Search Results

Back Up Next ISO/IEC 27032 ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition) Up Abstract ISO/IEC 27032 "provides: an explanation of the relationship between Internet security, web security, network security and cybersecurity; an overview of Internet security; identification of interested parties and a description of their roles in Internet security; high-level guidance for addressing common Internet security issues. [ISO/IEC 27032] is intended for organizations that use the Internet.” [Source: ISO/IEC 27032:2023] Introduction ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”. Scope The abstract above covers the scope and purpose. The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses rather than the more extreme spooky threats of concern in the governmental and defence domain. Structure Main clauses: 5: Relationship between Internet security, web security, network security and cybersecurity. 6: Overview of Internet security. 7: Interested parties. 8: Internet security risk assessment and treatment. 9: Security guidelines for the Internet. Annex A: Cross-references between this standard and ISO/IEC 27002 . The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022 i.e.: 25 Organizational controls; 2 People controls; 0 Physical controls*; and 23 Technological controls. * It doesn't explicitly cover physical security for network cabling and equipment, nor the range and remote access concerns with wireless networking. Status The first edition was published in 2012 . The current second , thoroughly revised edition was published in 2023 . Commentary FWIW see also ISO/IEC TS 27100 . Since the term emerged in 1990, “cyber” as in “cybersecurity” has gradually become buzzword, buzzier than a hive fully of excited honeybees, and yet doubts and disagreements over what it actually means persists. SC 27 had the opportunity to clarify cyber-related terms when revising this standard but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020 vis “safeguarding of people, society, organizations and nations from cyber risks. Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define "cyber" or “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition were simply dropped. Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers. If those are your only concerns relating to the Internet, well it appears you have led a very sheltered life ... Up Up Up This page last updated: 12 February 2026

Back Up Next ISO/IEC 27036-3 ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition) Up Abstract ISO/IEC 27036 part 3 “provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains; b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services; c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002. [ISO/IEC 27036-3] does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.” [Source: ISO/IEC 27036-3:2023 ] Introduction Part 3 guides both suppliers and acquirers of IT products (goods and services) on information risk management relating to complex supply chains, including risks such as malware and counterfeit products plus ‘organisational risks’, and the integration of information risk management into IT development lifecycles. Scope Part 3 concerns a wide range of security controls for IT supply chains, such as: Assurance; Avoiding the gray-market; Chain of custody (provenance and S oftware B ill o f M aterials); Code assessment and verification; Compliance management; Configuration and change management; Defined security expectations (specifications); HR management; IT implementation and transition; IT integration; ... and more .... Most of these controls are covered in general terms by ISO/IEC 27002 : this standard provides additional guidance for their application in the context of supply and acquisition of IT products e.g. maintaining a detailed SBoM (defined as an “inventory of software components, sub-components and dependencies with associated information ”) to keep up with vulnerabilities and patches even in obscure library functions etc . buried deep within end products. The bulk of the standard provides information security guidance for ICT suppliers and acquirers, as a set of processes for each stage of the typical ICT system lifecycle. Annexes reference applicable clauses from ISO/IEC 27002 and describe the essential elements of an SBoM. Structure Main clauses: 5: Key concepts 6: Hardware, software, and services supply chain security in life cycle processes Annex A: Correspondence between the controls in ISO/IEC 27002 and [ISO/IEC 27036-3] Annex B: Essential elements of a S oftware B ill o f M aterials Status The first edition was published in 2013 . The current second edition was published in 2023 . Commentary The standard is myopically focused on IT e.g. it concerns IT services, specifically, rather than professional services in general, even though they often have significant information content and substantial information risks. Organisations should therefore consider their supply chain information risks broadly (e.g. theft of intellectual property, misprepresentation, misappropriation, fraud ...) as well as commercial, financial and other kinds of risks (including business continuity aspects such as resilience to supply chain disruptions by minimising critical dependencies). Aside from supplier-acquirer relationships, information risks associated with business partners may also be of concern, where multiple organisations combine their efforts in the production process - for example, the use of contractors on an IT production line. There may be yet more information risks in the logistics parts of the supply chain, plus related services such as installation, configuration, support and maintenance of IT equipment, commercial data centre facilities, communications services and more. Up Up Up This page last updated: 22 February 2026

Back Up Next ISO/IEC 27018 ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition) Up Abstract ISO/IEC 27018 "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, [ISO/IEC 27018] specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services ... The guidelines in [ISO/IEC 27018] can also be relevant to organizations acting as PII controllers.” [Source: ISO/IEC 27018:2025] Introduction This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing P ersonally I dentifiable I nformation entrusted to them. See also ISO/IEC 27017 covering the wider information security angles of cloud computing, aside from privacy. The standard development project had widespread support from national standards bodies plus the C loud S ecurity A lliance . Scope ISO/IEC 27018 intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001 , or as a guidance document for organisations for implementing commonly accepted PII protection controls” . The standard is primarily concerned with public-cloud computing service providers processing PII . “A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [according to the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls. The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors. ISO/IEC 27000 , ISO/IEC 27001 and ISO/IEC 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788:2014 “Cloud computing - overview and vocabulary” (withdrawn - replaced by ISO/IEC 22123-1:2023 , a legitimate free download from ISO) and ISO/IEC 29100 “Privacy framework” (another free download!). Structure Main clauses: 4: Overview 5: Organizational controls 6: People controls 7: Physical controls 8: Technological controls Annex A: Public cloud PII processor extended control set for PII protection Annex B: Correspondence between this document and the first edition ISO/IEC 27018:2019 Status The first edition was published in 2014 . The second edition (a minor revision) was published in 2019 . The current third edition was published in 2025 , having been updated to reflect ISO/IEC 27002:2022 and offering an ‘extended control set’ aligned with ISO/IEC 29100:2024 Commentary The standard builds on ISO/IEC 27002 , expanding on its generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations around the globe. In most sections, it simply says: “The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply.” The expansions or additions are straightforward - no surprises here. Up Up Up This page last updated: 11 February 2026

Back Up Next ISO/IEC 27050-1 ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition) Up Abstract “Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding. [ISO/IEC 27050-1] provides an overview of electronic discovery ...” [Source: ISO/IEC 27050-1:2019 ] Introduction The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls in compliance with local laws, regulations and established practices, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions. Scope Part 1 gives an overview of eDiscovery, defines the terms, concepts, processes etc . (such as E lectronically S tored I nformation), and introduces this multi-part standard. Structure Main clauses: 5: Overall structure and overview of the ISO/IEC 27050 series 6: Overview of electronic discovery 7: E lectronically S tored I nformation (ESI ) 8: Electronic discovery process 9: Additional considerations Status The first edition was published in 2016 . The current second edition was published in 2019 . Commentary This multi-part standard concerns the discovery phase, specifically the discovery of E lectronically S tored I nformation, a legal term-of-art meaning (in essence) forensic evidence in the form of digital data. Electronic discovery (eDiscovery) involves the following main steps: Identification: ESI that is potentially relevant to a case is identified, along with its locations, custodians, sizes/volumes etc. This can be more complex than it may appear, for instance involving information assets belonging not just to the individual suspects but also their employers, friends and other organisations such as phone companies and the suppliers of services such as email and Internet access (ISPs), even social media. Operational/online data, backups and archives may all contain relevant data. Often, this phase is time-critical since potential evidence (especially ephemeral operational data) may be spoiled or destroyed before it has been captured and preserved; Preservation: the identified, potentially relevant ESI is placed under a legal hold, starting the formalized forensic process designed to ensure, beyond doubt, that they are protected through the remaining steps against threats such as loss/theft, accidental damage, deliberate interference/manipulation and replacement/substitution, any of which might spoil, discredit and devalue the data, perhaps resulting in the ESI being ruled inadmissible or simply becoming unusable. The legal hold is essentially a formal obligation on the custodian not to interfere with or delete the ESI. Note: this may have implications on live systems since their continued operation may spoil the ESI; Collection: the ESI is collected from the original custodian, typically by physically removing the original digital storage media (hard drives, memory sticks and cards, CDs, DVDs, whatever) and perhaps associated physical evidence (such as devices, media storage cases, envelopes etc . that might have fingerprints or DNA evidence linking a suspect to the crime) into safe custody. In the case of Internet, cloud or other dispersed and ephemeral data including RAM on a running system, it may be impracticable or impossible to secure the data by capturing physical media, hence the data rather than the media may need to be captured directly in a forensically sound manner. Note: the original evidence may later be produced in court hence all subsequent forensic analysis must be performed in such a way that there is no credible possibility that it might have been spoiled e.g. by analysing bit-copies made with suitable forensic tools and methods rather than the original evidence itself. Note also that physically removing systems and media into the custody of a third party could itself be classed as an information security incident with clear implications on the confidentiality, integrity and availability of the information, particularly since, at this stage, the case is not proven: in other words, liabilities may be accumulating; Processing: forensic bit-copies are stored in a form that allows them to be searched or analysed for information that is relevant to the case, using suitable forensic tools and platforms. Sifting out the few vital bits of data from a much larger volume typically collected is the crux of this step; Review: forensic bit-copies are searched or analysed for information that is relevant to the case; Analysis: the information is further analysed and assessed as to its relevance, suitability, weight, meaning, implications etc. Useful information is gleaned from the selected data; Production: relevant information from the analysis, plus the original storage media etc. , is formally presented to the court as evidence. This inevitably involves demonstrating and explaining the meaning of the evidence in terms that make sense to the court. Hopefully, something along the lines of “I state, under oath, that we complied fully with ISO/IEC 27050” will, in future, side-step a raft of challenges concerning the eDiscovery processes! Up Up Up This page last updated: 22 February 2026

Back Up Next ISO/IEC 27050-3 ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition) Up Abstract ISO/IEC 27050 part 3 “provides requirements and recommendations on activities in electronic discovery, including, but not limited to, identification, preservation, collection, processing, review, analysis and production of electronically stored information (ESI). In addition, this document specifies relevant measures that span the lifecycle of the ESI from its initial creation through to final disposition. [Part 3] is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities. It is important to note that the user is expected to be aware of any applicable jurisdictional requirements.” [Source: ISO/IEC 27050-3:2020 ] Introduction Part 3 of ISO/IEC 27050 identifies requirements and offers guidance on the seven main steps of eDiscovery noted in part 1 i.e . ESI: Identification - what information from/at a crime scene might be relevant and useful? Preservation - starting the chain of evidence. Collection - removing physical media etc, Processing - forensic bit-copies. Review - searching evidence for relevant info. Analysis - picking out the most weighty bits for court. Production - preparing to present evidence+analysis in court. Scope The structured processes involving E lectronically S tored I nformation. Structure Main clauses: 5: Electronic discovery background 6: Electronic discovery requirements and guidance Status The first edition was published in 2017 . The current second edition was published in 2020 . Commentary Part 3 is, essentially, a basic, generic how-to-do-it guide laying out the key elements that will no doubt form the basis of many digital forensics manuals. While full-time forensics specialists have their own well-practiced procedures, training, forms, tools etc. , corporate information security pro's who only get involved occasionally in this area may benefit from preparing the basics to get the process started properly, even if the management decision is soon made to call in eForensics specialists. If things are fouled-up at the beginning, they are unlikely to be recoverable later on, compromising potentially valid cases. Up Up Up This page last updated: 22 February 2026

Back Up Next ISO/IEC 27557 ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition) Up Abstract ISO/IEC 27557"provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. [ISO/IEC 27557] provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: organizational consequences of adverse privacy impacts on individuals; and organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. [ISO/IEC 27557] assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization.” [Source: ISO/IEC 27557:2022] Introduction This standard advises on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management . It supports the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards - particularly ISO 31000 of course plus ISO/IEC 29134 and ISO/IEC 27005 . The standard distinguishes information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasizing difference in the respective risk management activities. Having said that, there are clearly significant overlaps: ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information; Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities; Many privacy-related controls are information security controls e.g. identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability; Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence; Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital). Scope The standard advises using ISO 31000 “Risk management - Guidelines” to manage privacy risks, aiding the integration of privacy risks into the organisation’s overall risk management. Structure Main clauses: 4: Principles of organizational privacy risk management 5: Framework 6: Risk management process Annex A: PII processing identification Annex B: Example privacy events and causes Annex C: Privacy impact and consequence examples Annex D: Template showing the severity scale for privacy impacts on individuals Status The current first edition was published in 2022 . Commentary When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf in a custodianship role ... which differs from the usual solely corporate perspective of information risk management. There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information they handle, and society at large. The standard does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact. Up Up Up This page last updated: 12 February 2026

Back Up Next ISO/IEC TR 27016 ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition) Up Abstract “ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.” [Source: ISO/IEC TR 27016:2014] Introduction There are substantial economic, financial and resourcing aspects to the management of information risks and security controls. Scope The ISO catalogue says ISO/IEC TR 27016 “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.” Structure Main clauses: 6: Information security economic factors - investment aspects 7: Economic objectives - asset values 8: Balancing information security economics for I nformation S ecurity M anagement - cost-benefit analysis Annex A: Identifcation of stakeholders and objectives for setting values Annex B: Economic decisions and key cost decision factors Annex C: Economic models appropriate for information security Annex D: Business cases calculation examples Status The current first edition was published in 2014 as a T echnical R eport since this was deemed a developing field of study. Evidently the field has not developed significantly (and I guess the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members. Commentary Some generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000 . Up Up Up This page last updated: 11 February 2026

Back Up Next ISO/IEC TS 27115-2 ISO/IEC TS 27115-2 — Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 2: Security architecture evaluation Up Abstract ?? Introduction ?? Scope [ISO/IEC TS 27115-2] provides a framework to evaluate the cybersecurity of complex systems, including systems of systems, based on ISO/IEC TS 27115-1. The framework uses basic architecture concepts to support model-based, comprehensive and scalable security solutions and their evaluation. Structure ?? Status Part 2 is due out in 2028. It is currently at W orking D raft stage. Commentary TBA Up Up Up This page last updated: 2 April 2026

Back Up Next ISO 27799 ISO 27799:20 25 — Health informatics — Information security controls in health using ISO/IEC 27002 (third edition) Up Abstract ISO 27799:2025 "contains a set of information security controls for health organizations. It considers all the controls in ISO/IEC 27002:2022 and, in some cases, supplements the controls or provides guidance on their application in health. There are also some additional controls specific to health which are not derived from any in ISO/IEC 27002:2022 ” [Source: ISO 27799:2025 ] Introduction This standard offers guidance on information security controls applicable to the health industry and medical-related organisations of various kinds - hospitals, labs, surgeries, medical insurers, medical device suppliers etc. Information security controls are appropriate to mitigate unacceptable risks to the confidentiality, integrity and availability of: Personal information, including private health information and safety-related time-sensitive information; Health-related information provided by or released to third parties such as lab test results, medical histories/records and research studies; Data processed by medical devices such as electronic heart monitors, pacemakers and various scanners. Healthcare companies also face risks associated with non-health commercial information in any business, such as the information used for financial, personnel and commercial management. Furthermore, they are required to comply with various laws, regulations, standards and codes, some of which relate to information security, privacy, safety, essential infrastructure services etc . Although not explicitly excluded from the scope, such areas are not the focus of ISO 27799. Scope The standard helps medical/healthcare-related organisations, plus professionals working for them on information risk, security, privacy and related matters (including assurance), interpret and apply information security controls from ISO/IEC 27002 (with some extensions) plus ISO 81001-1 Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts and other cited references. Structure Main clauses: 4 - General 5 - Organizational controls 6 - People controls 7 - Physical controls 8 - Technological controls Annex A - Information security controls for health reference (checklist?) Annex B - Correspondence between the second and third editions of ISO 27799 Annex C - Information security in health organizations (overview?) Annex D - Example infosec and privacy requirements (risks?) mapped to controls Status The first edition was published in 2008 . It was developed by ISO/TC215 Health informatics , not ISO/IEC JTC 1/SC 27, based on ISO/IEC 17799:2005. The second edition, updated to reflect ISO/IEC 27001:2013 and ISO/IEC 27002:2013 , was published in 2016 . The current third edition was published in 2025 . It was updated for ISO/IEC 27002:2022 , and is now focused on the information security controls, omitting the ISO/IEC 27001 I nformation S ecurity M anagement S ystem aspects from the previous edition. Commentary Unfortunately I don't have access to the content of this standard so have nothing substantial to add beyond the general information provided publically on ISO.org . However, speaking as a former phamaceuticals infosec pro, I wonder how much of the medical supply chain is in-scope e.g. are pharmaceuticals suppliers covered, given that they accumulate, generate, process, use, manage and disclose often sensitive commercial and technical information on drugs including clinical trials, extremely valuable intellectual property and, of course, safety-critical information about drug use and efficacy? Pharmacies and pharmacists? And as a former microbial geneticist, what about medical-related research on, say, infectious diseases such as COVID? What about public health and statistical information on disease outbreaks, 'cancer clusters', obesity etc., or the effectiveness and side effects of various treatments (not just conventional, approved drugs - 'alternative therapies' such as homeopathy, herbalism and self-administed narcotics spring to mind here)? Forensic pathology? Councelling? Rehabilitation? Smart prosthetics ? Gyms and sports coaches? And then what about animal health e.g . veterinarians? Non-human animals' privacy may be of no concern to humans but again there are commercial, healthcare and safety aspects. Bottom line: this standard may have some application and value way beyond its stated scope. Maybe not. If you are involved in any way with the intersection of health and information, I suggest taking a good look at this standard. Up Up Up This page last updated: 12 February 2026