- ISO/IEC 27036-1 | ISO27001security
ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)

Abstract
ISO/IEC 27036 part 1 “is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. [ISO/IEC 27036] addresses perspectives of both acquirers and suppliers.” [ISO/IEC 27036-1:2021]

Introduction
ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of IT products (goods and services) from suppliers. The standards avoid referring to selling and buying since the issues are much the same whether the transactions are commercial or not, e.g. when one part of an organisation or group acquires IT products from another, or uses free/open-source products.

Scope
Part 1 introduces all parts of this standard, providing general background information such as the key terms and concepts around information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”

Structure
Main sections:
5: Problem definition and key concepts
6: Overall ISO/IEC 27036 structure and overview

Status
The first edition of part 1 was published and made available for free in 2014. The second edition was published in 2021 but is no longer free, unfortunately.
Commentary
Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation, i.e. acquirers gaining access to suppliers’ internal information, is not explicitly mentioned in part 1 but is noted in part 2.] The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered, e.g. disclosure and theft of sensitive intellectual property.]

Within the ISO27k information security standards, the products most obviously covered by ISO/IEC 27036 include:
- IT outsourcing and cloud computing services;
- Other professional services, e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;
- Provision of ICT hardware, software and services including telecommunications and Internet services;
- Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);
- Electricity to power ICT equipment.

The ISO/IEC 27036 standards therefore could cover:
- Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;
- Information risks such as:
  - Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);
  - Physical and logical access to and protection of second and third party information assets;
  - Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;
  - Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
  - Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;
  - ... and more.
- Information security controls such as:
  - Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;
  - Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
  - Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;
  - Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
  - Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);
  - Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
  - A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
  - ... and more.
- The entire relationship lifecycle:
  - Initiation: scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;
  - Definition of requirements, including the information security requirements, of course;
  - Procurement, including evaluating, selecting and contracting with supplier/s;
  - Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;
  - Operation, including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;
  - Refresh: an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
  - Termination and exit, i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.

Some - but not all - of this is covered by ISO/IEC 27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

This page last updated: 19 November 2025
- ISO/IEC 27034-7 | ISO27001security
ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition)

Abstract
ISO/IEC 27034 part 7 “describes the minimum requirements when the required activities specified by an Application Security Control (ASC) are replaced with a Prediction Application Security Rationale (PASR). The ASC mapped to a PASR define the Expected Level of Trust for a subsequent application. In the context of an Expected Level of Trust, there is always an original application where the project team performed the activities of the indicated ASC to achieve an Actual Level of Trust. The use of Prediction Application Security Rationales (PASRs), defined by [ISO/IEC 27034-7], is applicable to project teams which have a defined Application Normative Framework (ANF) and an original application with an Actual Level of Trust. Predictions relative to aggregation of multiple components or the history of the developer in relation to other applications is outside the scope of [ISO/IEC 27034-7].” [Source: ISO/IEC 27034-7:2018]

Introduction
Part 7 specifies a framework to deliver the assurance necessary to place trust in a computer program’s security arrangements, for example:
- When one program (such as an application) relies on another (e.g. a database management system, utility, operating system or companion program) to perform critical security functions (such as user authentication, logical access control or cryptography), or
- When an organisation updates or patches a trusted program.

Scope
Specifies minimum requirements when the required activities specified by an Application Security Control are replaced with a Prediction Application Security Rationale. The ASC mapped to a PASR defines the Expected Level of Trust for a subsequent application. The use of PASRs is applicable to project teams which have a defined Application Normative Framework and an original application with an Actual Level of Trust.

Structure
Main sections:
5: Prediction concepts
6: Predictions
7: Substantial changes
8: Confidence
9: Prediction application security rationale
10: PASR audit
11: PASR Verification
12: PASR implementation
13: Expected level of trust report
Annex A: Expected level of trust assurance case
Annex B: Comparison of ASC to PASR

Status
The current first edition of part 7 was published in 2018 and confirmed unchanged in 2023.

Commentary
The language in part 7 is decidedly formal and stilted (e.g. “An application security claim is a claim that the application team implemented certain security controls and those controls mitigate specific security risks to an acceptable level. A security prediction is the transfer of confidence in the original claim to a claim that the same security controls are also present in a subsequent version of the application and mitigate, to the same acceptable level, the same specific security risks.” - got that?). It falls a long way short of ISO’s guidance on plain English.

This page last updated: 19 November 2025
- ISO/IEC TR 27550 | ISO27001security
ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)

Abstract
ISO/IEC TR 27550 "provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into system life cycle processes. ...” [Source: ISO/IEC TR 27550:2019]

Introduction
‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

Scope
This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

Structure
Main sections:
5: Privacy engineering
6: Integration of privacy engineering in ISO/IEC/IEEE 15288
Annex A: Additional guidance for privacy engineering objectives
Annex B: Additional guidance for privacy engineering practice
Annex C: Catalogues
Annex D: Examples of risk models and methodologies
The standard:
- Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.;
- Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;
- Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;
- Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

Status
The current first edition was published as a Technical Report in 2019.

Commentary
The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not limited to the technology.

This page last updated: 19 November 2025
- ISO/IEC 27034-5 | ISO27001security
ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition)

Abstract
ISO/IEC 27034 part 5 "outlines and explains the minimal set of essential attributes of Application Security Controls (ASCs) and details the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM).” [Source: ISO/IEC 27034-5:2017]

Introduction
The ability to share and reuse properly specified, developed and assured application security functions is a powerful, efficient and effective approach to software development.

Scope
Part 5 facilitates the establishment of libraries of reusable application security functions that may be shared both within and between organisations.

Structure
Main sections:
5: Application Security Control Structure
6: Application Security Life Cycle Reference Model
7: ASC Package

Status
The current first edition of part 5 was published in 2017 and confirmed in 2023.

Commentary
Part 5 facilitates the implementation of the ISO/IEC 27034 application security framework and the communication and exchange of ASCs by defining a formal structure for ASCs and certain other components of the framework. It defines the Application Security Controls data structure, providing requirements, descriptions, graphical representations and XML schema for the data model. The XML schema, based on ISO/TS 15000 “Electronic business eXtensible Markup Language (ebXML)”, is designated as the standard interchange format for ASCs. It lays out a minimal set of essential attributes of ASCs and the Application Security Life Cycle Reference Model.

Note: the accompanying standard ISO/IEC TS 27034-5-1:2018 — Information technology — Security techniques — Application security — Part 5-1: Protocols and application security controls data structure, XML schemas (first edition) "defines XML Schemas that implement the minimal set of information requirements and essential attributes of ASCs and the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM) from ISO/IEC 27034-5.” [Source: ISO/IEC TS 27034-5-1:2018]

This page last updated: 19 November 2025
- ISO/IEC 27091 | ISO27001security
ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]

Abstract
[ISO/IEC 27091] "provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems, including machine learning (ML) models. [ISO/IEC 27091] helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences and treatment of such risks. ..." [Source: ISO/IEC 27091 Draft International Standard]

Introduction
By gathering and processing substantial quantities of information (maybe even 'big data'), AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people, or inferring sensitive details - unless appropriate privacy arrangements are made.

Scope
The standard applies to all manner of organisations that develop or use AI systems. The focus is on mitigating privacy risks by integrating suitable privacy controls into the design of AI/Machine Learning systems. Business decisions about whether it is even appropriate to design, build, use and connect AI systems and services at all, plus general considerations for information risk and security management (e.g. ensuring data accuracy plus system/services resilience, and dealing with incidents) are largely or completely out of scope.

Structure
Main sections:
5: Framework for privacy analysis of AI systems - gives an overview of the classical information risk management process, i.e. identify, analyse, evaluate and treat privacy risks.
6: Privacy of AI models - discusses a few well-known AI system 'privacy threats' (modes of attack that are relevant to privacy, e.g. membership inference, training data extraction, poisoning, model inversion, insider risk ...) with generic advice on mitigating controls (e.g. limiting access, anonymisation and pseudonymisation, input and output filtering).
7: Privacy in AI system lifecycle - privacy engineering.
Annex A: Additional information for privacy analysis of AI systems.
Annex B: Use case template

Status
The standard development project started in 2023. The standard is essentially complete, presently at Draft International Standard (DIS) stage, with national standards bodies due to vote before the end of February 2026. It looks likely to be published during 2026.

Commentary
The standard's risk-based approach makes sense, but (as with so much AI security-related work at the moment) the scope, focus or perspective feels rather academic and constrained to me. The standard does not, in my admittedly jaundiced opinion, adequately address or acknowledge the bigger picture here, e.g.:
- Broader aspects of information risk and security management such as strategies, policies, architectures, compliance, change and incident management, including the extent to which those activities address privacy, specifically [the standard refers to ISO/IEC 27090 for this - currently also in draft];
- 'Classical' information risks, threats, attacks, vulnerabilities, impacts and consequences that just happen to involve AI, such as smart phishing, smart malware, smart fraud, smart piracy etc. using AI systems, services and tools for nefarious purposes including coercion, misinformation and disinformation - with incidental and indirect rather than central and direct privacy implications;
- Societal aspects such as the continued erosion of trust and control over our personal information as it is increasingly being demanded, requested, gathered, shared and exploited, including by various authorities, both openly and covertly, systematically, at scale;
- The longstanding disparity of privacy approaches between most of the world (with GDPR and OECD guidance essentially giving individuals rights to retain ownership and control of their own personal information in perpetuity), and the USA in particular (where it seems personal information can be gathered, shared and exploited commercially by whoever holds it, similarly to other types of information, with little reference to the individuals concerned);
- Compliance, commercial, technological and practical implications if, say, the individuals whose personal information has been used for model training decide to withdraw their consent and (under GDPR) insist that their information is deleted and no longer used, or insist on corrections being made;
- Innovation and novelty of all this, meaning that collectively we have quite a journey ahead towards maturity, with anticipated and surprising incidents ('learning points') likely along the way - such as people naively building and using advanced AI systems without reference to applicable laws, regulations, policies and practices ('shadow AI'), and the race towards Artificial General Intelligence;
- Commercial aspects such as the intense competition within the AI industry, and what will happen with potentially valuable AI models, big data and metadata if AI companies implode or are taken over, possibly but not necessarily just when the AI bubble bursts.

However, the standard does usefully discuss the use of AI to support:
- Privacy consent management and control;
- Privacy-Enhancing Technologies such as cryptographic authentication, encryption and anonymisation, pseudonymisation and data minimisation (a nod towards risk avoidance);
- Privacy assurance such as auditing, monitoring, detecting and responding to privacy violations;
- Security for AI models and federated learning, including access control and identity management;
- Natural Language Processing for data privacy policies.

This page last updated: 6 December 2025
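One of the section 6 'privacy threats' listed above, membership inference, and one of the listed controls, output filtering, made concrete. This is an added example, not code from ISO/IEC 27091 or from ISO27001security: the records, the deliberately memorising nearest-neighbour model, the confidence formula and the attacker's threshold are all constructed assumptions chosen so the leak is visible in a few lines.

```python
"""Membership inference against a memorising classifier, and an output-filtering control.

Added example; not from ISO/IEC 27091 or ISO27001security. The data, the toy model and the
attacker's threshold are assumptions chosen so the effect is visible in a few lines.
"""
import math

# Constructed records: 2-D feature vectors with a class label. MEMBERS were used for training;
# NON_MEMBERS come from the same distribution but were never seen by the model.
MEMBERS = [
    ((1.0, 1.0), "A"), ((1.5, 0.5), "A"), ((0.5, 1.5), "A"),
    ((5.0, 5.0), "B"), ((5.5, 4.5), "B"), ((4.5, 5.5), "B"),
]
NON_MEMBERS = [
    ((1.3, 1.3), "A"), ((0.7, 0.8), "A"), ((1.2, 0.6), "A"),
    ((5.3, 5.3), "B"), ((4.7, 4.8), "B"), ((5.2, 4.6), "B"),
]


def _distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def train(records):
    """A 1-nearest-neighbour model 'trains' by memorising its records: overfitting in its purest form."""
    return list(records)


def predict_raw(model, x):
    """Return (label, confidence), confidence = 1 / (1 + distance to the nearest training record).
    A record that was in the training set scores exactly 1.0; that is the leak the attacker exploits."""
    point, label = min(model, key=lambda r: _distance(r[0], x))
    return label, 1.0 / (1.0 + _distance(point, x))


def predict_filtered(model, x):
    """Output filtering: same label, but the confidence is coarsened to two buckets before release."""
    label, conf = predict_raw(model, x)
    return label, "high" if conf >= 0.5 else "low"


def guess_member(output, threshold=0.99):
    """Attacker's rule using only what the prediction API returns: near-certain confidence implies
    the record was memorised. Against the filtered API only the bucket is visible."""
    _, conf = output
    if isinstance(conf, str):
        return conf == "high"
    return conf >= threshold


def attack_accuracy(predict, model, members, non_members):
    """Fraction of records whose membership the attacker guesses correctly (0.5 is chance)."""
    correct = sum(guess_member(predict(model, x)) for x, _ in members)
    correct += sum(not guess_member(predict(model, x)) for x, _ in non_members)
    return correct / (len(members) + len(non_members))


if __name__ == "__main__":
    model = train(MEMBERS)
    print("raw API:     ", attack_accuracy(predict_raw, model, MEMBERS, NON_MEMBERS))
    print("filtered API:", attack_accuracy(predict_filtered, model, MEMBERS, NON_MEMBERS))
```

Against the raw API the attacker separates members from non-members perfectly; against the bucketed API every query looks alike and the attack falls to chance. Coarsening outputs is not a complete answer (attacks that use only the predicted label also exist), which is why the standard pairs it with limiting access to the model and anonymising or pseudonymising the training data.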
- ISO/IEC 27035-2 | ISO27001security
ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)

Abstract
ISO/IEC 27035 part 2 “provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the plan and prepare and learn lessons phases of the information security incident management phases model presented in [part 1 clauses] 5.2 and 5.6 ...” [Source: ISO/IEC 27035-2:2023]

Introduction
Part 2 concerns assurance that the organisation is in fact ready to respond appropriately to information security incidents that may yet occur.

Scope
Part 2 covers the Plan and prepare and Learn lessons phases of the process laid out in part 1.

Structure
Main sections:
4: Information security incident management policy
5: Updating of information security policies
6: Creating information security incident management plan
7: Establishing an incident management capability
8: Establishing internal and external relationships
9: Defining technical and other support
10: Creating information security incident awareness and training
11: Testing the information security incident management plan
12: Learn lessons
... plus annexes with example forms, incident categorization approaches, and notes on ‘legal and regulatory requirements’ (mostly privacy).

Status
The first edition of part 2 was published in 2016. Having been revised for ISO/IEC 27002:2022 and with a new clause 8, the second edition was published in 2023.

Commentary
This part of ISO/IEC 27035 addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future.

This page last updated: 19 November 2025
- ISO/IEC 27033-7 | ISO27001security
ISO/IEC 27033-7:2023 Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition)

Abstract
ISO/IEC 27033 part 7 "aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, [ISO/IEC 27033-7] intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.” [Source: ISO/IEC 27033-7:2023]

Introduction
This standard started out as ISO/IEC 5188 before being absorbed into ISO27k.

Scope
As part of the network security standard ISO/IEC 27033, part 7 concerns the information risks and security controls applicable to virtualisation of networks.

Structure
Main sections:
5: Overview
6: Security threats
7: Security recommendations
8: Security controls
9: Design techniques and considerations
Annex A: Use cases of network virtualization
Annex B: Detailed security threat description of network virtualization

Status
The current first edition of part 7 was published in 2023.

Commentary
The standard outlines some “security threats” or “security issues” - generic examples of types of incident (such as “Insider attacks: an administrator tampers image or changes security configurations”) - but does not explain which information security controls address the identified “security threats/issues”, nor conversely which information risks the suggested information security controls are intended to mitigate: there is no cross-referencing between the two, hence it is unclear how users are meant to identify, select or prioritise whichever controls are most appropriate for their situations. So much for the “implementation guidelines”!

This page last updated: 19 November 2025
- ISO/IEC TR 27109 | ISO27001security
ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]

Abstract
?? None yet

Introduction
It appears the standard intends to address the claimed dire global shortage of cybersecurity professionals, hopefully increasing the supply of newly-minted professionals to the market by suggesting standard curricula for educators offering college and university courses etc. Maybe.

Scope
?? Too early to say

Structure
The standard may:
- Cover cybersecurity awareness (?), training and education;
- Suggest common/standard education and training curricula in this area;
- List/mention applicable national guidance, strategies or regulations.

Status
A Technical Report is in preparation. It was originally to be published in 2024 but the project was extended to 2026 for ‘additional technical work’. The standard development project missed its extended deadlines and so was cancelled in September 2025 ... but was magically rejuvenated as another 3-year project (I have no idea how that works!)

Commentary
The standard will hopefully complement rather than replace ISO/IEC 27021 concerning competencies required of ISMS professionals. ISO/IEC JTC 1/SC 27 is collaborating with another committee on ‘cybersecurity competence’. If national guidelines are to be listed in this standard, the details will need to be collated and managed indefinitely, implying a stream of maintenance updates to keep the standard reasonably accurate and current. Why is such an approach even being considered? Most other international standards don’t attempt to list national aspects except perhaps as examples.

This page last updated: 19 November 2025
- ISO/IEC 27039 | ISO27001security
ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operation of intrusion detection and prevention systems (IDPS) (first edition)

Abstract
“ISO/IEC 27039:2015 provides guidelines to assist organisations in preparing to deploy intrusion detection and prevention systems (IDPS). In particular, it addresses the selection, deployment, and operations of IDPS. It also provides background information from which these guidelines are derived.” [Source: ISO/IEC 27039:2015]

Introduction
Intrusion Detection Systems are largely automated systems for identifying attacks on and intrusions into a network or system by hackers and raising the alarm. Intrusion Prevention Systems take the automation a step further by automatically responding to certain types of identified attack, for example by closing off specific network ports through a firewall to block identified hacker traffic. IDPS refers to either type.

Scope
The scope states “This International Standard provides guidelines to assist organisations in preparing to deploy Intrusion Detection Prevention System (IDPS). In particular, it addresses the selection, deployment and operations of IDPS. It also provides background information from which these guidelines are derived.” Well designed, deployed, configured, managed and operated IDPS are valuable in several respects, for example:
- Automation leverages scarce security engineers who would otherwise have to monitor, analyse and respond to network security incidents as best they could;
- Automation tends to speed up identification and response to attacks, particularly common types of attack that can be identified unambiguously through unique attack signatures;
- They give additional assurance to management that security issues on the networks and networked systems are being identified and mitigated.
The standard is, in effect, an IDPS implementation guide and advisory.
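The detection-versus-prevention distinction above, in code. This is an added example, not from ISO/IEC 27039 or ISO27001security: the access-log lines are constructed (RFC 5737 documentation addresses), the three signatures and the iptables rule format are assumptions, and the point it makes is the one a practitioner cares about: only unambiguous signatures are allowed to trigger an automatic block, while a deliberately broad signature (anything mentioning "passwd") is kept detect-only because auto-blocking on it would cut off a legitimate user reading a password-policy page.

```python
"""Signature-based detection with an automated blocking response, run over constructed log lines.

Added example; not from ISO/IEC 27039 or ISO27001security. The log lines, signatures and
the rule format are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    auto_block: bool  # True: prevention (IPS) response; False: detect and alert only (IDS)


# Assumed signature set. The last one is deliberately over-broad, so it is detect-only:
# auto-blocking on it would cut off legitimate users who merely fetch a page about passwords.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE), True),
    Signature("sqli-tautology",
              re.compile(r"(%27|')(%20|\s)*or(%20|\s)+1(%3d|=)1", re.IGNORECASE), True),
    Signature("sensitive-file-name", re.compile(r"passwd", re.IGNORECASE), False),
]

# Common Log Format: source address, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2025:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Dec/2025:10:00:03 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 880',
    '192.0.2.5 - - [01/Dec/2025:10:00:04 +0000] "GET /docs/passwd-policy.html HTTP/1.1" 200 2048',
    'not a log line at all',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, signatures=SIGNATURES):
    """IDS step: return (source, signature name) for every signature hit, one per match."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input must not crash the sensor
        for sig in signatures:
            if sig.pattern.search(rec["path"]):
                alerts.append((rec["src"], sig.name))
    return alerts


def respond(alerts, signatures=SIGNATURES):
    """IPS step: sources to block, but only for signatures marked safe to act on automatically."""
    blockable = {s.name for s in signatures if s.auto_block}
    return {src for src, name in alerts if name in blockable}


def firewall_rules(blocked):
    """Render the response as firewall rules (iptables syntax assumed; not executed here)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for src, name in found:
        print(f"ALERT {name} from {src}")
    for rule in firewall_rules(respond(found)):
        print(rule)
```

Run as written, four alerts are raised but only two sources are blocked: 192.0.2.5 trips the broad signature and is reported to an analyst rather than dropped. That split between what a signature is allowed to alert on and what it is allowed to act on is where most of the tuning effort in a real IDPS deployment goes.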
Structure
Three main sections comprise the bulk of the standard’s ~50 pages:
- Selection of IDPS - various IDPS types, complementary tools etc. to consider (in some detail, expanded still further in the annex);
- Deployment of IDPS;
- IDPS operations.

Status
The current first edition was published in 2015, “revising and canceling” (i.e. replacing) ISO/IEC 18043:2006. A technical corrigendum in 2016 corrected the title of the published standard, introducing “and prevention” that somehow got lost. The standard was confirmed unchanged in 2020. It is up for periodic review again in 2025 ...

Commentary
I had hoped the standard would mention, in addition to the network security risks that they are meant to address, various information risks and issues associated with or introduced by the IDPS themselves, such as:
- They are technologically advanced and complex, making them difficult to configure, deploy and use effectively, hence there is a risk that they may be incorrectly configured, deployed or used in practice, with various consequences on the organisation and other systems. Furthermore, they probably introduce additional technical security vulnerabilities into the very networks and/or systems they are supposed to protect;
- They may adversely affect network traffic, restricting legitimate traffic and hence normal use of the network and systems, as well as hacking traffic;
- They are not 100% capable, meaning that certain types or modes of attack (particularly novel ones) may not be reliably identified and hence blocked, potentially creating a false sense of security (inappropriate assurance);
- They can only detect and react to available information, making them blind and deaf to attacks that bypass the networks and systems being monitored (including, for example, social engineering and physical intrusion attacks);
- They usually require network bandwidth, processing and storage capacity for their own operations and record-keeping, and require hooks into the networks and systems being monitored and/or controlled, impinging upon normal use;
- They are complicated to configure and manage for best effect, requiring the involvement of competent security engineers who, potentially at least, may themselves be hackers;
- They require privileged access to network traffic, network devices and/or systems, and could potentially be misused as a vector or mechanism to compromise them.
However, it does not ...

This page last updated: 6 December 2025
- ISO/IEC 27551 | ISO27001security
ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)

Abstract
ISO/IEC 27551 "provides a framework and establishes requirements for attribute-based unlinkable entity authentication (ABUEA).” [Source: ISO/IEC 27551:2021]

Introduction
Attribute-Based Unlinkable Entity Authentication is a mechanism for authenticating unfamiliar parties through the services of a mutually-trusted third party, whilst maintaining privacy of the authenticated. ‘Unlinkable’ refers to the need to be able to handle and process personal information anonymously, in a way that precludes being able to identify the original data subjects from the information being communicated and processed.

Scope
The standard describes a framework and requirements for ABUEA - a way of avoiding the privacy leakage that can occur when (for instance) we use Internet sites, providing different information to each one or on each occasion, giving the possibility of linking our disparate disclosures back to us, specifically.

Structure
Main sections:
5: General objectives of attribute-based entity authentication
6: Properties of attribute-based entity authentication protocols
7: Unlinkability properties of attribute-based entity authentication protocols
8: Attributes
9: Requirements for level N attribute-based unlinkable entity authentication
Annex A: Formal definitions for security and unlinkability notions
Annex B: Examples of attribute-based entity authentication protocols
Annex C: ABUEA with OpenID & FIDO
Annex D: Use cases for attribute-based unlinkable entity authentication

Status
The current first edition was published in 2021.

Commentary
It would be a challenge to rewrite this standard in accordance with ISO’s version of plain English, given such a deep dive into the technology.

This page last updated: 19 November 2025
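The linkage problem described in the Scope above (the same person's disclosures to several sites being joined back together) and the trusted-third-party arrangement from the Introduction, shown as a small protocol between an issuer and two relying parties. This is an added example, not from ISO/IEC 27551 or ISO27001security: the issuer secret, per-relying-party keys, user record, fixed year and token layout are all constructed assumptions, and HMAC tags stand in for the issuer's digital signature so that only the Python standard library is needed. The pairwise-pseudonym idea is the one OpenID Connect calls a pairwise subject identifier, which is the kind of integration the standard's Annex C concerns.

```python
"""Pairwise pseudonymous identifiers with minimised attribute disclosure, as one concrete form of
unlinkable attribute-based authentication through a trusted third party.

Added example; not from ISO/IEC 27551 or ISO27001security. Keys, the user record, the year and
the token format are assumptions; HMAC tags stand in for the issuer's signature so the example
needs only the standard library.
"""
import hashlib
import hmac
import json

CURRENT_YEAR = 2025  # fixed so the example is deterministic
ISSUER_SECRET = b"constructed-issuer-master-secret"  # known only to the trusted third party
RP_KEYS = {  # a distinct verification key shared between the issuer and each relying party
    "shop.example": b"constructed-key-shop",
    "forum.example": b"constructed-key-forum",
}
USERS = {"alice": {"birth_year": 1990, "citizenship": "NZ"}}  # constructed record held by the issuer


def pairwise_pseudonym(user_id, relying_party):
    """Each relying party gets its own identifier for the same person, derived from a secret only
    the issuer holds, so two parties cannot join their records on it."""
    msg = f"{relying_party}|{user_id}".encode()
    return hmac.new(ISSUER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def derive_attributes(record, requested):
    """Data minimisation: release predicates (over_18) rather than the raw value (birth_year)."""
    out = {}
    for name in requested:
        if name == "over_18":
            out[name] = CURRENT_YEAR - record["birth_year"] >= 18
        elif name == "citizenship":
            out[name] = record["citizenship"]
        else:
            raise ValueError(f"unsupported attribute: {name}")
    return out


def _tag(payload, key):
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue(user_id, relying_party, requested):
    """Issuer side: after authenticating the user (assumed done), emit a token for one audience."""
    payload = {
        "aud": relying_party,
        "sub": pairwise_pseudonym(user_id, relying_party),
        "attrs": derive_attributes(USERS[user_id], requested),
    }
    return {**payload, "tag": _tag(payload, RP_KEYS[relying_party])}


def verify(token, relying_party):
    """Relying-party side: accept only tokens addressed to it, with a valid tag under its own key."""
    payload = {k: v for k, v in token.items() if k != "tag"}
    if payload.get("aud") != relying_party:
        return False
    return hmac.compare_digest(token.get("tag", ""), _tag(payload, RP_KEYS[relying_party]))


def linkable_subjects(tokens_a, tokens_b):
    """What two colluding relying parties learn by joining on the identifier: nothing, if pairwise."""
    return {t["sub"] for t in tokens_a} & {t["sub"] for t in tokens_b}


if __name__ == "__main__":
    shop = issue("alice", "shop.example", ["over_18"])
    forum = issue("alice", "forum.example", ["over_18"])
    print("distinct subs:", shop["sub"] != forum["sub"])
    print("shop verifies:", verify(shop, "shop.example"))
    print("joinable:", linkable_subjects([shop], [forum]))
```

Two relying parties that pool their records find no common identifier, and each sees only the predicate it asked for rather than the birth year behind it. The caveat a practitioner should note: the issuer itself can still link every transaction, since it computes the pseudonyms and knows which party asked. Unlinkability against the issuer as well is what the standard's unlinkability properties (clause 7) and level requirements (clause 9) are about, and it needs cryptographic credential schemes rather than this shared-key pattern.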
