engineering to specify, design and embed suitable privacy arrangements/controls into complex [IT] systems that handle personal information. Determining requirements and incorporating privacy into the product lifecycle from the outset should reduce the issues that arise if privacy is neglected until later. Bolting on privacy (or security or safety) late in the day is suboptimal, albeit still better than nothing.

    Scope
    Guidance on applying the Model-Based Systems and Software Engineering (MBSSE) approach (as per ISO/IEC/IEEE 24641:2023 - Systems and software engineering - Methods and tools for model-based systems and software engineering) to design in appropriate privacy controls for complex systems using conceptual models.

    Structure
    Main sections:
    • 5: Engineering with models (particularly MBSSE)
    • 6: Privacy engineering with models (more MBSSE)
    • 7: Guidance on the use of privacy models (and standards)
    • Annex A: examples of using models for privacy engineering

    Status
    The current first edition was published in 2025.

    Commentary
    This standard explains the use of others such as ISO/IEC/IEEE 24641, ISO/IEC 27555 (models for deletion of personal information), ISO/IEC 27556 (models for managing privacy preferences), ISO/IEC 27559 (models for de-identification) and ISO/IEC 27561 (POMME), for privacy engineering. The systems engineering approach involves determining and taking account of the context in which a complex system is to be used, as well as the complexities within, to develop a definitive model. The architectural model, in turn, drives a coordinated approach to the system development, with updates as things progress to keep everything aligned - in this case, aligned around privacy, specifically. It is published as a Technical Specification rather than a full International Standard, presumably because the subject matter is still in development. As such, it should (according to the ISO Directives) be reviewed within just three years of the agreed "stability date" rather than the usual five years after publication.

    This page last updated: 10 December 2025

  • ISO/IEC 27565 | ISO27001security

    ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT]

    Abstract
    ISO/IEC 27565 "provides guidelines on using zero-knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing information disclosure. It includes several ZKP functional requirements relevant to a range of different business use cases, then describes how different ZKP models can be used to meet those functional requirements securely." [Source: ISO/IEC 27565 FDIS]

    Introduction
    Zero Knowledge Proofs (ZKPs) are families of cryptographic protocols allowing one party (the prover) to convince another (the verifier) that it possesses a secret, or that some statement about the secret holds, without disclosing the secret itself to the verifier or to a trusted third party. The secret is often a credential used for authentication (such as a password, a biometric or other personally identifiable information) but could equally be some other piece of sensitive/valuable information which is to remain confidential/private during the verification process. The prover (who knows the secret) convinces the verifier (who needs to check it) that an assertion concerning the secret (e.g. "this person is older than 18 years") is true, without revealing any additional information (such as the person's date of birth); a prover who lacks the secret, or whose assertion is false, cannot produce a proof the verifier will accept except with negligible probability. At the same time, the process substantially prevents malicious interference such as replay attacks (e.g. repeating a previous age-verification sequence that applied to a different person, which is defeated by the verifier contributing a fresh challenge to every proof) and collusion between the parties.

    Scope
    This standard principally concerns the use of ZKP for privacy protection (e.g. someone checking the claimed identity or age of a person known to an authority, without the authority having to disclose or reveal that personal information), although other use cases are noted (e.g. digital wallets).

    Structure
    Main sections (in draft):
    • 5: Introduction to ZKPs
    • 6: Considerations of implementing ZKPs for attribute verification
    • 7: Use cases of ZKPs
    • 8: Privacy preservation using ZKPs
    • 9: Functional use cases
    • 10: Business use examples
    • Annex A: Factors facilitating or hindering ZKP developments
    • Annex B: Subject binding
    • Annex C: Example of a consistency check between two documents
    • Annex D: Example of ZKP for selective disclosure
    • Annex E: Examples of selective disclosure without using ZKP
    • Annex F: Example of secure comparison of two numbers
    • Annex G: Implementing digital credentials with ZKP

    Status
    The standard development project commenced in 2021. The standard is at Final Draft International Standard (FDIS) stage, heading for release at the end of 2025 or early 2026.

    Commentary
    Some 32 specialist terms are defined - a clue as to the complexity of ZKP. ZKP is an evolving/cutting-edge technique.

    This page last updated: 9 December 2025
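    The prover/verifier exchange described in the introduction above, as an added Python example that is not part of the draft standard or of this site's text: a Schnorr-style proof that the prover knows x with y = g^x mod p, without revealing x, made non-interactive with the Fiat-Shamir transform. The verifier's fresh nonce is hashed into the challenge, which is what makes a captured proof useless for replay. The safe-prime group is generated inside the block so it runs offline; the group size, the hashing scheme and every function name are choices made for this example, and a deployment would use a standardised group or elliptic curve through a vetted library rather than this code.

```python
"""Schnorr-style zero-knowledge proof of knowledge of a discrete logarithm,
made non-interactive with the Fiat-Shamir transform.

Added illustration; not code from ISO/IEC 27565 or from ISO27001security.
Group generation, hashing scheme and names are choices made for this demo.
"""
import hashlib
import random
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test with random bases; error probability < 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:                    # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 128, seed: int = 27565):
    """Return (p, q, g): p = 2q + 1 with both prime, g of prime order q.
    Seeded so every run reproduces the same demo group; keys and nonces
    below still come from the OS CSPRNG."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full size
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    g = pow(2, 2, p)        # any square mod p lies in the order-q subgroup
    return p, q, g


def keygen(p: int, q: int, g: int):
    """Prover's long-term secret x and public value y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def challenge(p: int, q: int, g: int, y: int, t: int, nonce: bytes) -> int:
    """Fiat-Shamir challenge: hash the statement (g, y), the commitment t and
    the verifier's nonce, reduced into the exponent group Z_q."""
    width = (p.bit_length() + 7) // 8
    h = hashlib.sha256()
    for part in (g, y, t):
        h.update(part.to_bytes(width, "big"))  # fixed width: no ambiguity
    h.update(nonce)
    return int.from_bytes(h.digest(), "big") % q


def prove(p: int, q: int, g: int, x: int, nonce: bytes):
    """Prover: commit to a fresh r, derive the challenge, answer with s."""
    r = secrets.randbelow(q - 1) + 1           # never reuse r: it leaks x
    t = pow(g, r, p)
    c = challenge(p, q, g, pow(g, x, p), t, nonce)
    return t, (r + c * x) % q


def verify(p: int, q: int, g: int, y: int, nonce: bytes, proof) -> bool:
    """Verifier: accept iff g^s == t * y^c mod p for the recomputed c."""
    t, s = proof
    if not (1 < t < p and pow(t, q, p) == 1):  # t must lie in the subgroup
        return False
    if not 0 <= s < q:
        return False
    c = challenge(p, q, g, y, t, nonce)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def demo(bits: int = 128) -> dict:
    """Honest run, the same proof replayed under a new nonce, and a wrong key."""
    p, q, g = safe_prime_group(bits)
    x, y = keygen(p, q, g)
    nonce = secrets.token_bytes(16)            # verifier-chosen, single use
    proof = prove(p, q, g, x, nonce)
    other_y = pow(g, (x + 1) % q, p)           # a key this prover does not hold
    return {
        "valid": verify(p, q, g, y, nonce, proof),
        "replayed": verify(p, q, g, y, secrets.token_bytes(16), proof),
        "wrong_key": verify(p, q, g, other_y, nonce, proof),
    }
```

    `demo()` returns True for the proof checked against the nonce it was made for, and False when the same proof is presented under a different nonce or against a different public key. The age-over-18 case in the text needs a richer statement than this (a range proof over a signed credential attribute), but the commit/challenge/response shape, the subgroup check on the commitment and the nonce binding carry over unchanged.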

  • ISO/IEC TS 27115 | ISO27001security

    ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview (DRAFT)

    Abstract
    ISO/IEC TS 27115 "provides the foundations and concepts for the cybersecurity evaluation of complex systems. Two frameworks are defined: The first is used to specify the cybersecurity of a complex system, including system of systems. The second is used to evaluate the corresponding cybersecurity solutions. The frameworks use basic architecture concepts: to enable description of reference or solution cybersecurity architectures; to support model-based, comprehensive and scalable security solutions and their evaluation; and to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles." [Source: ISO.org info page]

    Introduction
    The standard attempts to explain how to (a) develop a security architecture (or design) for a complex system, and (b) evaluate a complex system against the architecture, using concepts and terms borrowed from the Common Criteria such as Target of Evaluation and security profile.

    Scope
    The formal definition of "complex system" as "a system or system of systems" is self-referential and unhelpful. The introduction refers somewhat obtusely to complex systems as:
    • The complexity of security and legislation for privacy, cybersecurity or AI (hinting, perhaps, at 'the complex system' being a computer system of some sort plus its associated security arrangements and compliance framework);
    • 'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);
    • Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.

    Structure
    Main sections:
    • 5 - Overview
    • 6 - Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"
    • 7 - Security architecture evaluation - evaluating systems against criteria declared in their security profiles
    • 8 - Architecture-based security profiles
    • 9 - Composed security profiles (compilation of security profiles from the individual systems comprising a system of systems)
    • Annex A - Architecture foundations
    • Annex B - Guidance for elaborating a security architecture
    • Annex C - Guidance for evaluating a security architecture
    • Annex D - Security example for a network infrastructure

    Status
    The standard development project commenced in 2023. It is now at Working Draft stage. It is due to be published in 2026 or 2027.

    Commentary
    This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the Working Draft has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.

    This page last updated: 9 December 2025

© 2025 IsecT Limited 

 
