Search Results
122 results found with an empty search
- ISO/IEC 27400 | ISO27001security
ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines (first edition)

Abstract: ISO/IEC 27400 “provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT) solutions.” [Source: ISO/IEC 27400:2022]

Introduction: The standard provides guidance on the principles, [information] risks, and the corresponding information security and privacy controls to mitigate those risks associated with the Internet of Things. Insecure things can impact security and privacy in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls are needed to mitigate unacceptable risks.

Things can be considered both as discrete electronic devices, and as components in larger, more complex ‘ecosystems’ potentially including:
  - The operating systems and applications they run, delivering various services;
  - The network infrastructure (personal, local and wide area networks);
  - The physical world with which they interact through sensors and actuators;
  - The people who specify, acquire, configure, use and manage them;
  - The organisations that design and manufacture, use/operate and manage them;
  - Society at large since things are ‘everywhere’.

Challenges and information risks in the context of IoT include:
  - Huge variety, innovation and ubiquity with things penetrating ever deeper into our businesses, homes, vehicles and lives;
  - Vulnerabilities in the systems, applications and networks, plus the associated processes and activities (e.g. simply compiling, let alone maintaining and using, an inventory of things is tricky and costly - as we discovered during the Y2k crisis);
  - Threats, both deliberate (e.g. hackers and malware) and natural (e.g. adverse physical operating conditions, power cuts, static discharge, design flaws, bugs/coding errors, user accidents and ineptitude);
  - Impacts, potentially including safety hazards and property damage as well as the usual information security and privacy incidents (e.g. data corruption, disclosure, loss);
  - Lifecycle implications (e.g. cheap, disposable, unmanaged and/or deeply embedded things may hang around for years and are unlikely to be supported or patched, ever);
  - Ordinary users may not have an interest in or understand the security and privacy of their things, while even IT professionals may not have the time, leaving fit-and-forget things largely unmanaged, unmonitored and unmaintained;
  - Concerns around interoperability, interaction and dependencies between things, and with other networked devices;
  - Individually, most things have limited functionality, accessibility (e.g. minimalist human-machine interfaces) and computing performance (e.g. little processing and storage capacity);
  - Mobility, dynamics and complexity verging on chaos and anarchy;
  - Applications/use cases and situations may not have been anticipated by their designers/manufacturers (e.g. when things are re-purposed, combined or customised for novel applications);
  - Things may change hands over time, affecting the context and raising the possibility of insecure configurations and inappropriate disclosure of stored information (e.g. when casually sold-on, lost or discarded).

IoT designers/manufacturers and users, both individuals and organisations, may be oblivious to the information risks and appropriate/necessary controls, hence the standard (and this website!) has a role in raising awareness and trustworthiness, driving up maturity on both the supply (vendor) and the demand (customer) sides.

Scope: The standard is specific to IoT, covering both information security and privacy.

Structure: Main clauses:
  - 5: IoT concepts
  - 6: Risk sources for IoT systems
  - 7: Security and privacy controls
  - Annex A: IoT monitoring camera sample risk scenario

Status: The current first edition was published in 2022. It was proposed to change this standard into a “horizontal deliverable” spanning several ISO/IEC committees with common interests in IoT, becoming a foundational standard defining the underlying concepts or principles. [I don’t know if that was accepted.]

Commentary: The standard strikes me as idealistic - a stretch goal for the IoT market as a whole, a reasonable strategy for an international standard. It may get traction in the area of industrial and safety-critical IoT. As to consumer grade things, it’s hard to predict much progress on security and privacy given the cost constraints and present lack of demand for security and privacy - a classic example of the need for pragmatic standards.

The standard identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration. I have some concerns about the selection and the wording, and the lack of direct linkages between the IoT security controls recommended elsewhere in the standard and the identified risks that they are presumably intended to mitigate. However, discussing relevant [information] risks in an ISO27k standard is, I feel, a positive move in its own right. Most ISO27k standards leap directly to recommending a bunch of information security controls, barely even mentioning the information risks. This standard goes a step beyond the “Just do this:” style, albeit a small step. It’s a start, a prompt for users of the standards to identify, consider and evaluate the information risks in their own contexts. I hope the information risk-aligned approach will spread to all the ISO27k standards in due course ... although so far I have seen no hint of strategic intent expressed by SC 27 along these lines, and such a change would undoubtedly take decades.

This page last updated: 12 February 2026
- ISO/IEC TS 27115 | ISO27001security
ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview (DRAFT)

Abstract: ISO/IEC TS 27115 “provides the foundations and concepts for the cybersecurity evaluation of complex systems. Two frameworks are defined: The first is used to specify the cybersecurity of a complex system, including system of systems. The second is used to evaluate the corresponding cybersecurity solutions. The frameworks use basic architecture concepts: to enable description of reference or solution cybersecurity architectures; to support model-based, comprehensive and scalable security solutions and their evaluation; and to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles.” [Source: ISO.org info page]

Introduction: Using concepts and terms borrowed from the Common Criteria such as Target of Evaluation and security profile, this Technical Specification intends to explain how to: (a) develop a security architecture (or design) for a complex system; and (b) evaluate a complex system against the architecture.

Scope: The Working Draft's formal definition of "complex system" as "a system or system of systems" is self-referential and unhelpful, especially with two of those "Error: Reference source not found" citations embedded. The WD introduction refers somewhat obtusely to complex system:
  - The complexity of security and legislation for privacy, cybersecurity or AI (hinting, perhaps, at 'the complex system' being a computer system of some sort plus its associated security arrangements ... and perhaps the associated compliance framework/s?);
  - 'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);
  - Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.

"System" is defined in the WD as "arrangement of parts or elements that together exhibit a stated behaviour or meaning that the individual constituents do not", with three notes:
  - Note 1 to entry: A system is sometimes considered as a product or as the services it provides.
  - Note 2 to entry: In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. aircraft system. Alternatively, the word “system” is substituted simply by a context-dependent synonym (e.g. aircraft), though this potentially obscures a system principles perspective.
  - Note 3 to entry: A complete system includes all of the associated equipment, facilities, material, computer programs, firmware, technical documentation, services, and personnel required for operations and support to the degree necessary for self-sufficient use in its intended environment.

Structure: Main clauses:
  - 5: Overview
  - 6: Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"
  - 7: Security architecture evaluation - evaluating systems against criteria declared in their security profiles
  - 8: Architecture-based security profiles
  - 9: Composed security profiles - compilation of security profiles from individual systems comprising system-of-systems
  - Annex A: Architecture foundations
  - Annex B: Guidance for elaborating a security architecture
  - Annex C: Guidance for evaluating a security architecture
  - Annex D: Security example for a network infrastructure

Status: The standard development project commenced in 2023. I think it is now at Working Draft stage ... although the WD file name says CD so maybe it is at the end of drafting. It is due to be published in 2026, more likely 2027.

Commentary: This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the Working Draft has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.

This page last updated: 12 February 2026
- ISO/IEC TS 27110 | ISO27001security
ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development guidelines (first edition)

Abstract: “[ISO/IEC TS 27110] specifies guidelines for developing a cybersecurity framework. It is applicable to cybersecurity framework creators regardless of their organisations' type, size or nature.” [Source: ISO/IEC TS 27110:2021]

Introduction: This Technical Specification offers guidance for those within organisations who are creating cybersecurity frameworks, defined as “basic sets of concepts used to organize and communicate cybersecurity activities”.

Scope: The standard “specifies guidelines for developing a cybersecurity framework.”

Structure: Main clauses:
  - 5: Overview
  - 6: Concepts
  - 7: Creating a cybersecurity framework
  - Annex A: Considerations in the creation of a cybersecurity framework - outlines some inputs, activities and outputs for each of the identify, protect, detect, respond and recover stages
  - Annex B: considerations in the integration of a cybersecurity framework - concerns its 'integration into practice' a.k.a. implementation

Status: The current first edition was published as a Technical Specification in 2021 and confirmed unchanged in 2024.

Commentary:
  - The intended audience and purpose of this standard is hard to fathom. Who is it for, and what is a “cybersecurity framework” anyway? Whose ‘burden’ is it seeking to lighten, and what is the nature of their burden? According to the introduction, “business groups, government agencies, and other organisations produce documents and tools called cybersecurity frameworks to help organize and communicate cybersecurity activities of organisations”. My toolbox contains no “cybersecurity frameworks” so I guess this standard is not aimed at me;
  - The standard makes no attempt to explain what it means by ‘cybersecurity’. This is yet another ISO27k ‘cybersecurity’ project that studiously avoids defining the term, using woolly language to confuse instead of clarify. So much for international standards pushing back the frontiers;
  - The distinction between “creators” and “implementors” of “cybersecurity frameworks” implies a conventional waterfall approach i.e. someone first identifies requirements, designs and develops a solution (the “framework”) which someone else then puts into operation. There is no hint presently that the process might be iterative, or that both phases would need to be governed and managed appropriately. However, I’m guessing here since the standard does not elaborate: it simply states that framework creators are its intended audience;
  - The ‘concepts’ that (according to the standard) “should be included in a cybersecurity framework” simply reflect the usual pre-, para- and post-incident stages, another simplistic linear timeline. This is hardly rocket surgery. However, the standard makes no attempt to justify why these specific ‘concepts’ ‘should’ be ‘included’, and completely ignores the possibility of other potential ‘concepts’ or framework structures (such as ISO/IEC 27001 to name but one of several);
  - The examples listed in Annex C suggest a “cybersecurity framework” might be a strategic approach for dealing with (presumably IT and Internet-related information) risks to critical national infrastructures, implying therefore that the ‘cybersecurity framework creators’ would be government officials. But I’m guessing again, pecking between the lines like a hungry chicken for tiny crumbs of sense.

The relationship between a “cybersecurity framework” and a conventional ISMS remains unclear at this point. Those “documents and tools” sound to me suspiciously like the embodiment of a management system, despite the draft standard stating categorically “This document is not intended to supersede or replace the requirements of an ISMS given in 27001” [sic].

To my cynical, perhaps jaundiced eye, this looks suspiciously like an attempt to align ISO27k with - or perhaps amend ISO27k to embody - NIST’s Cyber Security Framework specifically. Organisations that prefer the CSF are of course free to adopt it, so why change ISO27k, especially while “cybersecurity” remains a solid-gold buzzword that consistently defies definition? Oh I despair!

This page last updated: 12 February 2026
- ISO/IEC TS 27103 | ISO27001security
ISO/IEC TS 27103:2026 — Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework (first edition*)

Abstract: ISO/IEC TS 27103 “provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework.” [Source: ISO/IEC TS 27103:2026]

Introduction: "The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls are addressed. This can be done through a management systems approach. An Information Security Management system (ISMS) as described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to cybersecurity. [ISO/IEC TS 27103] demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management." [Source: ISO/IEC TS 27103:2026]

Scope: The standard offers guidance on using existing ISO and IEC standards (not just ISO27k) in a "risk-based, prioritized, flexible, outcome-focused, and communications-enabling framework for cybersecurity".

The 'cybersecurity framework and programme' is described as a set of five 'activities' relating to the 'target state for cybersecurity' (presumably meaning objectives), applying the conventional systematic ISO27k approach to the management of 'cybersecurity risk':
  - Describe the organization’s current cybersecurity status;
  - Describe the organization’s target state for cybersecurity;
  - Identify and prioritize opportunities for improvement;
  - Assess progress toward the target state; and
  - Communicate among internal and external stakeholders about cybersecurity risk

Confusingly, the 'framework and programme' also revolves around five 'functions' relating to the incident timescale - basically NIST's Cyber Security Framework:
  - Identify - business context, resources and risks relating to critical [business] functions;
  - Protect - safeguard delivery of critical infrastructure services;
  - Detect - activities to identify cybersecurity events, promptly;
  - Respond - react to and contain identified events;
  - Recover - resilience and restoration of impaired capabilities or services.

The 'functions' are further divided into 'categories' and 'subcategories' which are cross-referenced to relevant clauses in ISO27k and other standards.

Structure: Main clauses:
  - 5: Background - risk-based approach, stakeholders, framework and programme
  - 6: Concepts - overview, framework functions
  - Annex A: Sub-categories - identify, protect, detect, respond, recover
  - Annex B: Three principles of the cybersecurity [plus ten essentials] for top management - an alternative to the NIST CSF approach, cross-referenced to ISO27k standards

Status: * This standard was initially published as a Technical Report in 2018 and confirmed unchanged in 2022. It was updated, becoming the current first edition as a Technical Specification in 2026.

Commentary: See also ISO/IEC TS 27110. In ISO-land, a Technical Specification is a standard for an immature or developing technical subject. In theory, that means it should be formally reviewed within three years, becoming an International Standard if there is consensus ... otherwise continuing unchanged or being withdrawn.

This page last updated: 12 February 2026
- ISO/IEC 27102 | ISO27001security
ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition)

Abstract: ISO/IEC 27102 “provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organisation's information security risk management framework. ...” [Source: ISO/IEC 27102:2019]

Introduction: There is a global market for ‘cyber-insurance’, providing options for the transfer of some information/commercial risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber-incidents’ (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organisation.

Scope: This standard explains:
  - Essential insurance concepts to information risk and security professionals;
  - Essential cybersecurity concepts to insurance professionals;
  - What the insurers and customers of cyber-insurance typically expect of each other;
  - How to scope, determine, specify and procure appropriate cyber-insurance to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;
  - The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.

Structure: Main clauses:
  - 5: Overview of cyber-insurance and cyber-insurance policy
  - 6: Cyber-risk and insurance coverage
  - 7: Risk assessment supporting cyber-insurance underwriting
  - 8: Role of ISMS in support of cyber-insurance
  - Annex A: Examples of ISMS documents for sharing

Status: The current first edition was published in 2019. The second edition is at first Working Draft stage. The standard may be refocused on how cyber insurance can both support and draw upon an ISMS, and updated to reflect the current 2022 versions of ISO/IEC 27001 and 27002. A new title has been approved (“Guidelines for the use of ISMS in support of cyber insurance”) plus a revised scope (“This document provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization’s information security risk management framework, as well as leveraging the organization’s ISMS when sharing relevant data and information with an insurer. This document gives guidelines for: a) considering the purchase of cyber insurance as a risk treatment option to share cyber risks; b) leveraging cyber insurance to assist in managing the impact of a cyber incident; c) sharing of data and information between the insured and an insurer to support underwriting, monitoring and claims activities associated with a cyber insurance policy; d) leveraging an ISMS when sharing relevant data and information with an insurer. This document is applicable to organizations that intend to purchase cyber insurance, regardless of type, size or sector.”).

Commentary: The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered. It concerns what I would call everyday [cyber] incidents, a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various kinds of insurance, and some such as loss of critical people may or may not be insurable. Whether these are included or excluded from cyber-insurance depends on the policy wording and interpretation.

Insurers are well aware of their dependence on integrity and credibility, plus the ability to pay out on rare but severe events. This standard is a basis for mutual understanding, supporting full and frank discussions between cyber-insurers and their clients on the terms and conditions leading to appropriate insurance cover. Meanwhile both insurers and insured share a common interest in avoiding, preventing or mitigating all kinds of incident involving valuable yet vulnerable information (including the digitals), which is where the remaining ISO27k standards shine.

This page last updated: 12 February 2026
- ISO/IEC TS 27100 | ISO27001security
ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)

Abstract: ISO/IEC TS 27100 “provides an overview of cybersecurity. [It]: describes cybersecurity and relevant concepts, including how it is related to and different from information security; establishes the context of cybersecurity; does not cover all terms and definitions applicable to cybersecurity; and does not limit other standards in defining new cybersecurity-related terms for use.” [Source: ISO/IEC TS 27100:2020]

Introduction: According to this Technical Specification: “[ISO/IEC TS 27100] defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security. Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”

Scope: Overview of cybersecurity: the standard explains various terms and concepts relating to cyber security and cyber risk management, contrasting them against information risk and security management. "Cybersecurity is a broad term used differently through the world ... Cybersecurity focuses on the risks in cyberspace, an interconnected digital environment that can extend across organizational boundaries, and in which entities share information, interact digitally and have responsibility to respond to cybersecurity incidents." [Source: ISO/IEC TS 27100:2020]

Structure: Main clauses:
  - 4: Concepts
  - 5: Relationship between cybersecurity and relevant concepts
  - 6: Risk management approach in the context of cybersecurity
  - 7: Cyber threats
  - 8: Incident management in cybersecurity
  - Annex A: A layered model representing cyberspace

Status: The current first edition of this Technical Specification was published in 2020 and confirmed unchanged in 2024.

Commentary: See ISO/IEC 27032. It seems to me two ‘cyber’ worlds coexist on parallel planes:
  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by highly capable and determined foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It could be a delaying tactic. However, I may be a semi-paranoid conspiracy theorist.
  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, a subset of information security in fact. Move along please, nothing much to see here.

Rather than clarifying the concepts and terminology, advancing the field, the standard muddies the waters - possibly the desired outcome of #1 above. Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul de sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution. They claimed “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a curious way of putting it. Ironic, that, for a standard that was meant to clarify things ...

This page last updated: 12 February 2026
- ISO/IEC 27091 | ISO27001security
ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]

Abstract: [ISO/IEC 27091] "provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems, including machine learning (ML) models. [ISO/IEC 27091] helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences and treatment of such risks. ..." [Source: ISO/IEC 27091 Draft International Standard]

Introduction: By gathering and processing substantial quantities of information (maybe even 'big data'), AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people, or inferring sensitive details - unless appropriate privacy arrangements are made.

Scope: The standard applies to all manner of organisations that develop or use AI systems. The focus is on mitigating privacy risks by integrating suitable privacy controls into the design of AI/Machine Learning systems. Business decisions about whether it is even appropriate to design, build, use and connect AI systems and services at all, plus general considerations for information risk and security management (e.g. ensuring data accuracy plus system/services resilience, and dealing with incidents) are largely or completely out of scope.

Structure: Main clauses:
  - 5: Framework for privacy analysis of AI systems - gives an overview of the classical information risk management process i.e. identify, analyse, evaluate and treat privacy risks.
  - 6: Privacy of AI models - discusses a few well-known AI system 'privacy threats' (modes of attack that are relevant to privacy e.g. membership inference, training data extraction, poisoning, model inversion, insider risk ...) with generic advice on mitigating controls (e.g. limiting access, anonymisation and pseudonymisation, input and output filtering).
  - 7: Privacy in AI system lifecycle - privacy engineering.
  - Annex A: Additional information for privacy analysis of AI systems.
  - Annex B: Use case template

Status: The standard development project started in 2023. The standard is essentially complete, presently at Draft International Draft stage, with national standards bodies due to vote before the end of February 2026. It looks likely to be published during 2026.

Commentary: The standard's risk-based approach makes sense, but (as with so much AI security-related work at the moment) the scope, focus or perspective feels rather academic and constrained to me. The standard does not, in my admittedly jaundiced opinion, adequately address or acknowledge the bigger picture here e.g.:
  - Broader aspects of information risk and security management such as strategies, policies, architectures, compliance, change and incident management, including the extent to which those activities address privacy, specifically [the standard refers to ISO/IEC 27090 for this - currently also in draft];
  - 'Classical' information risks, threats, attacks, vulnerabilities, impacts and consequences that just happen to involve AI, such as smart phishing, smart malware, smart fraud, smart piracy etc. using AI systems, services and tools for nefarious purposes including coercion, misinformation and disinformation - with incidental and indirect rather than central and direct privacy implications;
  - Societal aspects such as the continued erosion of trust and control over our personal information as it is increasingly being demanded, requested, gathered, shared and exploited, including by various authorities, both openly and covertly, systematically, at scale;
  - The longstanding disparity of privacy approaches between most of the world (with GDPR and OECD guidance essentially giving individuals rights to retain ownership and control of their own personal information in perpetuity), and the USA in particular (where it seems personal information can be gathered, shared and exploited commercially by whoever holds it, similarly to other types of information, with little reference to the individuals concerned);
  - Compliance, commercial, technological and practical implications if, say, the individuals whose personal information has been used for model training decide to withdraw their consent and (under GDPR) insist that their information is deleted and no longer used, or insist on corrections being made;
  - Innovation and novelty of all this, meaning that collectively we have quite a journey ahead towards maturity, with anticipated and surprising incidents ('learning points') likely along the way - such as people naively building and using advanced AI systems without reference to applicable laws, regulations, policies and practices ('shadow AI'), and the race towards Artificial General Intelligence;
  - Commercial aspects such as the intense competition within the AI industry, and what will happen with potentially valuable AI models, big data and metadata if AI companies implode or are taken over, possibly but not necessarily just when the AI bubble bursts.

However, the standard does usefully discuss the use of AI to support:
  - Privacy consent management and control;
  - Privacy-Enhancing Technologies such as cryptographic authentication, encryption and anonymisation, pseudonymisation and data minimisation (a nod towards risk avoidance);
  - Privacy assurance such as auditing, monitoring, detecting and responding to privacy violations;
  - Security for AI models and federated learning, including access control and identity management;
  - Natural Language Processing for data privacy policies.

This page last updated: 12 February 2026
- ISO/IEC 27090 | ISO27001security
Back Up Next ISO/IEC 27090 ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT] Up Abstract ISO/IEC 27090 “addresses security threats and compromises specific to artificial intelligence (AI) systems. The guidance in this This document aims to provide information to organizations to help them better understand the consequences of security threats specific to AI systems, throughout their life cycle, and descriptions of how to detect and mitigate such threats. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.” [Source: ISO/IEC 27090 D raft I nternational S tandard] Introduction The rampant proliferation of ‘smart systems’ means ever greater reliance on automation: computers are making decisions and reacting or responding to situations that would previously have required human beings. Currently, however, the tech smarts are limited, so the systems don’t always react or behave as they should. Scope The standard will guide organisations on addressing security threats to A rtificial I ntelligence systems. It will: Help organisations better understand the consequences of security threats to AI systems, throughout their lifecycle; and Explain how to detect and mitigate such threats. Structure The standard will cover at least a dozen threats such as: Poisoning - data and model poisoning e.g. deliberately injecting false information to mislead and hence harm a competitor’s AI system; Evasion - deliberately misleading the AI algorithms using carefully-crafted training inputs; Membership inference and model inversion - methods to distinguish [and potentially manipulate] the data points used in training the system; Model stealing - theft of the valuable intellectual property in a trained AI system/model. 
For each threat, the standard will offer about a page of advice:
  Describing the threat;
  Discussing the potential consequences of an attack;
  Explaining how to detect and mitigate attacks.
An extensive list of references will direct readers to further information including relevant academic research and more pragmatic advice, including other standards.
Status
ISO/IEC JTC 1/SC 27/WG 4 started developing this standard in 2022.
The standard is now at Draft International Standard stage, due for publication during 2026.
Commentary
It will be disappointing if imprecise/unclear use of terminology in the draft persists in the published standard. Are ‘security failures’ vulnerabilities, control failures, events, incidents or compromises maybe? Are ‘threats’ attacks, information risks, threat agents, incidents or something else?
Detecting ‘threats’ (which generally refers to impending or in-progress attacks) is seen as a focal point for the standard, hinting that security controls cannot respond to undetected attacks ... which may be generally true for active responses but not for passive, general purpose controls.
As usual with ‘cybersecurity’, the proposal and drafts focused on active, deliberate, malicious, focused attacks on AI systems by motivated and capable adversaries, disregarding the possibility of natural and accidental threats such as design flaws and bugs, and threats from within i.e. insider threats.
The standard addresses ‘threats’ (attacks) to AI that are of concern to the AI system owner, rather than threats involving AI that are of concern to its users or to third parties e.g. hackers and spammers misusing AI systems to learn new malevolent techniques. The rapid proliferation (explosion?) of publicly-accessible AI systems during 2023 put a rather different spin on this area.
The scope excludes ‘robot wars’ where AI systems are used to attack other AI systems. Scary stuff, if decades of science fiction and cinema blockbusters are anything to go by.
The potentially significant value of AI systems in identifying, evaluating and responding to information risks and security incidents is also out of scope of this standard: the whole thing is quite pessimistic, focusing on the negatives. However, the hectic pace of progress in the AI field is clearly a factor: this standard will provide a starting point, a foundation for further AI security standards and updates as the field matures.
This page last updated: 12 February 2026
- ISO/IEC 27071 | ISO27001security
ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services (first edition)
Abstract
ISO/IEC 27071 “provides a framework and recommendations for establishing trusted connections between devices and services based on hardware security modules. It includes recommendations for components such as: hardware security module, roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity. [ISO/IEC 27071] is applicable to scenarios that establish trusted connections between devices and services based on hardware security modules. [ISO/IEC 27071] does not address privacy concerns.” [Source: ISO/IEC 27071:2023]
Introduction
This standard concerns mutual authentication between distributed network devices (such as sensors and other IoT things) and [cloud-based] information services, using Public Key Infrastructure and physical Hardware Security Modules (HSMs) - complementing the virtual roots of trust described in ISO/IEC 27070.
Scope
The standard lays out a conceptual framework for establishing trusted connections between devices and services based on HSMs, with recommendations for roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity.
Structure
Main clauses:
  5: Framework and components for establishing a trusted connection - concepts and architectures
  6: Security recommendations for establishing a trusted connection - brief descriptions of the information and physical security controls recommended to ensure that device-service connections are sufficiently secure, trusted and trustworthy.
  Annex A: Threats
  Annex B: Solutions for components of a trusted connection
  Annex C: Example of establishing a trusted connection
The standard is admirably succinct.
Status
The current first edition was published in 2023.
Commentary
Here is a fictitious scenario illustrating the need for mutual authentication.
Imagine your electric car maintains detailed technical data about the places it has been driven to, the manner of driving, battery performance etc. You agree to share the data routinely with the vehicle manufacturer through a 4G or 5G connection to a car monitoring app, in return for a warranty extension, driving tips or advance warning of issues requiring a service visit.
How does the manufacturer know the data uploaded by your car is, in fact, from your car, not a cloned or modified vehicle?
How does your car know that the car monitoring app is, in fact, the car monitoring app run by the manufacturer, not some naughty hacker intent on discovering your movements and habits for blackmail or kidnap, or another car manufacturer snooping on its competitor’s technology, or an agent for the insurance companies illicitly checking on your driving competence and hence risk profile?
This page last updated: 12 February 2026
- ISO/IEC 27070 | ISO27001security
ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)
Abstract
ISO/IEC 27070 “specifies requirements for establishing virtualized roots of trust.” [Source: ISO/IEC 27070:2021]
Introduction
The integrity and hence value of some security functions and subsystems (particularly those relating to cryptography) relies on their being based on trustworthy foundations known as the Root of Trust (RoT). Special RoT security arrangements are necessary to negate threats involving low-level exploitation of data-processing chips, devices or systems, in turn compromising the higher-level firmware, device drivers, operating system and application software that build upon the RoT.
Whereas trusted computing generally involves some form of Hardware Security Module (e.g. an ISO/IEC 11889 Trusted Platform Module) providing various cryptographic functions and key storage in a physically secure tamper-resistant enclosure, that architecture is not well suited to cloud computing. In the cloud, systems are virtualised, hence they cannot readily access and rely directly upon hardware-based RoT in the conventional manner.
Scope
The standard specifies functional requirements and information security controls supporting the provision of trustworthy foundations for cloud computing environments, where Virtual Machines are dynamically created to provide cloud services.
Structure
Main clauses:
  5: Functional view - describes the architecture in functional/modular terms
  6: Activity view - describes how the functional modules deliver the desired level of trusted computing.
  Annex A: relationship between activity and functional views
Status
The current first edition was published in 2021.
Commentary
The trust, risk and security implications of this are, frankly, above my pay grade.
As my withered little old brain understands it, the standard aims to establish a rock-solid foundation on which to build the house of cards delivering cloud computing services. Regardless of all the information risks and security controls at higher levels (of which there are many), providing a sound, trustworthy platform makes RoT a fundamental security requirement. Otherwise, we’re erecting skyscrapers in the marshlands.
This page last updated: 12 February 2026
