
  • ISO/IEC 27036-1 | ISO27001security

    ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)

    Abstract
    ISO/IEC 27036 part 1 “is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. [ISO/IEC 27036] addresses perspectives of both acquirers and suppliers.” [Source: ISO/IEC 27036-1:2021]

    Introduction
    ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of IT products (goods and services) from suppliers. The standards avoid referring to selling and buying since the issues are much the same whether the transactions are commercial or not, e.g. when one part of an organisation or group acquires IT products from another, or uses free/open-source products.

    Scope
    Part 1 introduces all parts of this standard, providing general background information such as the key terms and concepts around information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”

    Structure
    Main clauses:
    • 5: Problem definition and key concepts
    • 6: Overall ISO/IEC 27036 structure and overview

    Status
    The first edition of part 1 was published and made available for free in 2014. The current second edition was published in 2021, initially for free but no longer, unfortunately.

    Commentary
    Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation, i.e. acquirers gaining access to suppliers’ internal information, is not explicitly mentioned in part 1 but is noted in part 2.] The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered, e.g. disclosure and theft of sensitive intellectual property.]

    Within the ISO27k information security standards, the products most obviously covered by ISO/IEC 27036 include:
    • IT outsourcing and cloud computing services;
    • Other professional services, e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;
    • Provision of ICT hardware, software and services including telecommunications and Internet services;
    • Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);
    • Electricity to power ICT equipment.

    The ISO/IEC 27036 standards therefore could cover:
    • Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;
    • Information risks such as:
      - Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);
      - Physical and logical access to and protection of second and third party information assets;
      - Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;
      - Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
      - Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;
      - ... and more.
    • Information security controls such as:
      - Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;
      - Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
      - Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;
      - Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
      - Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);
      - Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
      - A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
      - ... and more.
    • The entire relationship lifecycle:
      - Initiation: scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;
      - Definition of requirements, including the information security requirements of course;
      - Procurement, including evaluating, selecting and contracting with supplier/s;
      - Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;
      - Operation, including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;
      - Refresh: an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
      - Termination and exit, i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.

    Some, but not all, of this is covered by ISO/IEC 27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

    This page last updated: 22 February 2026

  • ISO/IEC 27557 | ISO27001security

    ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)

    Abstract
    ISO/IEC 27557 “provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. [ISO/IEC 27557] provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: organizational consequences of adverse privacy impacts on individuals; and organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. [ISO/IEC 27557] assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization.” [Source: ISO/IEC 27557:2022]

    Introduction
    This standard advises on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It supports the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards: particularly ISO 31000 of course, plus ISO/IEC 29134 and ISO/IEC 27005.

    The standard distinguishes information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasizing differences in the respective risk management activities. Having said that, there are clearly significant overlaps:
    • ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
    • Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
    • Many privacy-related controls are information security controls, e.g. identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
    • Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
    • Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).

    Scope
    The standard advises using ISO 31000 “Risk management - Guidelines” to manage privacy risks, aiding the integration of privacy risks into the organisation’s overall risk management.

    Structure
    Main clauses:
    • 4: Principles of organizational privacy risk management
    • 5: Framework
    • 6: Risk management process
    • Annex A: PII processing identification
    • Annex B: Example privacy events and causes
    • Annex C: Privacy impact and consequence examples
    • Annex D: Template showing the severity scale for privacy impacts on individuals

    Status
    The current first edition was published in 2022.

    Commentary
    When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf in a custodianship role ... which differs from the usual solely corporate perspective of information risk management. There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information they handle, and society at large. The standard does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.

    This page last updated: 12 February 2026

  • ISO/IEC TR 27016 | ISO27001security

    ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition)

    Abstract
    “ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.” [Source: ISO/IEC TR 27016:2014]

    Introduction
    There are substantial economic, financial and resourcing aspects to the management of information risks and security controls.

    Scope
    The ISO catalogue says ISO/IEC TR 27016 “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.”

    Structure
    Main clauses:
    • 6: Information security economic factors - investment aspects
    • 7: Economic objectives - asset values
    • 8: Balancing information security economics for Information Security Management - cost-benefit analysis
    • Annex A: Identification of stakeholders and objectives for setting values
    • Annex B: Economic decisions and key cost decision factors
    • Annex C: Economic models appropriate for information security
    • Annex D: Business case calculation examples

    Status
    The current first edition was published in 2014 as a Technical Report since this was deemed a developing field of study. Evidently the field has not developed significantly (and I guess the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members.

    Commentary
    Some generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000.

    This page last updated: 11 February 2026

  • ISO/IEC TS 27115-2 | ISO27001security

    ISO/IEC TS 27115-2 — Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 2: Security architecture evaluation

    Abstract
    ??

    Introduction
    ??

    Scope
    [ISO/IEC TS 27115-2] provides a framework to evaluate the cybersecurity of complex systems, including systems of systems, based on ISO/IEC TS 27115-1. The framework uses basic architecture concepts to support model-based, comprehensive and scalable security solutions and their evaluation.

    Structure
    ??

    Status
    Part 2 is due out in 2028. It is currently at Working Draft stage.

    Commentary
    TBA

    This page last updated: 2 April 2026

  • ISO 27799 | ISO27001security

    ISO 27799:2025 — Health informatics — Information security controls in health using ISO/IEC 27002 (third edition)

    Abstract
    ISO 27799:2025 “contains a set of information security controls for health organizations. It considers all the controls in ISO/IEC 27002:2022 and, in some cases, supplements the controls or provides guidance on their application in health. There are also some additional controls specific to health which are not derived from any in ISO/IEC 27002:2022.” [Source: ISO 27799:2025]

    Introduction
    This standard offers guidance on information security controls applicable to the health industry and medical-related organisations of various kinds: hospitals, labs, surgeries, medical insurers, medical device suppliers etc. Information security controls are appropriate to mitigate unacceptable risks to the confidentiality, integrity and availability of:
    • Personal information, including private health information and safety-related time-sensitive information;
    • Health-related information provided by or released to third parties such as lab test results, medical histories/records and research studies;
    • Data processed by medical devices such as electronic heart monitors, pacemakers and various scanners.

    Healthcare companies also face risks associated with non-health commercial information in any business, such as the information used for financial, personnel and commercial management. Furthermore, they are required to comply with various laws, regulations, standards and codes, some of which relate to information security, privacy, safety, essential infrastructure services etc. Although not explicitly excluded from the scope, such areas are not the focus of ISO 27799.

    Scope
    The standard helps medical/healthcare-related organisations, plus professionals working for them on information risk, security, privacy and related matters (including assurance), interpret and apply information security controls from ISO/IEC 27002 (with some extensions) plus ISO 81001-1 Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts and other cited references.

    Structure
    Main clauses:
    • 4 - General
    • 5 - Organizational controls
    • 6 - People controls
    • 7 - Physical controls
    • 8 - Technological controls
    • Annex A - Information security controls for health reference (checklist?)
    • Annex B - Correspondence between the second and third editions of ISO 27799
    • Annex C - Information security in health organizations (overview?)
    • Annex D - Example infosec and privacy requirements (risks?) mapped to controls

    Status
    The first edition was published in 2008. It was developed by ISO/TC215 Health informatics, not ISO/IEC JTC 1/SC 27, based on ISO/IEC 17799:2005. The second edition, updated to reflect ISO/IEC 27001:2013 and ISO/IEC 27002:2013, was published in 2016. The current third edition was published in 2025. It was updated for ISO/IEC 27002:2022, and is now focused on the information security controls, omitting the ISO/IEC 27001 Information Security Management System aspects from the previous edition.

    Commentary
    Unfortunately I don't have access to the content of this standard so have nothing substantial to add beyond the general information provided publicly on ISO.org. However, speaking as a former pharmaceuticals infosec pro, I wonder how much of the medical supply chain is in-scope, e.g. are pharmaceuticals suppliers covered, given that they accumulate, generate, process, use, manage and disclose often sensitive commercial and technical information on drugs including clinical trials, extremely valuable intellectual property and, of course, safety-critical information about drug use and efficacy? Pharmacies and pharmacists? And as a former microbial geneticist, what about medical-related research on, say, infectious diseases such as COVID? What about public health and statistical information on disease outbreaks, 'cancer clusters', obesity etc., or the effectiveness and side effects of various treatments (not just conventional, approved drugs: 'alternative therapies' such as homeopathy, herbalism and self-administered narcotics spring to mind here)? Forensic pathology? Counselling? Rehabilitation? Smart prosthetics? Gyms and sports coaches? And then what about animal health, e.g. veterinarians? Non-human animals' privacy may be of no concern to humans but again there are commercial, healthcare and safety aspects. Bottom line: this standard may have some application and value way beyond its stated scope. Maybe not. If you are involved in any way with the intersection of health and information, I suggest taking a good look at this standard.

    This page last updated: 12 February 2026

  • ISO/IEC TS 27022 | ISO27001security

    ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)

    Abstract
    ISO/IEC TS 27022 “defines a process reference model (PRM) for the domain of information security management, which is meeting the criteria defined in ISO/IEC 33004 for process reference models (see Annex A). It is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018, 4.3, within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS. [ISO/IEC TS 27022] is complementing the requirements-oriented perspective of ISO/IEC 27003 with an operational, process-oriented point of view.” [Source: ISO/IEC TS 27022:2021]

    Introduction
    The standard (a Technical Specification) “provides a process reference model (PRM) for information security management, which differentiates between ISMS processes and measures/controls initiated by them ... [and] describes the ISMS processes implied by ISO/IEC 27001.” The standard is based on a PhD thesis.

    Scope
    The standard lays out, in some detail, a Process Reference Model comprising a generic suite of ISMS processes that organisations may wish to use as a basis for designing custom processes within their own ISMS. The standard “is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.” This advisory standard does not add or modify the ISMS requirements in ISO/IEC 27001.

    Structure
    The ISMS processes described fall into 3 “categories” (types or groups), i.e.:
    • Governance activities (confusingly titled ‘management processes’): direction and oversight for the ISMS;
    • Core operations, e.g. information risk and security management, policy management, incident management, internal audits ...; and
    • Support, e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...

    The processes are each laid out in an Appendix, first as a table specifying:
    • Process “category” denoting the type of process
    • A brief description
    • Objective/purposes
    • Input[s] and Output[s]
    • Activities/functions, i.e. a few words for each of the main steps in the process
    • Informative references.

    The table is followed by a flowchart summarising each process on one side or less.

    Status
    The current first edition was published in 2021. An amendment updating references to ISO/IEC 27001:2022 and other ISO27k standards was in preparation in 2024 but the proposed revision of the standard was dropped due to lack of expert support.

    Commentary
    Mature organisations may already have processes for:
    • Asset management;
    • Audit management, both internal and external;
    • Business continuity management (see ISO 22301: ISO/IEC 27001 is limited to continuity of information security operations during major incidents);
    • Change management plus configuration management and version control;
    • Continuous improvement and maturity management;
    • Database [security] management;
    • Exemption management (management-approved nonconformity with policies);
    • Facilities management including power and other services for the computer room;
    • Identity, access rights and user account management;
    • Incident management including incident investigation and forensics;
    • Information management in general;
    • Information [security] risk management (partly covered by ISO/IEC 27005);
    • Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
    • IT!
    • Internal audits and certification audits;
    • Key management, plus the rest of cryptography;
    • Log management, plus alarms and alerts;
    • Metrics and management information management (partly covered by ISO/IEC 27004);
    • Monitoring and oversight of the risk management and security arrangements;
    • Patching, including emergency arrangements for urgent fixes;
    • Performance and capacity management;
    • Personnel/HR management including “onboarding” and “offboarding” (nasty neologisms!);
    • Preventive and corrective actions;
    • Quality management, especially quality assurance;
    • Service management [organisations that are heavily process-oriented may be using ITIL/ISO 20000, in which case ISO/IEC 27013 is applicable];
    • Supplier/vendor relationship management, including telecomms, Internet and cloud services, outsourced development, contract security guards, maintenance/servicing, professional services (consulting, contracting, accounting, tax advising) etc.;
    • System and network [security] management;
    • System/software development and testing ...
    ... and more.

    Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organisations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
    • Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
    • Facilitating or encouraging process automation and innovation where applicable;
    • Facilitating or encouraging use of existing processes, adapting them where necessary;
    • Perhaps re-using effective ISMS processes elsewhere in the organisation;
    • Managing the processes themselves, e.g. management processes for monitoring, reviewing, evaluating and maintaining the ISMS processes, responding to changes, identifying and exploiting improvement opportunities etc.

    It would be unfortunate if ISMS processes were perceived as distinct from normal operations, rather than being integral to the organisation’s routine activities. The process for managing an information security or privacy incident, for example, is essentially the same as that for managing any other incident, hence it is generally unnecessary to create an alternative incident management process if the existing one (perhaps with a few tweaks) is effective.

    This page last updated: 11 February 2026

  • ISO/IEC 27002 | ISO27001security

    ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition)

    Abstract
    ISO/IEC 27002 “provides a reference set of generic information security controls including implementation guidance. [ISO/IEC 27002] is designed to be used by organisations: (a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; (b) for implementing information security controls based on internationally recognized best practices; [and] (c) for developing organisation-specific information security management guidelines.” [Source: ISO/IEC 27002:2022]

    Introduction
    ISO/IEC 27002 is a popular international standard describing a generic selection of ‘good practice’ information security controls, typically used to mitigate unacceptable risks to the confidentiality, integrity and availability of information. It was based on British Standard BS 7799 in the mid-1990s, itself based on an oil company's proprietary information security manual. ISO/IEC 27002 is an advisory document, a guideline or recommendation rather than a formal specification such as ISO/IEC 27001. Organisations are advised to identify and evaluate their own information risks, selecting or designing and applying suitable information security controls to mitigate unacceptable risks, using ISO/IEC 27002 and other relevant standards and sources for guidance.

    Scope
    Like governance and risk management, information security management is a broad topic with ramifications for all organisations. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, clubs, government departments and quasi-autonomous bodies: in fact any organisation that handles and depends on information. The specific information risks and hence control requirements differ in detail between organisations but there is a lot of common ground; for instance most organisations need to address information risks relating to their employees plus contractors, consultants and third party suppliers of various information and IT services such as networking and cloud computing.

    The standard is explicitly concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property), not just IT/systems/network/cyber/digital security. It includes those, of course, but there's more to secure.

    Structure
    The standard lays out a ‘reference set’ of 93* generic information security controls with guidance, categorised into 4 main clauses or ‘themes’:
    • 5: Organisational controls - a large and misleadingly-named catch-all group of 37* controls that don’t fit neatly into the following themes;
    • 6: People controls - 8* controls involving or relating to people, e.g. individuals’ behaviors, activities, roles and responsibilities, terms and conditions of employment etc.;
    • 7: Physical controls - 14* tangible controls to secure tangible information assets;
    • 8: Technological controls - 34* controls involving or relating to technologies, IT in particular.

    The 93* controls are each tagged with one or more values for each of 5 attributes so they can be grouped, selected or filtered in other ways too. The attributes and attribute values are:
    • Control type: preventive, detective and/or corrective - relating to the stages of an incident at which the controls act;
    • Information security properties: confidentiality, integrity and/or availability - which of these information characteristics they protect;
    • Cybersecurity concepts: identify, protect, detect, respond and/or recover - a more detailed breakdown of the incident timeline;
    • Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance - reflecting the structure used in the previous edition of this standard;
    • Security domains: governance and ecosystem, protection, defence and resilience - another way to classify controls.

    The control attribute tagging reflects these complexities:
    • A given control may have several worthwhile applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people, and alternative suppliers/sources of necessary information services, as well as data backups);
    • An unacceptable risk typically requires several controls (e.g. malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS, authentication, patching, testing, system integrity controls etc., while avoiding infection can be a powerful approach if bolstered with controls such as policies and procedures, blacklisting etc.);
    • Many of the ‘controls’ identified in the standard are not atomic, being composed of several smaller elements or pieces (e.g. backups involve strategies, policies and procedures, software, hardware, testing, incident recovery, physical protection of backup media etc.).

    Some of the themes and attributes are arbitrarily assigned: for example, a commercial card access lock on a building entrance may fall into any, arguably all four, of the themes listed above, but if it and other such controls were covered several times, the standard would become unwieldy. More likely, it would be categorised primarily as a physical control, possibly with references to other elements. Organisations can usefully define and use their own attributes as well; ISO/IEC 27028 will soon provide guidance on that.

    * Note: there are 21 fewer control clauses in the third edition than the second despite adding 11 new ones, since several second edition control clauses were updated or merged. Each clause is in fact comprised of or incorporates numerous ‘atomic’ controls at a more detailed level of analysis. ISO/IEC 27002 notes or implies hundreds of detailed information security controls, in fact, way more than the nominal and often-stated total of “93”.

    Status
    The first edition was published in 2005. The second edition was published in 2013. The completely restructured and updated third edition was published in 2022. A Preliminary Work Item will explore the need for a revision of ISO/IEC 27002, assessing the relevance and applicability of the current set of controls and supporting guidance, and perhaps proposing new ones. The intent is to reflect changes “in organizational practices, business, operations, technology and cyber-risks”. The committee is also considering offering guidance on information security controls tailored for small organisations. A PWI will clarify the scope and purpose of such an SME infosec guideline, if indeed it gets enough support.
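    The attribute tagging described above is what makes the third edition’s controls filterable by question rather than only by clause number. The following Python is an added illustration written for this page, not code from ISO/IEC or from this site: it models a handful of controls carrying the five standard attributes plus an organisation-defined ‘privacy’ tag (the standard itself has no privacy attribute; this is the kind of custom attribute the text says organisations may add), and answers queries such as “which physical controls are relevant to privacy?” or “which preventive controls do not involve technology?”. The seven-control catalogue is a constructed sample, and its tag values are illustrative and should be checked against the published standard before being relied on.

```python
"""Filter a tagged control catalogue in the style of ISO/IEC 27002:2022.

Constructed sample for illustration: seven controls tagged with the five
attributes from the standard plus an organisation-defined 'custom' attribute.
The tag values are illustrative and must be checked against the published text.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Attribute vocabularies as listed in ISO/IEC 27002:2022.
THEMES = {"Organisational", "People", "Physical", "Technological"}
CONTROL_TYPES = {"preventive", "detective", "corrective"}
PROPERTIES = {"confidentiality", "integrity", "availability"}
CONCEPTS = {"identify", "protect", "detect", "respond", "recover"}
CIA = frozenset(PROPERTIES)


def fs(*values: str) -> FrozenSet[str]:
    return frozenset(values)


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    theme: str                      # the clause (5-8) the control sits in
    control_type: FrozenSet[str]
    properties: FrozenSet[str]
    concepts: FrozenSet[str]
    capabilities: FrozenSet[str]
    domains: FrozenSet[str]
    custom: FrozenSet[str] = frozenset()   # organisation-defined attribute values

    def __post_init__(self) -> None:
        # Reject tags outside the standard's vocabularies so a typo surfaces at load time.
        if self.theme not in THEMES:
            raise ValueError(f"{self.ref}: unknown theme {self.theme!r}")
        for value, allowed in ((self.control_type, CONTROL_TYPES),
                               (self.properties, PROPERTIES),
                               (self.concepts, CONCEPTS)):
            if not value <= allowed:
                raise ValueError(f"{self.ref}: unknown tag(s) {set(value - allowed)}")


# Constructed sample catalogue (illustrative tagging, not the authoritative text).
CATALOGUE: List[Control] = [
    Control("5.1", "Policies for information security", "Organisational",
            fs("preventive"), CIA, fs("identify"), fs("governance"),
            fs("governance_and_ecosystem", "resilience")),
    Control("6.3", "Information security awareness, education and training", "People",
            fs("preventive"), CIA, fs("protect"), fs("human_resource_security"),
            fs("governance_and_ecosystem")),
    Control("7.1", "Physical security perimeters", "Physical",
            fs("preventive"), CIA, fs("protect"), fs("physical_security"),
            fs("protection")),
    Control("7.10", "Storage media", "Physical",
            fs("preventive"), CIA, fs("protect"),
            fs("physical_security", "asset_management"), fs("protection"),
            custom=fs("privacy")),
    Control("8.13", "Information backup", "Technological",
            fs("corrective"), fs("integrity", "availability"), fs("recover"),
            fs("continuity"), fs("protection")),
    Control("8.16", "Monitoring activities", "Technological",
            fs("detective", "corrective"), CIA, fs("detect", "respond"),
            fs("information_security_event_management"), fs("defence")),
    Control("8.24", "Use of cryptography", "Technological",
            fs("preventive"), CIA, fs("protect"), fs("secure_configuration"),
            fs("protection", "defence"), custom=fs("privacy")),
]

Criteria = Dict[str, Iterable[str]]


def tags(control: Control, attribute: str) -> FrozenSet[str]:
    """Return an attribute's values as a set, so the single-valued 'theme' filters like the rest."""
    value = getattr(control, attribute)
    return frozenset([value]) if isinstance(value, str) else value


def select(catalogue: Iterable[Control],
           require: Optional[Criteria] = None,
           exclude: Optional[Criteria] = None) -> List[Control]:
    """Controls carrying at least one required value per attribute and none of the excluded ones."""
    require, exclude = require or {}, exclude or {}
    return [c for c in catalogue
            if all(tags(c, a) & frozenset(v) for a, v in require.items())
            and not any(tags(c, a) & frozenset(v) for a, v in exclude.items())]


def refs(controls: Iterable[Control]) -> List[str]:
    return [c.ref for c in controls]


def coverage(catalogue: Iterable[Control], attribute: str) -> Dict[str, int]:
    """How many controls carry each value of an attribute (e.g. how many address 'recover')."""
    counts: Counter = Counter()
    for c in catalogue:
        counts.update(tags(c, attribute))
    return dict(counts)


if __name__ == "__main__":
    print("Physical controls tagged privacy:",
          refs(select(CATALOGUE, require={"theme": ["Physical"], "custom": ["privacy"]})))
    print("Preventive controls outside the Technological theme:",
          refs(select(CATALOGUE, require={"control_type": ["preventive"]},
                      exclude={"theme": ["Technological"]})))
    print("Cybersecurity-concept coverage:", coverage(CATALOGUE, "concepts"))
```

    The same `select` call expresses any of the questions in the text once the catalogue is fully populated: each attribute is a set, a requirement matches if any listed value is present, and exclusions remove controls carrying any excluded value. `coverage` is the grouping side of the same model, showing for instance how thinly a catalogue covers ‘recover’ compared with ‘protect’.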
Commentary

In my considered opinion, one of the most distinctive, innovative and valuable features of the original Shell policy manual, the UK DTI Code of Practice/DISC standard PD003 and British Standard BS 7799 was that they explicitly addressed information security, recommending approaches and controls to secure information in any form - not just computer data, systems, apps, networks and technologies. The focus was clearly on protecting the intangible, vulnerable and valuable information content. Over the decades since ISO/IEC adopted it as an international standard, it has gradually evolved into a tech-centric IT, ICT or cyber-security standard. The third edition of ‘27002 continues along the same trajectory.

The third edition misses numerous opportunities to encourage users to consider their “information risks” in order to determine whether various controls are even needed to avoid or mitigate the risks, and if so what controls are appropriate, taking account of their effectiveness, costs, value, reliability etc. It is as if the controls laid out in the standard are not merely good practices worth considering under various circumstances, but required or mandatory to the extent that not implementing them might perhaps be considered inept, unprofessional or bad practice. There is a subtle presumption that most if not all the controls should be employed by all organisations, regardless of the diversity of organisations in scope and their differing information risks. This is misleading, and has remained an issue for several years.

I miss the ‘control objectives’ from BS 7799: these succinctly explained what the controls were expected to achieve, giving them a business-related purpose that was readily interpreted in the particular context of an individual organisation. If management accepted that an objective was valid, the controls were worth considering not in the sense of being obligatory or even recommended, so much as examples of the kinds of things that could be put in place to achieve the objective. In the third edition, the risk-based control objectives have become watered-down and often self-serving ‘purposes’, with little to no explicit reference to the organisation’s information risks that the suggested controls are supposed to mitigate - a retrograde step as far as I’m concerned ... potentially presenting an opportunity to fill in the gaps (watch this space!). However, some experts complained of ‘challenging conversations’ between auditors and management: I suspect the underlying issue there was a failure to understand the true nature of information risk and risk treatment options.

While the restructured third edition is readable and usable on paper, the tagging and cross-linking of controls strongly favours database applications (even something as simple as Excel) allowing users to filter or select and sort the controls by whatever criteria or questions they pose - for instance, “Which physical security controls are relevant to privacy?” or “What preventive controls do not involve technology?”. Given a suitable database application, the sequence is almost irrelevant compared to the categorisation, tagging and description of the controls. It will be interesting to see how this turns out.

I am dismayed that the standard has been infected with the “cyber” virus, begging questions about definition and interpretation. Some contributors wanted the standard to cover both information security and cybersecurity controls, implying that they consider those to be distinct domains, while others first want to understand the differences before classifying controls ... and I must say I’m in the second group. What is the true meaning and scope of “cybersecurity”, in fact?
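The "filter and sort the controls by attribute" use of the third edition described above, as an added example that is neither code from this page nor anything published with ISO/IEC 27002: a small in-memory catalogue of controls tagged with the five attribute families listed earlier, plus an organisation-defined "privacy" attribute of the kind the standard allows, and a query function that answers questions like the two quoted ("Which physical security controls are relevant to privacy?", "What preventive controls do not involve technology?"). The control names are loosely based on controls this page mentions (backups, malware, card access locks, clear desk and clear screen, awareness, the top-level policy); every tag assignment and the four theme names are constructed for illustration, not taken from the standard's own tables.

```python
"""Added example: a tagged control catalogue with attribute-based queries.

Attribute families and values follow the page's list; the control names,
themes and tag assignments below are constructed for illustration and are
not ISO/IEC 27002's official attribute tagging.
"""
from dataclasses import dataclass, field

# The five attribute families and their permitted values, as listed on the page.
ATTRIBUTE_VALUES = {
    "control_type": {"preventive", "detective", "corrective"},
    "properties": {"confidentiality", "integrity", "availability"},
    "concepts": {"identify", "protect", "detect", "respond", "recover"},
    "capabilities": {
        "governance", "asset_management", "information_protection",
        "human_resource_security", "physical_security", "system_and_network_security",
        "application_security", "secure_configuration", "identity_and_access_management",
        "threat_and_vulnerability_management", "continuity",
        "supplier_relationships_security", "legal_and_compliance",
        "information_security_event_management", "information_security_assurance",
    },
    "domains": {"governance_and_ecosystem", "protection", "defence", "resilience"},
}


@dataclass
class Control:
    name: str
    theme: str                                   # organisational / people / physical / technological
    tags: dict = field(default_factory=dict)     # attribute family -> set of values
    custom: dict = field(default_factory=dict)   # organisation-defined attributes (e.g. privacy)

    def __post_init__(self):
        # Reject misspelt families or values so a typo cannot silently drop a control from queries.
        for family, values in self.tags.items():
            if family not in ATTRIBUTE_VALUES:
                raise ValueError(f"{self.name}: unknown attribute family {family!r}")
            unknown = set(values) - ATTRIBUTE_VALUES[family]
            if unknown:
                raise ValueError(f"{self.name}: unknown {family} values {sorted(unknown)}")


CIA = {"confidentiality", "integrity", "availability"}

# Constructed sample catalogue (illustrative tagging only).
CONTROLS = [
    Control("Information security policy", "organisational",
            {"control_type": {"preventive"}, "properties": CIA, "concepts": {"identify"},
             "capabilities": {"governance"}, "domains": {"governance_and_ecosystem"}}),
    Control("Information backup", "technological",
            {"control_type": {"corrective"}, "properties": {"integrity", "availability"},
             "concepts": {"recover"}, "capabilities": {"continuity"}, "domains": {"protection"}}),
    Control("Protection against malware", "technological",
            {"control_type": {"preventive", "detective", "corrective"}, "properties": CIA,
             "concepts": {"protect", "detect"},
             "capabilities": {"system_and_network_security", "information_protection"},
             "domains": {"protection", "defence"}}),
    Control("Physical entry", "physical",
            {"control_type": {"preventive"}, "properties": CIA, "concepts": {"protect"},
             "capabilities": {"physical_security"}, "domains": {"protection"}},
            custom={"privacy": True}),
    Control("Clear desk and clear screen", "people",
            {"control_type": {"preventive"}, "properties": {"confidentiality"},
             "concepts": {"protect"},
             "capabilities": {"physical_security", "information_protection"},
             "domains": {"protection"}},
            custom={"privacy": True}),
    Control("Information security awareness", "people",
            {"control_type": {"preventive"}, "properties": CIA, "concepts": {"protect"},
             "capabilities": {"human_resource_security"}, "domains": {"governance_and_ecosystem"}}),
]


def select(controls, themes=None, custom=None, **tag_filters):
    """Return the names of controls matching every criterion given.

    themes: allowed theme names; custom: organisation attributes that must match exactly;
    tag_filters: family=value pairs such as control_type="preventive".
    """
    for family in tag_filters:
        if family not in ATTRIBUTE_VALUES:
            raise ValueError(f"unknown attribute family {family!r}")
    matches = []
    for c in controls:
        if themes is not None and c.theme not in themes:
            continue
        if custom and any(c.custom.get(k) != v for k, v in custom.items()):
            continue
        if all(v in c.tags.get(fam, set()) for fam, v in tag_filters.items()):
            matches.append(c.name)
    return matches


def physical_controls_relevant_to_privacy(controls):
    """The page's first sample question, using the organisation-defined 'privacy' attribute."""
    return select(controls, themes={"physical"}, custom={"privacy": True})


def preventive_controls_without_technology(controls):
    """The page's second sample question: preventive controls outside the technological theme."""
    return select(controls, themes={"organisational", "people", "physical"}, control_type="preventive")


if __name__ == "__main__":
    print(physical_controls_relevant_to_privacy(CONTROLS))
    print(preventive_controls_without_technology(CONTROLS))
```

Because `select` combines any number of criteria, the same catalogue answers questions the standard's printed sequence cannot (for instance, every control tagged with the `recover` concept, or every detective control), which is the point the commentary makes about database applications; the validation in `Control.__post_init__` matters because a misspelt tag value would otherwise drop the control silently from every query.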
Similarly, the committee hoped to resolve confusion over the meaning of “policy” in the second edition by distinguishing three variants or hierarchical levels in the third:

• “Information security policy” refers to the overall, high-level corporate policy at the peak of the classical policy pyramid, approved by ‘top management’. ‘Strategy’ might have been a better term for this, at the risk of creating yet more confusion, but the ISO management systems standard boilerplate requires 'policy', so 'policy' (singular) it is;
• “Topic-specific policy” refers to mid-level policies, e.g. “topic-specific policies on access control and clear desk and clear screen” (the latter sounds, to me, more like a rule than a mid-level policy ... and indeed, as expressed by the project team, the topic-specific policy concept includes guidelines and rules, making this layer a blend, transition or link between the upper and lower levels). These are aligned with and support the high level policy, approved by ‘the appropriate management level’, and [within reason] may be adapted/interpreted locally by departments, business units etc. where their specific contexts (information risks, security requirements, business situations, locations etc.) differ from the overall corporate context;
• “Rule” is the lowest, most detailed/specific level, defined as an “accepted principle or instruction that states the organisation’s expectations on what should be done, what is allowed or not allowed” (I’m not sure an organisation, per se, can ‘expect’ anything, or should have expectations on rather than of something: in a corporate context, rules are generally imposed by management on behalf of the organisation and its stakeholders ... but this definition was a bone of contention within SC 27 so a compromise is needed).

This page last updated: 14 April 2026

  • ISO/IEC 27042 | ISO27001security

ISO/IEC 27042

ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition)

Abstract

“ISO/IEC 27042:2015 provides guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility, and repeatability. ...” [Source: ISO/IEC 27042:2015]

Introduction

The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardisation will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

Scope

As the title suggests, this standard offers guidance on the process of analysing and interpreting digital evidence, which is of course just a part of the forensics process. It lays out a generic framework encapsulating good practices in this area. Aside from the standard evidential controls (maintaining the chain of custody, scrupulous documentation etc.), the standard emphasizes the integrity of the analytical and interpretational processes such that different investigators working on the same digital evidence ought to come up with essentially the same results - or at least any differences should be traceable to choices they made along the way. Given the volume, variety and complexity of digital evidence these days, that’s quite a challenge, hence the drive for standardization, good practices, common terminology and sound, rational approaches. The standard touches on issues such as the selection and use of forensic tools, plus proficiency and competency of the investigators.

Structure

Main clauses:
5: Investigation
6: Analysis
7: Analytical models
8: Interpretation
9: Reporting
10: Competence
11: Proficiency
Annex A: Examples of Competence and Proficiency Specifications

Status

The current first edition was published in 2015 and confirmed unchanged in 2021.

Commentary

I am puzzled why SC 27 publishes and maintains several distinct forensics standards covering different aspects of forensics, when they are in reality complementary parts of the same process:

• ISO/IEC 27037 concerns the initial capturing of digital evidence.
• ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics e.g. ensuring that the appropriate methods and tools are used properly.
• This standard covers what happens after digital evidence has been collected i.e. its analysis and interpretation.
• ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
• ISO/IEC 27050 (in 4 parts) concerns electronic discovery ... which is pretty much what the other standards cover.
• British Standard BS 10008 “Evidential weight and legal admissibility of electronically stored information (ESI), Specification.” may also be of interest.

I understand the decision not to integrate this content into ISO/IEC 27037 but a multi-part standard would make more sense to me personally, with an overview part 1 explaining how the jigsaw pieces fit together. The editors rejected such a proposal, claiming that it was considered and rejected when the forensics standards development projects were launched. So, sorry valued customers, it seems you will have to buy and correlate multiple standards if you choose to adopt the complete ISO27k forensics suite.

This page last updated: 22 February 2026

  • ISO/IEC TR 27109 | ISO27001security

ISO/IEC TR 27109

ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT]

Abstract

?? None yet

Introduction

It appears the standard intends to address the claimed dire global shortage of cybersecurity professionals, hopefully increasing the supply of newly-minted professionals to the market by suggesting standard curricula for educators offering college and university courses etc. Maybe.

Scope

?? Too early to say

Structure

The standard may:
• Cover cybersecurity awareness (?), training and education;
• Suggest common/standard education and training curricula in this area;
• List/mention applicable national guidance, strategies or regulations.

Status

A Technical Report is in preparation. It was originally to be published in 2024 but the project was extended to 2026 for ‘additional technical work’. The standard development project missed its extended deadlines and so was cancelled in September 2025 ... but was magically rejuvenated as another 3-year project (I have no idea how that works!)

Commentary

The standard will hopefully complement rather than replace ISO/IEC 27021 concerning competencies required of ISMS professionals. ISO/IEC JTC 1/SC 27 is collaborating with another committee on ‘cybersecurity competence’.

If national guidelines are to be listed in this standard, the details will need to be collated and managed indefinitely, implying a stream of maintenance updates to keep the standard reasonably accurate and current. Why is such an approach even being considered? Most other international standards don’t attempt to list national aspects except perhaps as examples.

This page last updated: 26 January 2026

© 2026 IsecT Limited 