Search Results
- ISO/IEC TS 27115-2 | ISO27001security
ISO/IEC TS 27115-2 — Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 2: Security architecture evaluation

Abstract
??

Introduction
??

Scope
[ISO/IEC TS 27115-2] provides a framework to evaluate the cybersecurity of complex systems, including systems of systems, based on ISO/IEC TS 27115-1. The framework uses basic architecture concepts to support model-based, comprehensive and scalable security solutions and their evaluation.

Structure
??

Status
Part 2 is due out in 2028. It is currently at Working Draft stage.

Commentary
TBA

This page last updated: 2 April 2026
- ISO 27799 | ISO27001security
ISO 27799:2025 — Health informatics — Information security controls in health using ISO/IEC 27002 (third edition)

Abstract
ISO 27799:2025 "contains a set of information security controls for health organizations. It considers all the controls in ISO/IEC 27002:2022 and, in some cases, supplements the controls or provides guidance on their application in health. There are also some additional controls specific to health which are not derived from any in ISO/IEC 27002:2022" [Source: ISO 27799:2025]

Introduction
This standard offers guidance on information security controls applicable to the health industry and medical-related organisations of various kinds - hospitals, labs, surgeries, medical insurers, medical device suppliers etc. Information security controls are appropriate to mitigate unacceptable risks to the confidentiality, integrity and availability of:
- Personal information, including private health information and safety-related time-sensitive information;
- Health-related information provided by or released to third parties such as lab test results, medical histories/records and research studies;
- Data processed by medical devices such as electronic heart monitors, pacemakers and various scanners.
Healthcare companies also face risks associated with non-health commercial information in any business, such as the information used for financial, personnel and commercial management. Furthermore, they are required to comply with various laws, regulations, standards and codes, some of which relate to information security, privacy, safety, essential infrastructure services etc. Although not explicitly excluded from the scope, such areas are not the focus of ISO 27799.

Scope
The standard helps medical/healthcare-related organisations, plus professionals working for them on information risk, security, privacy and related matters (including assurance), interpret and apply information security controls from ISO/IEC 27002 (with some extensions) plus ISO 81001-1 Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts and other cited references.

Structure
Main clauses:
4 - General
5 - Organizational controls
6 - People controls
7 - Physical controls
8 - Technological controls
Annex A - Information security controls for health reference (checklist?)
Annex B - Correspondence between the second and third editions of ISO 27799
Annex C - Information security in health organizations (overview?)
Annex D - Example infosec and privacy requirements (risks?) mapped to controls

Status
The first edition was published in 2008. It was developed by ISO/TC 215 Health informatics, not ISO/IEC JTC 1/SC 27, based on ISO/IEC 17799:2005. The second edition, updated to reflect ISO/IEC 27001:2013 and ISO/IEC 27002:2013, was published in 2016. The current third edition was published in 2025. It was updated for ISO/IEC 27002:2022, and is now focused on the information security controls, omitting the ISO/IEC 27001 Information Security Management System aspects from the previous edition.

Commentary
Unfortunately I don't have access to the content of this standard so have nothing substantial to add beyond the general information provided publicly on ISO.org. However, speaking as a former pharmaceuticals infosec pro, I wonder how much of the medical supply chain is in-scope e.g. are pharmaceuticals suppliers covered, given that they accumulate, generate, process, use, manage and disclose often sensitive commercial and technical information on drugs including clinical trials, extremely valuable intellectual property and, of course, safety-critical information about drug use and efficacy? Pharmacies and pharmacists? And as a former microbial geneticist, what about medical-related research on, say, infectious diseases such as COVID? What about public health and statistical information on disease outbreaks, 'cancer clusters', obesity etc., or the effectiveness and side effects of various treatments (not just conventional, approved drugs - 'alternative therapies' such as homeopathy, herbalism and self-administered narcotics spring to mind here)? Forensic pathology? Counselling? Rehabilitation? Smart prosthetics? Gyms and sports coaches? And then what about animal health e.g. veterinarians? Non-human animals' privacy may be of no concern to humans but again there are commercial, healthcare and safety aspects. Bottom line: this standard may have some application and value way beyond its stated scope. Maybe not. If you are involved in any way with the intersection of health and information, I suggest taking a good look at this standard.

This page last updated: 12 February 2026
- ISO/IEC TS 27022 | ISO27001security
ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)

Abstract
ISO/IEC TS 27022 "defines a process reference model (PRM) for the domain of information security management, which is meeting the criteria defined in ISO/IEC 33004 for process reference models (see Annex A). It is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018, 4.3, within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS. [ISO/IEC TS 27022] is complementing the requirements-oriented perspective of ISO/IEC 27003 with an operational, process-oriented point of view.” [Source: ISO/IEC TS 27022:2021]

Introduction
The standard (a Technical Specification) “provides a process reference model (PRM) for information security management, which differentiates between ISMS processes and measures/controls initiated by them ... [and] describes the ISMS processes implied by ISO/IEC 27001.” The standard is based on a PhD thesis.

Scope
The standard lays out, in some detail, a Process Reference Model comprising a generic suite of ISMS processes that organisations may wish to use as a basis for designing custom processes within their own ISMS. The standard “is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.” This advisory standard does not add or modify the ISMS requirements in ISO/IEC 27001.

Structure
The ISMS processes described fall into 3 “categories” (types or groups) i.e.:
- Governance activities (confusingly titled ‘management processes’) - direction and oversight for the ISMS;
- Core operations e.g. information risk and security management, policy management, incident management, internal audits ...; and
- Support e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...
The processes are each laid out in an Appendix, first as a table specifying:
- Process “category” denoting the type of process
- A brief description
- Objective/purposes
- Input[s] and Output[s]
- Activities/functions i.e. a few words for each of the main steps in the process
- Informative references.
The table is followed by a flowchart summarising each process on one side or less.

Status
The current first edition was published in 2021. An amendment updating references to ISO/IEC 27001:2022 and other ISO27k standards was in preparation in 2024 but the proposed revision of the standard was dropped due to lack of expert support.

Commentary
Mature organisations may already have processes for:
- Asset management;
- Audit management, both internal and external;
- Business continuity management (see ISO 22301: ISO/IEC 27001 is limited to continuity of information security operations during major incidents);
- Change management plus configuration management and version control;
- Continuous improvement and maturity management;
- Database [security] management;
- Exemption management (management-approved nonconformity with policies);
- Facilities management including power and other services for the computer room;
- Identity, access rights and user account management;
- Incident management including incident investigation and forensics;
- Information management in general;
- Information [security] risk management (partly covered by ISO/IEC 27005);
- Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
- IT!
- Internal audits and certification audits;
- Key management, plus the rest of cryptography;
- Log management, plus alarms and alerts;
- Metrics and management information management (partly covered by ISO/IEC 27004);
- Monitoring and oversight of the risk management and security arrangements;
- Patching, including emergency arrangements for urgent fixes;
- Performance and capacity management;
- Personnel/HR management including “onboarding” and “offboarding” (nasty neologisms!);
- Preventive and corrective actions;
- Quality management, especially quality assurance;
- Service management [organisations that are heavily process-oriented may be using ITIL/ISO 20000, in which case ISO/IEC 27013 is applicable];
- Supplier/vendor relationship management, including telecomms, Internet and cloud services, outsourced development, contract security guards, maintenance/servicing, professional services (consulting, contracting, accounting, tax advising) etc.;
- System and network [security] management;
- System/software development and testing ...
... and more.
Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organisations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
- Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
- Facilitating or encouraging process automation and innovation where applicable;
- Facilitating or encouraging use of existing processes, adapting them where necessary;
- Perhaps re-using effective ISMS processes elsewhere in the organisation;
- Managing the processes themselves e.g. management processes for monitoring, reviewing, evaluating and maintaining the ISMS processes, responding to changes, identifying and exploiting improvement opportunities etc.
It would be unfortunate if ISMS processes were perceived as distinct from normal operations, rather than being integral to the organisation’s routine activities. The process for managing an information security or privacy incident, for example, is essentially the same as that for managing any other incident, hence it is generally unnecessary to create an alternative incident management process if the existing one (perhaps with a few tweaks) is effective.

This page last updated: 11 February 2026
- ISO/IEC 27002 | ISO27001security
ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)

Abstract
ISO/IEC 27002 "provides a reference set of generic information security controls including implementation guidance. [ISO/IEC 27002] is designed to be used by organisations: (a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; (b) for implementing information security controls based on internationally recognized best practices; [and] (c) for developing organisation-specific information security management guidelines.” [Source: ISO/IEC 27002:2022]

Introduction
ISO/IEC 27002 is a popular international standard describing a generic selection of ‘good practice’ information security controls, typically used to mitigate unacceptable risks to the confidentiality, integrity and availability of information. It was based on British Standard BS 7799 in the mid-1990s, itself based on an oil company's proprietary information security manual. ISO/IEC 27002 is an advisory document, a guideline or recommendation rather than a formal specification such as ISO/IEC 27001. Organisations are advised to identify and evaluate their own information risks, selecting or designing and applying suitable information security controls to mitigate unacceptable risks using ISO/IEC 27002 and other relevant standards and sources for guidance.

Scope
Like governance and risk management, information security management is a broad topic with ramifications for all organisations. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, clubs, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information.
The specific information risks and hence control requirements differ in detail between organisations but there is a lot of common ground, for instance most organisations need to address information risks relating to their employees plus contractors, consultants and third party suppliers of various information and IT services such as networking and cloud computing. The standard is explicitly concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property) - not just IT/systems/network/cyber/digital security. It includes those, of course, but there's more to secure.

Structure
The standard lays out a ‘reference set’ of 93* generic information security controls with guidance, categorised into 4 main clauses or ‘themes’:
- 5: Organisational controls - a large and misleadingly-named catch-all group of 37* controls that don’t fit neatly into the following themes;
- 6: People controls - 8* controls involving or relating to people e.g. individuals’ behaviors, activities, roles and responsibilities, terms and conditions of employment etc.;
- 7: Physical controls - 14* tangible controls to secure tangible information assets;
- 8: Technological controls - 34* controls involving or relating to technologies, IT in particular.
The 93* controls are each tagged with one or more values for each of 5 attributes so they can be grouped, selected or filtered in other ways too. The attributes and attribute values are:
- Control type: preventive, detective and/or corrective - relating to stages of incidents at which the controls act;
- Information security properties: confidentiality, integrity and/or availability - which of these information characteristics they protect;
- Cybersecurity concepts: identify, protect, detect, respond and/or recover - a more detailed breakdown of the incident timeline;
- Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance - reflecting the structure used in the previous edition of this standard;
- Security domains: governance and ecosystem, protection, defence and resilience - another way to classify controls.
The control attribute tagging reflects these complexities:
- A given control may have several worthwhile applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people, and alternative suppliers/sources of necessary information services, as well as data backups);
- An unacceptable risk typically requires several controls (e.g. malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS, authentication, patching, testing, system integrity controls etc., while avoiding infection can be a powerful approach if bolstered with controls such as policies and procedures, blacklisting etc.);
- Many of the ‘controls’ identified in the standard are not atomic, being composed of several smaller elements or pieces (e.g. backups involve strategies, policies and procedures, software, hardware, testing, incident recovery, physical protection of backup media etc.).
Some of the themes and attributes are arbitrarily assigned: for example, a commercial card access lock on a building entrance may fall into any, arguably all four of the themes listed above, but if it and other such controls were covered several times, the standard would become unwieldy. More likely, it would be categorised as - primarily - a physical control, possibly with references to other elements. Organisations can usefully define and use their own attributes as well. ISO/IEC 27028 will soon provide guidance on that.
* Note: there are 21 fewer control clauses in the third edition than the second despite adding 11 new ones since several second edition control clauses were updated or merged. Each clause is in fact comprised of or incorporates numerous ‘atomic’ controls at a more detailed level of analysis. ISO/IEC 27002 notes or implies hundreds of detailed information security controls, in fact, way more than the nominal and often-stated total of “93”.

Status
The first edition was published in 2005. The second edition was published in 2013. The completely restructured and updated third edition was published in 2022. A Preliminary Work Item will explore the need for a revision of ISO/IEC 27002, assessing the relevance and applicability of the current set of controls and supporting guidance, and perhaps new ones. The intent is to reflect changes "in organizational practices, business, operations, technology and cyber-risks". The committee is also considering offering guidance on information security controls tailored for small organisations. A PWI will clarify the scope and purpose of such an SME infosec guideline, if indeed it gets enough support.

Commentary
In my considered opinion, one of the most distinctive, innovative and valuable features of the original Shell policy manual, the UK DTI Code of Practice/DISC standard PD003 and British Standard BS 7799 was that they explicitly addressed information security, recommending approaches and controls to secure information in any form - not just computer data, systems, apps, networks and technologies. The focus was clearly on protecting the intangible, vulnerable and valuable information content. Over the decades since ISO/IEC adopted it as an international standard, it has gradually evolved into a tech-centric IT, ICT or cyber-security standard. The third edition of ‘27002 continues along the same trajectory.
The third edition misses numerous opportunities to encourage users to consider their “information risks” in order to determine whether various controls are even needed to avoid or mitigate the risks, and if so what controls are appropriate, taking account of their effectiveness, costs, value, reliability etc. It is as if the controls laid out in the standard are not merely good practices worth considering under various circumstances, but required or mandatory to the extent that not implementing them might perhaps be considered inept, unprofessional or bad practice. There is a subtle presumption that most if not all the controls should be employed by all organisations, regardless of the diversity of organisations in scope and their differing information risks. This is misleading, and has remained an issue for several years.
I miss the ‘control objectives’ from BS 7799: these succinctly explained what the controls were expected to achieve, giving them a business-related purpose that was readily interpreted in the particular context of an individual organisation. If management accepted that an objective was valid, the controls were worth considering not in the sense of being obligatory or even recommended, so much as examples of the kinds of things that could be put in place to achieve the objective. In the third edition, the risk-based control objectives have become watered-down and often self-serving ‘purposes’, with little to no explicit reference to the organisation’s information risks that the suggested controls are supposed to mitigate - a retrograde step as far as I’m concerned ... potentially presenting an opportunity to fill in the gaps (watch this space!). However, some experts complained of ‘challenging conversations’ between auditors and management: I suspect the underlying issue there was a failure to understand the true nature of information risk and risk treatment options.
While the restructured third edition is readable and usable on paper, the tagging and cross-linking of controls strongly favours database applications (even something as simple as Excel) allowing users to filter or select and sort the controls by whatever criteria or questions they pose - for instance, “Which physical security controls are relevant to privacy?” or “What preventive controls do not involve technology?”. Given a suitable database application, the sequence is almost irrelevant compared to the categorisation, tagging and description of the controls. It will be interesting to see how this turns out.
I am dismayed that the standard has been infected with the “cyber” virus, begging questions about definition and interpretation. Some contributors wanted the standard to cover both information security and cybersecurity controls, implying that they consider those to be distinct domains, while others first want to understand the differences before classifying controls ... and I must say I’m in the second group. What is the true meaning and scope of “cybersecurity”, in fact?
Similarly, the committee hoped to resolve confusion over the meaning of “policy” in the second edition by distinguishing three variants or hierarchical levels in the third:
- “Information security policy” refers to the overall, high-level corporate policy at the peak of the classical policy pyramid, approved by ‘top management’. ‘Strategy’ might have been a better term for this, at the risk of creating yet more confusion, but the ISO management systems standard boilerplate requires 'policy', so 'policy' (singular) it is;
- “Topic-specific policy” refers to mid-level policies e.g. “topic-specific policies on access control and clear desk and clear screen” (the latter sounds, to me, more like a rule than a mid-level policy ... and indeed, as expressed by the project team, the topic-specific policy concept includes guidelines and rules, making this layer a blend, transition or link between the upper and lower levels). These are aligned with and support the high level policy, approved by ‘the appropriate management level’, and [within reason] may be adapted/interpreted locally by departments, business units etc. where their specific contexts (information risks, security requirements, business situations, locations etc.) differ from the overall corporate context;
- “Rule” is the lowest, most detailed/specific level, defined as an “accepted principle or instruction that states the organisation’s expectations on what should be done, what is allowed or not allowed” (I’m not sure an organisation, per se, can ‘expect’ anything, or should have expectations on rather than of something: in a corporate context, rules are generally imposed by management on behalf of the organisation and its stakeholders ... but this definition was a bone of contention within SC 27 so a compromise is needed).

This page last updated: 14 April 2026
- ISO/IEC 27042 | ISO27001security
ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition)

Abstract
“ISO/IEC 27042:2015 provides guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility, and repeatability. ...” [Source: ISO/IEC 27042:2015]

Introduction
The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardisation will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

Scope
As the title suggests, this standard offers guidance on the process of analysing and interpreting digital evidence, which is of course just a part of the forensics process. It lays out a generic framework encapsulating good practices in this area. Aside from the standard evidential controls (maintaining the chain of custody, scrupulous documentation etc.), the standard emphasizes the integrity of the analytical and interpretational processes such that different investigators working on the same digital evidence ought to come up with essentially the same results - or at least any differences should be traceable to choices they made along the way. Given the volume, variety and complexity of digital evidence these days, that’s quite a challenge, hence the drive for standardization, good practices, common terminology and sound, rational approaches.
The standard touches on issues such as the selection and use of forensic tools, plus proficiency and competency of the investigators.

Structure
Main clauses:
5: Investigation
6: Analysis
7: Analytical models
8: Interpretation
9: Reporting
10: Competence
11: Proficiency
Annex A: Examples of Competence and Proficiency Specifications

Status
The current first edition was published in 2015 and confirmed unchanged in 2021.

Commentary
I am puzzled why SC 27 publishes and maintains several distinct forensics standards covering different aspects of forensics, when they are in reality complementary parts of the same process:
- ISO/IEC 27037 concerns the initial capturing of digital evidence.
- ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics e.g. ensuring that the appropriate methods and tools are used properly.
- This standard covers what happens after digital evidence has been collected i.e. its analysis and interpretation.
- ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
- ISO/IEC 27050 (in 4 parts) concerns electronic discovery ... which is pretty much what the other standards cover.
- British Standard BS 10008 “Evidential weight and legal admissibility of electronically stored information (ESI), Specification.” may also be of interest.
I understand the decision not to integrate this content into ISO/IEC 27037 but a multi-part standard would make more sense to me personally, with an overview part 1 explaining how the jigsaw pieces fit together. The editors rejected such a proposal, claiming that it was considered and rejected when the forensics standards development projects were launched. So, sorry valued customers, it seems you will have to buy and correlate multiple standards if you choose to adopt the complete ISO27k forensics suite.

This page last updated: 22 February 2026
- ISO/IEC TR 27109 | ISO27001security
ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]

Abstract
?? None yet

Introduction
It appears the standard intends to address the claimed dire global shortage of cybersecurity professionals, hopefully increasing the supply of newly-minted professionals to the market by suggesting standard curricula for educators offering college and university courses etc. Maybe.

Scope
?? Too early to say

Structure
The standard may:
- Cover cybersecurity awareness (?), training and education;
- Suggest common/standard education and training curricula in this area;
- List/mention applicable national guidance, strategies or regulations.

Status
A Technical Report is in preparation. It was originally to be published in 2024 but the project was extended to 2026 for ‘additional technical work’. The standard development project missed its extended deadlines and so was cancelled in September 2025 ... but was magically rejuvenated as another 3-year project (I have no idea how that works!)

Commentary
The standard will hopefully complement rather than replace ISO/IEC 27021 concerning competencies required of ISMS professionals. ISO/IEC JTC 1/SC 27 is collaborating with another committee on ‘cybersecurity competence’. If national guidelines are to be listed in this standard, the details will need to be collated and managed indefinitely, implying a stream of maintenance updates to keep the standard reasonably accurate and current. Why is such an approach even being considered? Most other international standards don’t attempt to list national aspects except perhaps as examples.

This page last updated: 26 January 2026
- ISO/IEC 27402 | ISO27001security
Back Up Next ISO/IEC 27402 ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements [first edition] Up Abstract ISO/IEC 27402 "provides baseline requirements for IoT devices to support security and privacy controls.” [Source: ISO/IEC 27402:2023] Introduction ISO/IEC 27400 describes commonplace information risks relevant to consumer and industrial IoT devices (things ) plus the associated network/cloud services, introducing the corresponding ICT security and privacy controls for the manufacturers and the users. In practice, however, as insecure things have been proliferating rapidly, the risks have generally increased. As an international standard, ISO/IEC 27402 is intended to ensure that all things at least provide a common set of foundational capabilities and functionality. IoT manufacturers using the suggested information risk management processes can build upon the standardised foundation, providing additional controls addressing the information risks relevant to various industrial and consumer applications. Scope The standard concerns basic information security and privacy controls for things . Structure Main clauses: 4: Overview - 1 paragraph 5: Requirements - for a cybersecurity and privacy baseline Annex: Risk management guidance based on ISO 31000 Status The current first edition was published in 2023 . Commentary The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging and yet important, arguably essential. Rapid innovation and intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard and ISO) ... unless a sufficient proportion of industrial and general consumers start inquiring about the security and privacy controls for IoT, voting with their budgets and wallets. 
The approach taken is to specify only a few fundamental information security and privacy controls in this 'horizontal' baseline standard (such as an information risk management process involving the identification, evaluation and treatment of information risks), with the intention of developing further standards specifying additional requirements for particular industry 'verticals', building on the generic baseline. It is anticipated that additional security controls will be required and defined in further standards for specific applications (e.g. for medical or vehicular things).

Noticeably absent from SC 27's strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee has thus far focused on getting appropriate security and privacy controls specified. As the controls are gradually designed and integrated into things (hopefully!), advice on the associated operational aspects may yet follow (possibly!).

This page last updated: 12 February 2026
- ISO/IEC 27033-1 | ISO27001security
ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition)

Abstract
ISO/IEC 27033 part 1 "provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services, and end-users, in addition to security of the information being transferred across the communication links.) ... Overall it provides an overview of this International Standard and a 'road map' to all other parts." [Source: ISO/IEC 27033-1:2015]

Introduction
Part 1 revised and replaced ISO/IEC 18028 part 1. It provides:
- A roadmap and overview of the concepts and principles underpinning the remaining parts of ISO/IEC 27033.
- A glossary of information security terms specific to networking.
- Guidance on a structured process to identify and analyse network security risks and hence define network security control requirements, including those mandated by relevant information security policies.
- An overview of the controls supporting network technical security architectures and related technical controls, as well as non-technical controls plus other technical controls that are not solely related to network security (thus linking to ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005 plus other ISO27k standards as they are released).

Scope
Extends the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 27002 etc. by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general information security management issues and the specifics of implementing largely technical network security controls (e.g. firewalls, IDS/IPS, message integrity controls etc.).
Structure
Main clauses:
- 6: Overview
- 7: Identifying risks and preparing to identify security controls
- 8: Supporting controls
- 9: Guidelines for the definition and implementation of network security
- 10: Reference network scenarios - risks, design techniques and control issues
- 11: 'Technology' topics - risks, design techniques and control issues
- 12: Develop and test security solution
- 13: Operate security solution
- 14: Monitor and review solution implementation
- Annex A: Cross-reference between ISO/IEC 27001 Annex A and ISO/IEC 27002 network security-related controls and ISO/IEC 27033-1
- Annex B: Example template for a SecOPs document

Status
ISO/IEC 27033-1 revised and replaced ISO/IEC 18028-1, which in turn superseded ISO/IEC TR 13335-5. The first edition was published in 2009. The current second edition was published in 2015 and confirmed unchanged in 2021. An extended scope for the ISO/IEC 27033 network security standards is under consideration to catch up with recent and emerging technologies such as cloud computing, zero trust, IoT and AI. Consequently the initial routine standards revision project was stopped and restarted at Preliminary Work Item (PWI) stage in 2025.

Commentary
Part 1 mentions requirements such as non-repudiation and reliability in addition to the classical CIA triad (confidentiality, integrity and availability). It provides a reasonably technical overview of network security despite barely any reference to the OSI or TCP/IP network stacks!

At present, the ISO/IEC 27033 standards are largely (entirely?) concerned with digital data networks, but there are other kinds of networks - such as business networks, social networks, professional networks, criminal networks and socio-political/cultural networks - all with differing risks and security concerns. So, should the ISO/IEC 27033 set be extended to cover those too? If so, how?
It is not exactly obvious what kinds of guidance might usefully be offered in these other areas - in fact, formally speaking, it is not even entirely clear what 'networks' are. Anyway, that's something to bear in mind. SC 27, meanwhile, tends to stick to the knitting, i.e. IT/cyber security, in accordance with its defined scope.

Furthermore, I feel the information risk and security aspects of industrial shop-floor Operational Technology (OT) networks are inadequately covered by current ISO/IEC 27033 standards, a significant omission. The networking protocols, risks and controls vary, while the gradual convergence of IT and OT is bound to affect network security in both domains.

This page last updated: 23 February 2026
- ISO/IEC 27566-2 | ISO27001security
ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [Draft]

Abstract
ISO/IEC 27566 part 2 "describes different technical approaches suitable in different ecosystems for age assurance systems and guidance for their implementation." [Source: Draft]

Introduction
ISO/IEC 27566 part 2 "provides technical guidance for implementing age assurance systems in a consistent and modular manner. It supports the practical application of the framework defined in Part 1 by identifying technical components, implementation approaches, and context-specific trade-offs. This enables privacy-respecting, effective, and policy-aligned age assurance across diverse digital and physical environments." [Source: Preliminary Work Item]

Part 2 bridges the foundational concepts in part 1 to the analytical approaches in part 3.

Scope
ISO/IEC 27566 part 2 "includes guidance for considering the characteristics of various approaches and for making trade-offs when selecting approaches for different users, actors and use cases.
The document describes different technical approaches suitable in different ecosystems for the implementation of age assurance systems or of age assurance components" [Source: Preliminary Work Item]

Structure
Main clauses [from initial draft]:
- 5: Principles carried forward from part 1
- 6: Relating context of use to implementation choices
- 7: Major contexts of use
- 8: Selecting components
- 9: Specifying requirements for procurement
- 10: Documenting operational practice statements and evidence
- Annex A: Commonalities of age assurance methods and interaction models
- Annex B: Common concerns related to common sub-contexts of use
- Annex C: Enrolment, user account management, and wallet management
- Annex D: Relationship to part 3
- Annex E: Examples of trade-off choices during design of age assurance systems
- Annex F: Examples of practice statements

Status
The PWI was approved in February 2025, so part 2 is officially at Working Draft stage.

Commentary
'Context of use' refers - I think - to the particular business situation in which some form of age assurance is needed. Since these vary, the standard explains how to identify, determine and evaluate relevant requirements and parameters driving the design of the age assurance approach, e.g. how important is assurance to verify a person's true age? It then offers guidance on how to go about satisfying the requirements by selecting and implementing appropriate age assurance methods and technologies.

This page last updated: 13 February 2026
