Search Results

  • ISO/IEC 27007 | ISO27001security

    ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)

    Abstract
    ISO/IEC 27007 "provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme." [Source: ISO/IEC 27007:2020]

    Introduction
    ISO/IEC 27007 provides guidance for internal auditors, external/third-party auditors (e.g. those performing supplier security assessments) and others auditing ISMSs against ISO/IEC 27001, i.e. auditing the Management System for conformity with the standard. For Certification Bodies' conformity assessors, it supplements or complements the mandatory accreditation requirements specified formally in ISO/IEC 27006-1 with additional discretionary advice.

    The standard covers the process of ISMS-specific conformity assessment or auditing, emphasising the 'management system' elements:
      • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
      • Performing an ISMS audit (the audit process: planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
      • Managing ISMS auditors (competencies, skills, attributes and evaluation).

    Scope
    The scope statement repeats the text quoted under Abstract above. [Source: ISO/IEC 27007:2020]

    Structure
    Main clauses:
      4: Principles of auditing
      5: Managing an audit programme
      6: Conducting an audit
      7: Competence and evaluation of auditors
      Annex A: Guidance for ISMS auditing practice - includes advice on the documentation required by ISO/IEC 27001:2013, such as the Statement of Applicability.

    The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not-terribly-helpful explanatory comments (e.g. audits are likely to involve sensitive proprietary or personal information, hence auditors may need to be security-cleared to the appropriate level before auditing, and to secure audit evidence appropriately). However, the more valuable annex describes specific audit tests concerning the organisation's conformity with the requirements of ISO/IEC 27001.

    Status
    The first edition was published in 2011. The second edition was published in 2017. The current third edition was published in 2020.

    A fourth edition is in the works, belatedly reflecting ISO/IEC 27001:2022 and the imminent release of ISO 19011:2026. ISO 19011:2026 is expected to provide guidance on remote auditing (e.g. of virtual locations such as globally-distributed data centres providing cloud services) plus other editorial changes to the current version. Publication of the fourth edition of ISO/IEC 27007 is planned for 2027. It is at Committee Draft stage, coming along nicely. Reviewers seek to align the terminology and concepts more closely with ISO/IEC 27000, 27001, 27003 and 27005, for example not implying, suggesting or stating additional requirements beyond those formally stated in 27001. Additional approaches, guidance and options are fine so long as readers (implementers and auditors) are not led to believe that they must do a load of additional things in order to conform to 27001. Flexibility is valuable for such a broadly-applicable approach. Additional constraints or demands are not.

    Commentary
    As with ISO/IEC 27006-1, this standard primarily concerns conformity or compliance auditing, a particular form of auditing with a specific goal: to determine whether the audited organisation's ISMS conforms with (i.e. fulfils all the mandatory requirements specified formally by) ISO/IEC 27001. Such audits are primarily performed for certification purposes. Other types of audits have different assurance goals. Please don't make the mistake of assuming that all auditors are so-called "tick-and-bash" compliance/conformity auditors, or that all audits are compliance/conformity audits! Specifically in relation to information risk and security management, competent technology auditors might for instance:
      • Evaluate the organisation's strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);
      • Audit workers' conformity with organisational policies, procedures, directives, guidelines, employment contracts etc., in the general area of information risk, information security and privacy;
      • Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;
      • Examine the governance arrangements in this area, e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;
      • Audit the organisation's compliance/conformity with other relevant obligations and expectations apart from ISO/IEC 27001, e.g. privacy and data protection, intellectual property protection, health and safety, and employment laws and regulations; fire codes and building standards; technical security standards and protocols; supplier, partner and customer agreements and contracts; industry guidelines; ethical codes ... including the associated arrangements such as enforcement actions, and how the organisation stays up-to-date with changes in the requirements;
      • Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and releasing any unrealised potential;
      • Examine 'assurance', 'integrity', 'confidentiality', 'availability', 'risk', 'information risk management', 'compliance', 'privacy' etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;
      • Review improvements made and explore further opportunities to improve the ISMS;
      • Examine the organisation's potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;
      • Survey, compare and contrast various stakeholders' opinions, comments and suggestions on the ISMS, teasing out and addressing deeper, longstanding concerns and points of common interest that might otherwise remain hidden;
      • Follow up on previous ISMS audits, reviews, penetration tests, security assessments, post-incident reports etc., delving deeper into areas of concern, extending the scope and picking up on recurrent or widespread issues;
      • Examine assurance management, e.g. the manner in which various audits or assessments are scoped, approved, resourced, conducted, reported, actioned and closed off, treating ISMS or technology audits as important examples;
      • Explore the management aspects of business continuity and resilience;
      • Look into the integration and interoperability of various management systems such as the ISMS;
      • Audit the organisation's information management as a whole, such as the integration of risk and security aspects with other business imperatives, and the proactive exploitation of information despite various risks;
      • Benchmark the ISMS against comparable organisations or business units, or against other operational management systems, e.g. quality assurance, environmental protection;
      • Measure and comment on the organisation's maturity in this general area;
      • Review the organisation's use of security metrics, reports and other management information.

    Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the basic conformity-assessment tick-n-bash approach. One of the best things about auditing is the chance to do something different for a change. Exploit the auditors' independence, competence, experience, skills, focus, information access, rigorous methods, trustworthiness, access to senior management etc. to delve into aspects that are rarely if ever addressed as part of routine management and operations - potentially including those awkward politically-charged issues that are studiously avoided, and longstanding problems that seem destined to remain, forever. Some pessimists see audits as information threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor and optimist (realist!), I see audits as valuable business opportunities to be exploited to the max. Make the best of them. Milk the value.

    This page last updated: 11 February 2026

  • ISO/IEC 27551 | ISO27001security

    ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)

    Abstract
    ISO/IEC 27551 "provides a framework and establishes requirements for attribute-based unlinkable entity authentication (ABUEA)." [Source: ISO/IEC 27551:2021]

    Introduction
    Attribute-Based Unlinkable Entity Authentication is a mechanism for authenticating unfamiliar parties through the services of a mutually-trusted third party, whilst maintaining the privacy of the authenticated party. 'Unlinkable' refers to the need to be able to handle and process personal information anonymously, in a way that precludes being able to identify the original data subjects from the information being communicated and processed.

    Scope
    The standard describes a framework and requirements for ABUEA - a way of avoiding the privacy leakage that can occur when (for instance) we use Internet sites, providing different information to each one or on each occasion, giving the possibility of linking our disparate disclosures back to us, specifically.

    Structure
    Main clauses:
      5: General objectives of attribute-based entity authentication
      6: Properties of attribute-based entity authentication protocols
      7: Unlinkability properties of attribute-based entity authentication protocols
      8: Attributes
      9: Requirements for level N attribute-based unlinkable entity authentication
      Annex A: Formal definitions for security and unlinkability notions
      Annex B: Examples of attribute-based entity authentication protocols
      Annex C: ABUEA with OpenID & FIDO
      Annex D: Use cases for attribute-based unlinkable entity authentication

    Status
    The current first edition was published in 2021.

    Commentary
    It would be a challenge to rewrite this standard in accordance with ISO's version of plain English, given such a deep dive into the technology.

    This page last updated: 12 February 2026
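    The linkability problem the Scope paragraph describes can be made concrete with a small simulation. The following is an added illustration written for this page; it is not code from ISO27001security and it is not the protocol specified in ISO/IEC 27551. It assumes a single trusted issuer (standing in for the mutually-trusted third party) that vouches for user attributes to relying parties, an HMAC tag as a stand-in for a real signature, and hypothetical verifier names. Three ways of naming the subject are compared: a stable global identifier (two colluding verifiers can link the user), a per-verifier pseudonym (one verifier can recognise a returning user, but two verifiers cannot link), and a fresh subject per occasion (nothing but the disclosed attributes survives, even within one verifier). The issuer in this toy can still correlate everything it issued; that is a limitation of the illustration, not a description of the standard's formal unlinkability notions (Annex A).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added illustration, NOT the ISO/IEC 27551 protocol. One trusted issuer
# vouches for user attributes to relying parties ("verifiers"). The three
# subject-naming schemes below differ only in how much two verifiers, or one
# verifier across two sessions, can link.

ISSUER_KEY = secrets.token_bytes(32)   # assumption: long-term issuer secret

# Constructed sample records; only the issuer holds these.
USERS = {
    "alice": {"over_18": True,  "country": "NZ", "email": "alice@example.com"},
    "bob":   {"over_18": False, "country": "NZ", "email": "bob@example.com"},
}


@dataclass(frozen=True)
class Assertion:
    subject: str        # whatever identifier the verifier gets to see
    attributes: dict    # only the attributes the verifier asked for
    verifier: str       # intended audience; stops replay to another verifier
    tag: str            # issuer MAC over the fields above


def _mac(*parts: str) -> str:
    return hmac.new(ISSUER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def _issue(subject: str, user: str, verifier: str, wanted: tuple) -> Assertion:
    # Minimal disclosure: release only the requested attributes, never the record.
    attrs = {k: USERS[user][k] for k in wanted}
    tag = _mac("assert", subject, verifier, repr(sorted(attrs.items())))
    return Assertion(subject, attrs, verifier, tag)


def stable_id_assertion(user: str, verifier: str, wanted: tuple) -> Assertion:
    """Naive: the same global identifier goes to every verifier on every occasion."""
    return _issue(user, user, verifier, wanted)


def pairwise_assertion(user: str, verifier: str, wanted: tuple) -> Assertion:
    """Per-verifier pseudonym: constant for one verifier, unrelated across verifiers."""
    return _issue(_mac("pseudonym", user, verifier)[:16], user, verifier, wanted)


def per_occasion_assertion(user: str, verifier: str, wanted: tuple) -> Assertion:
    """Fresh random subject every time: even one verifier cannot link two sessions."""
    return _issue(secrets.token_hex(8), user, verifier, wanted)


def verify(a: Assertion, expected_verifier: str) -> bool:
    # Assumption for the toy: checking is done by (or delegated to) the issuer,
    # since an HMAC tag can only be recomputed by a holder of ISSUER_KEY.
    expected = _mac("assert", a.subject, a.verifier, repr(sorted(a.attributes.items())))
    return a.verifier == expected_verifier and hmac.compare_digest(a.tag, expected)


def can_link(a: Assertion, b: Assertion) -> bool:
    """What colluding verifiers (or one verifier across sessions) can do: compare subjects."""
    return a.subject == b.subject


if __name__ == "__main__":
    shop, forum = "shop.example", "forum.example"       # hypothetical verifiers
    s1 = stable_id_assertion("alice", shop, ("over_18",))
    s2 = stable_id_assertion("alice", forum, ("country",))
    print("stable id, shop and forum collude:", can_link(s1, s2))
    p1 = pairwise_assertion("alice", shop, ("over_18",))
    p2 = pairwise_assertion("alice", forum, ("country",))
    p3 = pairwise_assertion("alice", shop, ("over_18",))
    print("pairwise across verifiers:", can_link(p1, p2), "| same verifier:", can_link(p1, p3))
    o1 = per_occasion_assertion("alice", shop, ("over_18",))
    o2 = per_occasion_assertion("alice", shop, ("over_18",))
    print("per occasion, same verifier twice:", can_link(o1, o2))
    print("replay to the other verifier accepted:", verify(o1, forum))
```

    Note that unlinkable subjects do not help if the disclosed attributes themselves single a person out (an exact date of birth plus postcode, say), which is why the attributes released per verifier are kept to the minimum requested.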

  • ISO/IEC 27003 | ISO27001security

    ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition)

    Abstract
    "ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013." [Source: ISO/IEC 27003:2017]

    Introduction
    ISO/IEC 27003 provides guidance for those implementing the ISO27k standards, covering the management system aspects in particular, as opposed to the information security controls which are summarised in ISO/IEC 27001 Annex A and explained more fully in ISO/IEC 27002. The standard supplements and builds upon other ISO27k standards (particularly ISO/IEC 27000 and ISO/IEC 27001, plus ISO/IEC 27004, ISO/IEC 27005 and ISO/IEC 27014) and ISO 31000.

    Scope
    The current edition of this standard primarily interprets or explains the requirements stated formally in ISO/IEC 27001:2013. As a result of ISO's intent to make all the Management Systems Standards consistent in structure, form and style, and in order for it to be usable for conformity assessment (ISMS certification) purposes, the language of ISO/IEC 27001 is inevitably formal, curt and stilted, leaving little room for interpretation. In contrast, ISO/IEC 27003 offers more pragmatic explanations of the requirements.

    Structure
    For convenience, ISO/IEC 27003 mirrors the structure of ISO/IEC 27001, expanding clause-by-clause on ISO/IEC 27001. The main clauses are therefore:
      4: Context of the organisation
      5: Leadership
      6: Planning
      7: Support
      8: Operation
      9: Performance evaluation
      10: Improvement
      Annex: Policy framework [NOTE: this annex does not reflect or expand on the information security controls listed in ISO/IEC 27001 Annex A, since ISO/IEC 27002 already does that].

    For each ISO/IEC 27001 clause and subclause, ISO/IEC 27003:
      • Re-states the requirement/s;
      • Explains the implications; and
      • Offers a little practical guidance and supporting information including examples, to help implementers implement.

    For example, this is what ISO/IEC 27001 says in section 4.1, 'Understanding the organisation and its context': "The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. NOTE Determining these issues refers to establishing the external and internal context of the organisation considered in Clause 5.3 of ISO 31000:2009."

    Section 4.1 of ISO/IEC 27003 first succinctly re-states the 'required activity': "The organisation determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS)." Then it expands on the reasons why it is appropriate and necessary to 'determine external and internal issues', providing a page of explanation to supplement the succinct and somewhat hard to understand text from ISO/IEC 27001. It explains, for instance, that the 'internal issues' include the organisation's culture; its policies, objectives, and the strategies to achieve them; its governance, organisational structure, roles and responsibilities; and lists a further seven 'internal issues' to consider. It also identifies/cross-references other clauses that use this information. That alone would be a valuable expansion on ISO/IEC 27001 section 4.1, but ISO/IEC 27003 doesn't stop there: it goes on to provide a further page of explanation, practical guidance and real-world examples in this area - 3 pages in total concerning that one short subclause. The end result is that the reader gains a better understanding of the formal requirements from the main body clauses of ISO/IEC 27001 and a clearer idea of how to go about satisfying them.

    Status
    The first edition was published in 2010. It included implementation guidance. A substantially revised second edition, with more explanation but less implementation guidance, was issued in 2017.

    Work is under way now on a third edition. The third edition was due to be published in 2027 but has been delayed to 2028. The revision project is presently entering the third Committee Draft stage. A new title is likely: "Information security, cybersecurity and privacy protection — Information security management systems — Guidance for the application of ISO/IEC 27001:2022". An amended scope is also likely, appending "and the ISO/IEC 27001:2022/AMD 1:2024", to acknowledge that climate change is to be considered.

    Work started in 2025 on another standard (either a second part to '27003 or a completely separate standard), with the development of a Preliminary Work Item. Whereas the second and third editions of ISO/IEC 27003 focus on explaining the formal ISMS requirements from ISO/IEC 27001, ISO/IEC 27003-2 (or whatever number it is given) is intended to offer practical guidance on implementing an ISMS, for example "setting up an implementation project, suitable top management involvement in the steering committee, setting a clear ambition level, appointment of a suitable project manager, etc." It will hopefully rejuvenate and update the implementation advice from the 2010 first edition that has been eroded and largely lost.

    Commentary
    It takes years to prepare and release each new edition. Meanwhile, the ISO27k ISMS implementation guideline is a plain-English explanation of the requirements from ISO/IEC 27001 (based on the ISO Directives Part 1 Annex SL Appendix 2 concerning the wording and intent of the boilerplate text for all ISO's management systems) plus pragmatic guidance for implementers (based on actual experience). The guideline is not an official ISO/IEC standard but, hey, it's free of charge ... and available now!

    To my eyes, the proposed ISO/IEC 27003-2 resembles phase 3 of the current revision project ... so it is possible that the revision might stop and release the third edition after completing phase 2's plain-English rewording (which I suspect will involve a lot more work than was planned), deferring phase 3 to the new 'part 2' project. Maybe. We shall see.

    Although excluded from the current revision project, the scope and purpose of ISO/IEC 27003 could - at some distant future point perhaps - usefully extend beyond the ISMS design, implementation and certification phase to offer pragmatic advice on the operation, management, monitoring and systematic improvement of the ISMS. Certification of an ISMS is, after all, merely a milestone on the never-ending journey towards security maturity. As information security becomes an integral and valuable part of the organisation's routine business/operational activities and management, changes are bound to occur. Potentially '27003 might distinguish, encourage and support beneficial ISMS changes while discouraging counterproductive or detrimental ones. Alternatively, developing a separate ISO27k standard in parallel with the ongoing revision of ISO/IEC 27003 might be a quicker (less glacial) option, hinting at the possibility of a part 3 to this standard.

    This page last updated: 13 March 2026

  • ISO27k FAQ from ISO27001security

    Detailed answers to a bunch of Frequently Asked Questions about the ISO/IEC 27000-series information security standards

    ISO27k FAQ
    This unusually detailed FAQ poses and addresses Frequently Asked Questions regarding ISO27k, the ISO/IEC 27000 standards. There is a lot to say, lots of pragmatic advice to offer.

    FAQ topics
      • About the ISO27k standards: a gentle introduction to the information security standards
      • Implementing the standards: guidance on interpreting and applying the standards in practice
      • Managing information risks: tips on identifying, analysing, evaluating and treating the risks
      • ISO27k documentation: required documents - SoA, RTP, policies, procedures, records ...?
      • Assurance: guidance on auditing and certification for confidence and trust
      • ISMS maturity: ideas on using continual improvement to embed and mature your ISMS

  • ISO/IEC 27555 | ISO27001security

    ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)

    Abstract
    ISO/IEC 27555 "contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. ..." [Source: ISO/IEC 27555:2021]

    Introduction
    This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100's "Privacy framework".

    Scope
    The standard is intended for organisations that store and process PII "and other personal data", in particular PII Controllers, who are primarily accountable for compliance with privacy laws. It does not address:
      • Specific provisions in laws and contracts (although it does reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
      • Specific deletion rules for particular types ("clusters") of PII;
      • Deletion mechanisms such as those for cloud storage;
      • Security of the deletion mechanisms; nor
      • Specific techniques for de-identification (anonymisation) of data.

    Standardising the approach may facilitate harmonised catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.

    Structure
    Main clauses:
      5: Framework for deletion
      6: Clusters of PII
      7: Specification of deletion periods
      8: Deletion classes
      9: Requirements for implementation
      10: Responsibilities
    ~30 pages

    Status
    The current first edition was published in 2021. It is currently being revised, with publication of the second edition planned for mid-2027. Changes are mostly for readability and consistency, with minor technical updates, e.g. PII clusters can include PII within or inferred from Machine Learning/AI models.

    Commentary
    The standard discusses deletion of "clusters" of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.

    This page last updated: 26 March 2026

  • ISO/IEC TS 27103 | ISO27001security

    ISO/IEC TS 27103:2026 — Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework (first edition*)

    Abstract
    ISO/IEC TS 27103 "provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework." [Source: ISO/IEC TS 27103:2026]

    Introduction
    "The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls are addressed. This can be done through a management systems approach. An Information Security Management system (ISMS) as described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to cybersecurity. [ISO/IEC TS 27103] demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management." [Source: ISO/IEC TS 27103:2026]

    Scope
    The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a "risk-based, prioritized, flexible, outcome-focused, and communications-enabling framework for cybersecurity".

    The 'cybersecurity framework and programme' is described as a set of five 'activities' relating to the 'target state for cybersecurity' (in other words, objectives), applying the conventional systematic ISO27k approach to the management of 'cybersecurity risk':
      • Describe the organization's current cybersecurity status;
      • Describe the organization's target state for cybersecurity;
      • Identify and prioritize opportunities for improvement;
      • Assess progress toward the target state; and
      • Communicate among internal and external stakeholders about cybersecurity risk.

    Somewhat confusingly, the 'framework and programme' also revolves around five 'functions' relating to the incident timescale - basically NIST's Cyber Security Framework:
      • Identify - business context, resources and risks relating to critical [business] functions;
      • Protect - safeguard delivery of critical infrastructure services;
      • Detect - activities to identify cybersecurity events, promptly;
      • Respond - react to and contain identified events;
      • Recover - resilience and restoration of impaired capabilities or services.

    The 'functions' are further divided into 'categories' and 'subcategories' which are cross-referenced to relevant clauses in ISO27k and other standards.

    Structure
    Main clauses:
      5: Background - risk-based approach, stakeholders, framework and programme
      6: Concepts - overview, framework functions
      Annex A: Sub-categories - identify, protect, detect, respond, recover
      Annex B: Three principles of cybersecurity [plus ten essentials] for top management - an alternative to NIST's CSF, cross-referenced to ISO27k standards

    Status
    * This standard was initially published as a Technical Report in 2018 and confirmed unchanged in 2022. It was updated, becoming the current first edition Technical Specification in 2026.

    Commentary
    See also ISO/IEC TS 27110. In ISO-land, a Technical Specification is a standard for an immature or developing technical subject. In theory, that means it should be formally reviewed within three years, becoming an International Standard if there is consensus ... otherwise continuing unchanged or being withdrawn.

    This page last updated: 22 February 2026

  • ISO/IEC 27036-4 | ISO27001security

    ISO/IEC 27036-4:2016 — Information technology — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition)

    Abstract
    ISO/IEC 27036 part 4 "provides cloud service customers and cloud service providers with guidance on (a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and (b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. [Part 4] does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. [Part 4] does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of [part 4] is to define guidelines supporting the implementation of information security management for the use of cloud services" [Source: ISO/IEC 27036-4:2016]

    Introduction
    There are numerous information risks involved in the supply of cloud computing services: this standard encourages suppliers and customers to identify and address them, collaboratively in some cases.

    Scope
    Part 4 guides the suppliers and customers of cloud services on information security management for cloud services.

    Structure
    Main clauses:
      5: Key cloud concepts and security threats and risks
      6: Information security controls in cloud service acquisition lifecycle
      7: Information security controls in cloud service providers
      Annex A: Information security standards for cloud providers
      Annex B: Mapping to ISO/IEC 27017 controls

    Status
    The current first edition of part 4 was published in 2016 and confirmed unchanged in 2022.

    Commentary
    Part 4 explicitly describes the information risks that it addresses. Full marks! Various security controls are recommended to mitigate unacceptable risks so, in order for an organisation to choose appropriate controls, it helps to know what those risks are.

    This page last updated: 22 February 2026

  • ISO/IEC 27033-2 | ISO27001security

    ISO/IEC 27033-2:2012 — Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition)

    Abstract
    ISO/IEC 27033 part 2 "gives guidelines for organizations to plan, design, implement and document network security." [Source: ISO/IEC 27033-2:2012]

    Introduction
    Part 2 revised and replaced ISO/IEC 18028 part 2. It defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern, independently of the network's underlying technology.

    Scope
    Planning, designing, implementing and documenting network security. Objective: "to define how organisations should achieve quality network technical security architectures, designs and implementations that will ensure network security appropriate to their business environments, using a consistent approach to the planning, design and implementation of network security, as relevant aided by the use of models/frameworks. (In this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design)".

    Structure
    Main clauses:
      6: Preparing for design of network security
      7: Design of network security
      8: Implementation
      Annex A: Cross-references between ISO/IEC 27001:2005/ISO/IEC 27002:2005 network security-related controls and ISO/IEC 27033-2:2012 clauses
      Annex B: Example documentation templates
      Annex C: ITU-T X.805 framework and ISO/IEC 27001:2005 control mapping

    Status
    The current first edition of part 2 was published way back in 2012 and confirmed unchanged in 2018. It is now seriously out of date, referring to old editions of other standards and missing out on current network security issues such as cloud security and virtual networking.

    Commentary
    The standard serves as a foundation for detailed recommendations on end-to-end network security. It covers risks, design, techniques and control issues, and refers to other parts of ISO/IEC 27033 for more specific guidance.

    This page last updated: 23 February 2026

  • ISO/IEC 27102 | ISO27001security

    ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition)

    Abstract
    ISO/IEC 27102 "provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organisation's information security risk management framework. ..." [Source: ISO/IEC 27102:2019]

    Introduction
    There is a global market for 'cyber-insurance', providing options for the transfer of some information/commercial risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from 'cyber-incidents' (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organisation.

    Scope
    This standard explains:
      • Essential insurance concepts to information risk and security professionals;
      • Essential cybersecurity concepts to insurance professionals;
      • What the insurers and customers of cyber-insurance typically expect of each other;
      • How to scope, determine, specify and procure appropriate cyber-insurance, to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;
      • The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.

    Structure
    Main clauses:
      5: Overview of cyber-insurance and cyber-insurance policy
      6: Cyber-risk and insurance coverage
      7: Risk assessment supporting cyber-insurance underwriting
      8: Role of ISMS in support of cyber-insurance
      Annex A: Examples of ISMS documents for sharing

    Status
    The current first edition was published in 2019. The second edition is at Working Draft stage, refocusing on how cyber insurance can both support and draw upon an ISMS, and updating to reflect the current 2022 versions of ISO/IEC 27001 and 27002. A new title has been approved ("Guidelines for the use of ISMS in support of cyber insurance") plus a revised scope ("This document provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization's information security risk management framework, as well as leveraging the organization's ISMS when sharing relevant data and information with an insurer. This document gives guidelines for: a) considering the purchase of cyber insurance as a risk treatment option to share cyber risks; b) leveraging cyber insurance to assist in managing the impact of a cyber incident; c) sharing of data and information between the insured and an insurer to support underwriting, monitoring and claims activities associated with a cyber insurance policy; d) leveraging an ISMS when sharing relevant data and information with an insurer. This document is applicable to organizations that intend to purchase cyber insurance, regardless of type, size or sector.").

    Commentary
    The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered. It concerns what I would call everyday [cyber] incidents, a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various kinds of insurance, and some, such as loss of critical people, may or may not be insurable. Whether these are included in or excluded from cyber-insurance depends on the policy wording and interpretation. Insurers are well aware of their dependence on integrity and credibility, plus the ability to pay out on rare but severe events. This standard is a basis for mutual understanding, supporting full and frank discussions between cyber-insurers and their clients on the terms and conditions leading to appropriate insurance cover. Meanwhile, both insurers and insured share a common interest in avoiding, preventing or mitigating all kinds of incident involving valuable yet vulnerable information (including digital information), which is where the remaining ISO27k standards shine.

    This page last updated: 22 February 2026

© 2026 IsecT Limited 
