Search Results

  • ISO/IEC 27039 | ISO27001security

    ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS) (first edition)

    Abstract: “ISO/IEC 27039:2015 provides guidelines to assist organisations in preparing to deploy intrusion detection and prevention systems (IDPS). In particular, it addresses the selection, deployment, and operations of IDPS. It also provides background information from which these guidelines are derived.” [Source: ISO/IEC 27039:2015]

    Introduction: Intrusion Detection Systems are largely automated systems for identifying attacks on and intrusions into a network or system by hackers and raising the alarm. Intrusion Prevention Systems take the automation a step further by automatically responding to certain types of identified attack, for example by closing off specific network ports through a firewall to block identified hacker traffic. IDPS refers to either type.

    Scope: The scope states “This International Standard provides guidelines to assist organisations in preparing to deploy Intrusion Detection Prevention System (IDPS). In particular, it addresses the selection, deployment and operations of IDPS. It also provides background information from which these guidelines are derived.” Well designed, deployed, configured, managed and operated IDPS are valuable in several respects, for example:
      • Automation leverages scarce security engineers who would otherwise have to monitor, analyse and respond to network security incidents as best they could;
      • Automation tends to speed up identification and response to attacks, particularly common types of attack that can be identified unambiguously through unique attack signatures;
      • They give additional assurance to management that security issues on the networks and networked systems are being identified and mitigated.
    The standard is, in effect, an IDPS implementation guide and advisory.

    Structure: Main clauses:
      • 5: Selection - of various types of IDPS, complementary tools etc. to consider (in some detail, expanded still further in the annex)
      • 6: Deployment - of IDPS
      • 7: Operations - of IDPS
      • Annex A: Intrusion Detection and Prevention System (IDPS): framework and issues to be considered

    Status: The current first edition was published in 2015, “revising and canceling” (i.e. replacing) ISO/IEC 18043:2006. A technical corrigendum in 2016 corrected the title of the published standard, introducing “and prevention” that somehow got lost. The first edition was confirmed unchanged in 2020. It was due for periodic review in 2025 ...

    Commentary: I had hoped the standard would mention, in addition to the network security risks that they are meant to address, various information risks and issues associated with or introduced by the IDPS themselves, such as:
      • They are technologically advanced and complex, making them difficult to configure, deploy and use effectively, hence there is a risk that they may be incorrectly configured, deployed or used in practice, with various consequences on the organisation and other systems. Furthermore, they probably introduce additional technical security vulnerabilities into the very networks and/or systems they are supposed to protect;
      • They may adversely affect network traffic, restricting legitimate traffic and hence normal use of the network and systems, as well as hacking traffic;
      • They are not 100% capable, meaning that certain types or modes of attack (particularly novel ones) may not be reliably identified and hence blocked, potentially creating a false sense of security (inappropriate assurance);
      • They can only detect and react to available information, making them blind and deaf to attacks that bypass the networks and systems being monitored (including, for example, social engineering and physical intrusion attacks);
      • They usually require network bandwidth, processing and storage capacity for their own operations and record-keeping, and require hooks into the networks and systems being monitored and/or controlled, impinging upon normal use;
      • They are complicated to configure and manage for best effect, requiring the involvement of competent security engineers who, potentially at least, may themselves be hackers;
      • They require privileged access to network traffic, network devices and/or systems, and could potentially be misused as a vector or mechanism to compromise them.
    However, it does not ...

    This page last updated: 12 February 2026

  • ISO/IEC 27038 | ISO27001security

    ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction (first edition)

    Abstract: “ISO/IEC 27038:2014 specifies characteristics of techniques for performing digital redaction on digital documents. It also specifies requirements for software redaction tools and methods of testing that digital redaction has been securely completed. ISO/IEC 27038:2014 does not include the redaction of information from databases.” [Source: ISO/IEC 27038:2014]

    Introduction: Digital data sometimes have to be revealed to third parties, occasionally even published to the general public, for reasons such as disclosure of official documents under Freedom of Information laws or as evidence in commercial disputes or legal cases. However, where it is deemed inappropriate to disclose certain sensitive data within the files (such as the names or locations of people or sources who must remain anonymous and various other personal or proprietary information that must remain strictly confidential), those must be securely removed from the files prior to their release. ‘Redaction’ is the conventional term for the process of denying file recipients knowledge of certain sensitive data within the original files.

    Given that redaction is usually relevant to the protection of highly confidential information, failures in the process that lead to inappropriate data disclosure are almost bound to be serious and in the worst cases can be grave. Redaction failures have led to incidents such as identity theft, disclosure of confidential security matters, privacy breaches and compromising the identities of undercover agents and informants, while disclosure of trade secrets could prove extremely costly in a commercial context. At the very least, redaction failures are embarrassing to those deemed responsible.

    Information risks associated with digital redaction include:
      • Making bad decisions about the data to be redacted, the technical methods or process to be used and/or the suitability (primarily competency and diligence) of those tasked to do it;
      • Failing to identify correctly all the sensitive data that must be redacted (both the individual data items and the files);
      • Failing to render the redacted data totally unrecoverable, for example:
        • Using inappropriate or ineffective technical methods for redaction, such as crudely modifying rather than permanently deleting the sensitive data using methods that can be completely or partially reversed (for example simply reformatting or overlaying redacted text to appear invisible, or applying readily-reversed mechanistic transformations or tokenization of textual identifiers);
        • Accidentally leaving one or more copies of the sensitive data completely or partially unredacted (perhaps releasing multiple, independently and differently redacted versions of a sensitive document, enabling it to be reconstructed directly or by inference);
        • Partially deleting the sensitive data, leaving data remnants or sufficient information (such as the editing journal or cached copies) enabling the data to be restored from the redacted file;
        • Relying excessively on pixellation, blurring or similar methods of obfuscation to obscure parts of images (typically for personal privacy reasons), whereas deconvolution and other more or less advanced image manipulation/transformation techniques may restore enough of the original image to permit recognition;
        • Neglecting to redact sensitive metadata (e.g. in document properties or reviewer comments, GPS data on digital images, or alternate data streams);
      • Failing to distinguish all redacted from non-redacted data, consistently and accurately, such that recipients know unambiguously which parts are no longer original;
      • Excessive or inappropriate redaction, removing more than just the specific sensitive items that were supposed to have been redacted or doing so clumsily (which raises the prospect of having to justify redaction decisions and activities to a trustworthy intermediary or authority);
      • Inappropriately or inadvertently altering the meaning of the remaining data as a result of contextual issues (e.g. deleting selected data records may invalidate statistical analysis of the remainder), or by causing collateral damage to the file structure (such as file integrity issues and inappropriate formatting changes) during the redaction process;
      • Leaving sufficient data in the file to enable recipients to infer sensitive information, perhaps in conjunction with other available information sources (e.g. replacing people’s names with anonymous labels in a redacted file but separately disclosing the relationship between labels and names; disclosing anonymous statistical data on known small populations; disclosing the number of characters redacted, and perhaps even giving clues to the most likely characters by dint of their printed size; applying data mining, correlation and inference techniques to glean sensitive data from redacted or anonymized content);
      • Placing excessive reliance on redaction, believing it sufficient to keep sensitive data totally confidential under all circumstances whereas technical and process failures are possible and incidents sometimes occur in practice; conversely, placing zero reliance on redaction, believing it to be totally incapable of protecting sensitive information (these are governance and assurance risks);
      • Information security issues that are incidental or peripheral to the redaction process itself, such as:
        • Sending the original files, redaction instructions, redacted content or indeed the redacted files to the wrong recipients;
        • Failing to secure information relating to the redaction process, such as the original files or detailed redaction instructions, while in transit, during processing and in storage (e.g. interception of sensitive content in clear on the network);
        • Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately;
        • Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks);
        • Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters);
        • Damaging the integrity and/or availability of the original unredacted files (e.g. overwriting them with the redacted versions);
        • Use of redaction to conceal illegal or inappropriate activities;
        • Use of AI/ML/NLP to surmise the redacted content based on linguistic principles and the surrounding context, plus broader analysis of related materials;
      • Various other risks (the risk analysis implied here is generic and not comprehensive: it does not necessarily reflect any specific situation).
    [Thanks to colleagues on CISSPforum for contributing to this list.]

    Scope: The standard formally defines redaction as “permanent removal of information within a document” where document is formally defined as “recorded information which can be treated as a unit”. The definitions are important because, in other contexts and general use, these terms often mean other things ... and indeed later in the standard, redaction is expanded to include not just the removal of confidential content but also, if appropriate, indicating where content has been removed. The standard “specifies characteristics of techniques for performing digital redaction on digital documents [... and ...] requirements for software redaction tools and methods of testing that digital redaction has been securely completed [... but ...] does not include the redaction of information from databases.” Databases qualify as ‘units of recorded information’ but redaction of databases is specifically excluded from the scope of the standard. Even though this standard has a restricted scope, the risks it covers are significant and many of the associated controls are technically and procedurally complex. Like other ISO27k standards, it does not attempt to cover all the vagaries of the redaction process in great detail but provides sound if rather generic and high-level guidance.

    Structure: Main clauses:
      • 4: General principles of digital redaction - an introduction
      • 5: Requirements - an overview of the redaction process
      • 6: Redaction processes - such as printing and physically redacting content, editing the original documents in various ways, dealing with metadata (such as document properties and change records) and, in the case of ‘enhanced’ redaction, considering the broader context as well as the specific content (e.g. the possibility of guessing, inferring or reconstructing redacted content from other content in redacted files, or by using other sources)
      • 7: Keeping records of redaction work - in order to be able to explain or justify redaction decisions and actions
      • 8: Characteristics of software redaction tools - a core set of functional requirements
      • 9: Requirements for redaction testing - five simple if basic ways to check whether the redaction has been successful
      • Annex A: Redacting of PDF documents

    Status: The current first edition was published in 2014 and confirmed unchanged in 2019.

    Commentary: The title uses the keyword ‘specification’ which, in ISO-speak, implies a formal definition against which organisations may be independently audited and certified compliant. Whereas ISO specification standards normally use the keyword “shall” exclusively to indicate mandatory requirements, the DIS version also used “should” in places, providing guidance above and beyond the formal specifications. In practice, this makes the standard easier for users to understand and apply, but harder to audit and certify against, if indeed that was ever intended. The standard doesn’t say much about the governance or overall management of the redaction process (e.g. identifying what has to be redacted, why, how and by whom, nor about analysing and treating the risks in a given redaction situation), nor on the security controls that ought to be applied to or associated with the process (e.g. to prevent the inappropriate release of unredacted content or explicit redaction instructions). There is room here for further implementation guidance.

  • ISO/IEC 27037 | ISO27001security

    ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition)

    Abstract: “ISO/IEC 27037:2012 provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions. ISO/IEC 27037:2012 gives guidance for the following devices and circumstances: digital storage media used in standard computers like hard drives, floppy disks, optical and magneto optical disks, data devices with similar functions; mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards; mobile navigation systems; digital still and video cameras (including CCTV); standard computer with network connections; networks based on TCP/IP and other digital protocols; and devices with similar functions as above. The above list of devices is an indicative list and not exhaustive.” [Source: ISO/IEC 27037:2012]

    Introduction: This standard provides guidance on identifying, gathering/collecting/acquiring, handling and protecting/preserving digital forensic evidence, i.e. “digital data that may be of evidential value”, for use in court. The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

    One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity. As with conventional physical evidence, it is crucial for the first and subsequent responders (defined as “Digital Evidence First Responders” and “Digital Evidence Specialists”) to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts. More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred. This requires that a defined baseline level of information security controls is met or exceeded.

    Digital forensic evidence can come from any electronic storage or communications media such as cellphones, computers, iPods, video game consoles etc. By its nature, digital forensic evidence is fragile - it can be easily damaged or altered due to improper handling, whether by accident or on purpose. Prior to the release of ISO/IEC 27037, there were no globally-accepted standards on acquiring digital evidence, the first step in the process. Police have developed their own national guidelines and procedures for the acquisition and protection of electronic evidence. However, this creates issues when cross-border crimes are committed since digital forensic evidence acquired in one country may need to be presented in the courts of another. Tainted evidence that may have been acquired or protected without the requisite level of security may be legally inadmissible.

    Scope: The standard provides detailed guidance on the identification, collection and/or acquisition, marking, storage, transport and preservation of electronic evidence, particularly to maintain its integrity. It defines and describes the processes through which evidence is recognized and identified, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence. The scope covers ‘traditional’ IT systems and media rather than vehicle systems, cloud computing etc. The guidance is aimed primarily at first responders.

    Every country has its own unique legislative system. A crime committed in one jurisdiction may not even be regarded as a crime in another. The challenge is to harmonize processes across borders such that cybercriminals can be prosecuted accordingly. Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required. “Digital evidence”, meaning information from digital devices to be presented in court, is interpreted differently in different jurisdictions. For the widest applicability, the standard will avoid using jurisdiction-specific terminology. It will not cover analysis of digital evidence, nor its admissibility, weight, relevance etc. It also will not mandate the use of particular tools or methods.

    Structure: Main clauses:
      • 5: Overview
      • 6: Key components of identification, collection, acquisition and preservation of digital evidence
      • 7: Instances of identification, collection, acquisition and preservation
      • Annex A: Digital Evidence First Responder core skills and competency description
      • Annex B: Minimum documentation requirements for evidence transfer

    Status: The current first edition was published in 2012 and confirmed unchanged in 2018.

    Commentary: This standard concerns the initial capturing of digital evidence. In addition:
      • ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics, e.g. ensuring that the appropriate methods and tools are used properly.
      • ISO/IEC 27042 covers what happens after digital evidence has been collected, i.e. its analysis and interpretation.
      • ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
      • ISO/IEC 27050 (in 4 parts) concerns electronic discovery, which is pretty much what the other standards cover.
      • British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.
    I don’t understand why SC 27 maintains several distinct forensics standards, covering different aspects of forensics, when they are in reality complementary parts of the same process. A properly structured multi-part standard would make more sense to me, with an overview part explaining how the jigsaw pieces fit together.

  • ISO/IEC 27036-4 | ISO27001security

    ISO/IEC 27036-4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition)

    Abstract: ISO/IEC 27036 part 4 “provides cloud service customers and cloud service providers with guidance on (a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and (b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. [Part 4] does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. [Part 4] does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of [part 4] is to define guidelines supporting the implementation of information security management for the use of cloud services” [Source: ISO/IEC 27036-4:2016]

    Introduction: There are numerous information risks involved in the supply of cloud computing services: this standard encourages suppliers and customers to identify and address them, collaboratively in some cases.

    Scope: Part 4 guides the suppliers and customers of cloud services on information security management for cloud services.

    Structure: Main clauses:
      • 5: Key cloud concepts and security threats and risks
      • 6: Information security controls in cloud service acquisition lifecycle
      • 7: Information security controls in cloud service providers
      • Annex A: Information security standards for cloud providers
      • Annex B: Mapping to ISO/IEC 27017 controls

    Status: The current first edition of part 4 was published in 2016 and confirmed unchanged in 2022.

    Commentary: Part 4 explicitly describes the information risks that it addresses. Full marks! Various security controls are recommended to mitigate unacceptable risks, so in order to choose appropriate controls it helps to know what those risks are.

  • ISO/IEC 27036-3 | ISO27001security

    ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition)

    Abstract: ISO/IEC 27036 part 3 “provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains; b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services; c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002. [ISO/IEC 27036-3] does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.” [Source: ISO/IEC 27036-3:2023]

    Introduction: Part 3 guides both suppliers and acquirers of IT products (goods and services) on information risk management relating to complex supply chains, including risks such as malware and counterfeit products plus ‘organisational risks’, and the integration of information risk management into IT development lifecycles.

    Scope: Part 3 concerns a wide range of security controls for IT supply chains, such as:
      • Assurance;
      • Avoiding the gray-market;
      • Chain of custody (provenance and Software Bill of Materials);
      • Code assessment and verification;
      • Compliance management;
      • Configuration and change management;
      • Defined security expectations (specifications);
      • HR management;
      • IT implementation and transition;
      • IT integration;
      • ... and more ....
    Most of these controls are covered in general terms by ISO/IEC 27002: this standard provides additional guidance for their application in the context of supply and acquisition of IT products, e.g. maintaining a detailed SBoM (defined as an “inventory of software components, sub-components and dependencies with associated information”) to keep up with vulnerabilities and patches even in obscure library functions etc. buried deep within end products. The bulk of the standard provides information security guidance for ICT suppliers and acquirers, as a set of processes for each stage of the typical ICT system lifecycle. Annexes reference applicable clauses from ISO/IEC 27002 and describe the essential elements of an SBoM.

    Structure: Main clauses:
      • 5: Key concepts
      • 6: Hardware, software, and services supply chain security in life cycle processes
      • Annex A: Correspondence between the controls in ISO/IEC 27002 and [ISO/IEC 27036-3]
      • Annex B: Essential elements of a software bill of materials

    Status: The first edition of part 3 was published in 2013. The current second edition was published in 2023.

    Commentary: The standard is myopically focused on IT, e.g. it concerns IT services, specifically, rather than professional services in general, even though they often have significant information content and substantial information risks. Organisations should therefore consider their supply chain information risks broadly (e.g. theft of intellectual property, misrepresentation, misappropriation, fraud ...) as well as commercial, financial and other kinds of risks (including business continuity aspects such as supply chain disruptions). Aside from supplier-acquirer relationships, information risks associated with business partners may also be of concern, where multiple organisations combine their efforts in the production process - for example, the use of contractors on an IT production line. There may be yet more information risks in the logistics parts of the supply chain, plus related services such as installation, configuration, support and maintenance of IT equipment, commercial data centre facilities, communications services and more.

  • ISO/IEC 27036-2 | ISO27001security

    ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements (second edition)

    Abstract: ISO/IEC 27036 part 2 “specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, build-operate-transfer and cloud computing services ... To meet the requirements, it is expected that an organization has internally implemented a number of foundational processes or is actively planning to do so [such as] business management, risk management, operational and human resources management, and information security.” [Source: ISO/IEC 27036-2:2022]

    Introduction: The controls recommended in part 2 cover various aspects of governance and business management (e.g. operations, HR management, IT management, relationship management, metrics) as well as information risk management (e.g. information risk analysis and treatment, security controls specification, security architecture/design, strategy).

    Scope: Part 2 specifies fundamental information security requirements pertaining to business relationships between suppliers and acquirers of various products (goods and services). It helps them reach a common understanding of the associated information risks, and treat them accordingly, to their mutual satisfaction. The introduction explicitly states that part 2 is not for certification despite having “Requirements” in the title and “shall” in the content [these are normally reserved words in ISO-land].

    Structure: Main clauses:
      • 6: Information security in supplier relationship management
      • 7: Information security in a supplier relationship instance
      • Annex A: Correspondence between ISO/IEC/IEEE 15288 and this document
      • Annex B: Correspondence between ISO/IEC 27002 controls and this document
      • Annex C: Objectives from Clauses 6 and 7

    Status: The first edition of part 2 was published in 2014. Following changes in ISO/IEC 15288, the current second edition was published in 2022.

    Commentary: Although this is not intended to be a certifiable standard with formally-specified requirements that are mandatory for certification, wording along the lines of “The following minimum activities shall be executed by the acquirer to meet the objective defined at [a specific clause]” leaves little latitude for organisations to interpret, adapt and apply the standard according to their particular business situations and needs, despite an explanatory note: “The user of [ISO/IEC 27036-2] needs to correctly interpret each of the forms of the expression of provisions (e.g. “shall”, “shall not”, “should” and “should not”) as being either requirements to be satisfied or recommendations where there is a certain freedom of choice.” It comes down to the business and legal arrangements in place between supplier and acquirer as to how much ‘freedom of choice’ there is in interpreting and applying this standard. In the absence of explicit, perfectly worded, unambiguous and binding contractual clauses, lawyers smile wryly and rub their hands together ...

  • ISO/IEC 27036-1 | ISO27001security

    ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)

    Abstract
    ISO/IEC 27036 part 1 “is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. [ISO/IEC 27036] addresses perspectives of both acquirers and suppliers.” [Source: ISO/IEC 27036-1:2021]

    Introduction
    ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of IT products (goods and services) from suppliers. The standards avoid referring to selling and buying since the issues are much the same whether the transactions are commercial or not, e.g. when one part of an organisation or group acquires IT products from another, or uses free/open-source products.

    Scope
    Part 1 introduces all parts of this standard, providing general background information such as the key terms and concepts around information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”

    Structure
    Main clauses:
    5: Problem definition and key concepts
    6: Overall ISO/IEC 27036 structure and overview

    Status
    The first edition of part 1 was published and made available for free in 2014. The current second edition was published, initially for free, in 2021 but is no longer free, unfortunately.

    Commentary
    Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation - i.e. acquirers gaining access to suppliers’ internal information - is not explicitly mentioned in part 1 but is noted in part 2.] The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered, e.g. disclosure and theft of sensitive intellectual property.]

    Within the ISO27k information security standards, the products most obviously covered by ISO/IEC 27036 include:
    - IT outsourcing and cloud computing services;
    - Other professional services, e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;
    - Provision of ICT hardware, software and services including telecommunications and Internet services;
    - Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);
    - Electricity to power ICT equipment.

    The ISO/IEC 27036 standards therefore could cover:
    - Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;
    - Information risks such as:
      - Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);
      - Physical and logical access to and protection of second and third party information assets;
      - Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;
      - Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
      - Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;
      - ... and more.
    - Information security controls such as:
      - Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;
      - Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
      - Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;
      - Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
      - Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);
      - Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
      - A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
      - ... and more.
    - The entire relationship lifecycle:
      - Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;
      - Definition of requirements, including the information security requirements, of course;
      - Procurement, including evaluating, selecting and contracting with supplier/s;
      - Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;
      - Operation, including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;
      - Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
      - Termination and exit, i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.

    Some - but not all - of this is covered by ISO/IEC 27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

    This page last updated: 12 February 2026

  • ISO/IEC 27035-4 | ISO27001security

    ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination (first edition)

    Abstract
    ISO/IEC 27035 part 4 “provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response. The principles given in [ISO/IEC 27035-4] are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature. Organizations can adjust the guidance given in [ISO/IEC 27035-4] according to their type, sizes and nature of business in relation to the information security risk situation. [ISO/IEC 27035-4] is also applicable to an individual organization that participates in partner relationships.” [Source: ISO/IEC 27035-4:2024]

    Introduction
    Whereas managing routine information security incidents typically involves several departments or teams within an organisation, exceptional/major incidents (such as botnet or phishing attacks) require collaboration and coordination between the Incident Response Teams of several organisations, often in different countries. They may be affected or involved in various ways, e.g. Internet and cloud service providers, plus law enforcement, plus the targeted organisation/s.

    Scope
    Part 4 is about coordinating responses to major incidents with other implicated, involved or support organisations, such as cloud and network suppliers.

    Structure
    Main clauses:
    4: Overview
    5: Coordinated incident management process
    6: Guidelines for key activities of coordinated incident management
    Annex A: Examples of information security incident management coordination

    Status
    The current first edition was published in 2024.

    Commentary
    Part 4 "provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response. The principles given in this document are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature. Organizations can adjust the guidance given in this document according to their type, sizes and nature of business in relation to the information security risk situation. This document is also applicable to an individual organization that participates in partner relationships."

    This page last updated: 12 February 2026

  • ISO/IEC 27034-6 | ISO27001security

    ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies (first edition)

    Abstract
    ISO/IEC 27034 part 6 “provides usage examples of ASCs for specific applications. NOTE Herein specified ASCs are provided for explanation purposes only and the audience is encouraged to create their own ASCs to assure the application security.” [Source: ISO/IEC 27034-6:2016]

    Introduction
    Part 6 provides examples of how Application Security Controls (ASCs) might be developed and documented.

    Scope
    Part 6 concerns the handling of application security in the course of software development.

    Structure
    Main clauses:
    5: Security guidance for specific applications
    Annex A: XML examples for case studies in 5.2

    Status
    The current first edition of part 6 was published in 2016 and confirmed unchanged in 2022.

    Commentary
    Case studies demonstrate the feasibility of this highly structured, formal approach that is being used successfully by some major software developers.

    This page last updated: 12 February 2026

  • ISO/IEC 27035-3 | ISO27001security

    ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition)

    Abstract
    ISO/IEC 27035 part 3 “gives guidelines for information security incident response in ICT security operations. [ISO/IEC 27035-3] does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion ...” [Source: ISO/IEC 27035-3:2020]

    Introduction
    Part 3 concerns the 'security operations' elements in response to an IT incident.

    Scope
    Part 3 concerns the organisation and processes necessary for the information security function to prepare for, and respond to, IT security events and incidents - mostly active, deliberate attacks in fact.

    Structure
    Main clauses:
    5: Overview
    6: Common types of attacks
    7: Incident detection operations
    8: Incident notification operations
    9: Incident triage operations
    10: Incident analysis operations
    11: Incident containment, eradication and recovery operations
    12: Incident reporting operations
    Annex A: Example of the incident criteria based on information security events and incidents

    Status
    The current first edition of part 3 was published in 2020. After 5 years, the standard is now being reviewed by ISO/IEC JTC 1/SC 27 to decide whether it should be withdrawn, revised or retained as-is.

    Commentary
    The standard’s title contains a commonplace but unexpanded abbreviation: ICT. Plain old "IT" has included communications and networking for decades, so I'm not sure why anyone feels the need for the C.

    This page last updated: 12 February 2026

© 2026 IsecT Limited 
