- ISO/IEC TS 27568 | ISO27001security
ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL]

Abstract
??

Introduction
Digital twins are essentially analogues: realistic models of real-world situations, used for various purposes.

Scope
The standard will address the security and privacy implications of digital twins, supporting other digital twinning standards as the field develops at pace.

Structure
??

Status
Currently (2025) at Preliminary Work Item stage. Publication of the Technical Specification is planned for 2028.

Commentary
Blank look.

This page last updated: 19 November 2025
- ISO/IEC 27019 | ISO27001security
ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)

Abstract
ISO/IEC 27019 “provides information security controls for the energy utility industry, based on ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
- digital controllers and automation components such as control and field devices or programmable logic controllers (PLCs), including digital sensor and actuator elements;
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
- communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote-control technology;
- Advanced metering infrastructure (AMI) components, e.g. smart meters;
- measurement devices, e.g. for emission values;
- digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
- energy management systems, e.g. for distributed energy resources (DER), electric charging infrastructures, and for private households, residential buildings or industrial customer installations;
- distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
- all software, firmware and applications installed on above-mentioned systems, e.g. distribution management system (DMS) applications or outage management systems (OMS);
- any premises housing the abovementioned equipment and systems;
- remote maintenance systems for abovementioned systems.” [Source: ISO/IEC 27019:2024]

Introduction
This standard is intended to help organisations in “the energy utility industry” (such as conventional/non-nuclear electricity generators, plus suppliers of gas, oil and heating) to interpret and apply ISO/IEC 27002 in order to secure their industrial process control systems, i.e. their Operational Technology (OT) as opposed to Information Technology (IT).

Scope
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems plus their associated safety and environmental criticality make some aspects particularly challenging for energy utilities. The standard therefore provides additional, more specific guidance on information security controls than the generic advice in ISO/IEC 27002, tailored to the specific context of process control systems used by energy utilities for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

Note: given its unique risks, the scope of ISO/IEC 27019 explicitly excludes process control in nuclear facilities. See instead (for example) IEC 63096 “Nuclear power plants - Instrumentation, control and electrical power systems - Security controls”.

Structure
ISO/IEC 27019 complements and must be read in conjunction with ISO/IEC 27002. It is aligned with ISO/IEC 27002:2022 but does not incorporate the content of ISO/IEC 27002. A dozen additional controls are offered for the energy sector.

The standard notes in clause 0.4: “In addition to the controls provided by a comprehensive information security management system, [ISO/IEC 27019] provides additional assistance and sector-specific measures for the process control systems used by the energy utility sector, taking into consideration the special requirements in these environments. If necessary, further controls can be developed to fulfil particular requirements. The selection of controls depends upon the decisions taken by the organization on the basis of its own risk acceptance criteria, the options for dealing with the risk and the general risk management approach of the organization. NOTE National and international law, legal ordinances and regulations can apply.”

Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control/OT as well as general commercial systems, networks and processes, plus ISO/IEC 27005 concerning the management of information risk.

Status
A preliminary edition was published as a Technical Report in 2013 by fast-tracking the German standard DIN SPEC 27009:2012-04, based on ISO/IEC 27002:2005. The first International Standard was published in 2017, based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC 45A standards (IEC 62645). A corrigendum to replace a stray “should” with a “shall” in the annex was published to critical acclaim in 2019. Hurrah! Crisis averted! The corrected standard was confirmed unchanged in 2022 ... but then was revised anyway to reflect the themed restructure and controls resequence of ISO/IEC 27002:2022, adding 12 suggested “ENR” controls to the 93 in ISO/IEC 27002:2022. The second edition was published in 2024.

Commentary
The global energy industry has long had a strong safety culture, since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are painfully apparent (Bhopal, Three Mile Island, Chernobyl, Exxon Valdez, Deepwater Horizon, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental obligations, both in terms of its own operations, the upstream primary industries (e.g. mining) and the downstream impacts of some of its products.

Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
- Threats such as natural disasters and deliberate attacks (sabotage) from hackers, Advanced Persistent Threats, spies and spooks, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electromechanical failures, malware/ransomware, social engineers etc.;
- Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to a panoply of cyber-threats, including those resulting from design flaws and bugs in software, especially if they are not well designed, managed and maintained (e.g. security patching is distinctly challenging on safety-critical systems, given the need for assurance that patches do not harm safety); and
- Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks).

Energy utilities, both public and private, are generally classed as part of the critical national infrastructure (e.g. under NIS 2 in Europe) due to their obvious strategic significance. With an extremely high level of automation, the energy industry relies heavily on OT, principally electronic process control systems such as Programmable Logic Controllers (PLCs), the Industrial Internet of Things (IIoT), Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA), plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations in a modern plant, for example, depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control challenging and costly. In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national, if not international, repercussions.

This page last updated: 19 November 2025
- ISO/IEC 27556 | ISO27001security
ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)

Abstract
ISO/IEC 27556 “provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.” [Source: ISO/IEC 27556:2022]

Introduction
The standard lays out a “user-centric framework” (an architecture) to handle personal information in a controlled manner, in accordance with privacy-by-design and other requirements of applicable privacy laws and regulations. It outlines a mechanism for organisations handling personal data to comply with data subjects’ privacy requirements, even as those organisations share and collaborate on processing the data.

Scope
The standard describes a generic high-level system architecture without specifying the content and format of privacy preference information. The architecture, in turn, informs the design and implementation of IT systems handling personal information and communicating it between organisations, while managing the privacy preferences of data subjects (known as ‘PII principals’ in the standard, i.e. the people whose personal information is being handled). The standard expands upon ISO/IEC 29100’s “Privacy framework”.

Structure
Main sections:
- 5: User-centric framework for handling PII
- 6: Requirements and recommendations for the Privacy Preference Manager (PPM, defined as a “component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences” - normally an IT system component, not a person)
- 7: Further considerations for the PPM in a Privacy Information Management System
- Annex A: Use cases of PII handling based on privacy preferences
- Annex B: Identifying an actor serving as a component for each example service
- Annex C: Guidance on configuration of privacy preferences management
- Annex D: Supporting the design of a privacy preference management

Status
The current first edition was published in 2022.

Commentary
I appreciate the intent to standardise the handling and management of users’ privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems and companies to exploit every scrap of personal information they can obtain, it may take even stronger pressure from regulators and legislators on behalf of private individuals to see this widely adopted in practice. So, watch this space.

This page last updated: 19 November 2025
- ISO/IEC 27036-1 | ISO27001security
ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition)

Abstract
ISO/IEC 27036 part 1 “is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. [ISO/IEC 27036] addresses perspectives of both acquirers and suppliers.” [Source: ISO/IEC 27036-1:2021]

Introduction
ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of IT products (goods and services) from suppliers. The standards avoid referring to selling and buying, since the issues are much the same whether the transactions are commercial or not, e.g. when one part of an organisation or group acquires IT products from another, or uses free/open-source products.

Scope
Part 1 introduces all parts of this standard, providing general background information such as the key terms and concepts around information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”

Structure
Main sections:
- 5: Problem definition and key concepts
- 6: Overall ISO/IEC 27036 structure and overview

Status
The first edition of part 1 was published and made available for free in 2014. The second edition was published in 2021 but is no longer free, unfortunately.

Commentary
Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where the goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation, i.e. acquirers gaining access to suppliers’ internal information, is not explicitly mentioned in part 1 but is noted in part 2.]

The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered, e.g. disclosure and theft of sensitive intellectual property.]

Within the ISO27k information security standards, the products most obviously covered by ISO/IEC 27036 include:
- IT outsourcing and cloud computing services;
- Other professional services, e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;
- Provision of ICT hardware, software and services, including telecommunications and Internet services;
- Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);
- Electricity to power ICT equipment.

The ISO/IEC 27036 standards therefore could cover:
- Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;
- Information risks such as:
  - Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);
  - Physical and logical access to and protection of second and third party information assets;
  - Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;
  - Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
  - Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;
  - ... and more.
- Information security controls such as:
  - Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;
  - Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
  - Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;
  - Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
  - Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);
  - Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
  - A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
  - ... and more.
- The entire relationship lifecycle:
  - Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;
  - Definition of requirements, including the information security requirements, of course;
  - Procurement, including evaluating, selecting and contracting with supplier/s;
  - Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;
  - Operation, including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;
  - Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
  - Termination and exit, i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.

Some - but not all - of this is covered by ISO/IEC 27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

This page last updated: 19 November 2025
- ISO/IEC 27034-7 | ISO27001security
ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition)

Abstract
ISO/IEC 27034 part 7 “describes the minimum requirements when the required activities specified by an Application Security Control (ASC) are replaced with a Prediction Application Security Rationale (PASR). The ASC mapped to a PASR define the Expected Level of Trust for a subsequent application. In the context of an Expected Level of Trust, there is always an original application where the project team performed the activities of the indicated ASC to achieve an Actual Level of Trust. The use of Prediction Application Security Rationales (PASRs), defined by [ISO/IEC 27034-7], is applicable to project teams which have a defined Application Normative Framework (ANF) and an original application with an Actual Level of Trust. Predictions relative to aggregation of multiple components or the history of the developer in relation to other applications is outside the scope of [ISO/IEC 27034-7].” [Source: ISO/IEC 27034-7:2018]

Introduction
Part 7 specifies a framework to deliver the assurance necessary to place trust in a computer program’s security arrangements, for example:
- When one program (such as an application) relies on another (e.g. a database management system, utility, operating system or companion program) to perform critical security functions (such as user authentication, logical access control or cryptography), or
- When an organisation updates or patches a trusted program.

Scope
Specifies minimum requirements when the required activities specified by an Application Security Control are replaced with a Prediction Application Security Rationale. The ASC mapped to a PASR defines the Expected Level of Trust for a subsequent application. The use of PASRs is applicable to project teams which have a defined Application Normative Framework and an original application with an Actual Level of Trust.

Structure
Main sections:
- 5: Prediction concepts
- 6: Predictions
- 7: Substantial changes
- 8: Confidence
- 9: Prediction application security rationale
- 10: PASR audit
- 11: PASR verification
- 12: PASR implementation
- 13: Expected level of trust report
- Annex A: Expected level of trust assurance case
- Annex B: Comparison of ASC to PASR

Status
The current first edition of part 7 was published in 2018 and confirmed unchanged in 2023.

Commentary
The language in part 7 is decidedly formal and stilted (e.g. “An application security claim is a claim that the application team implemented certain security controls and those controls mitigate specific security risks to an acceptable level. A security prediction is the transfer of confidence in the original claim to a claim that the same security controls are also present in a subsequent version of the application and mitigate, to the same acceptable level, the same specific security risks.” - got that?). It falls a long way short of ISO’s guidance on plain English.

This page last updated: 19 November 2025
- ISO/IEC TR 27550 | ISO27001security
ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)

Abstract
ISO/IEC TR 27550 “provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into system life cycle processes. ...” [Source: ISO/IEC TR 27550:2019]

Introduction
‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

Scope
This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

Structure
Main sections:
- 5: Privacy engineering
- 6: Integration of privacy engineering in ISO/IEC/IEEE 15288
- Annex A: Additional guidance for privacy engineering objectives
- Annex B: Additional guidance for privacy engineering practice
- Annex C: Catalogues
- Annex D: Examples of risk models and methodologies

The standard:
- Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.;
- Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;
- Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;
- Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

Status
The current first edition was published as a Technical Report in 2019.

Commentary
The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not limited to the technology.

This page last updated: 19 November 2025
- ISO/IEC 27034-5 | ISO27001security
ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition)

Abstract
ISO/IEC 27034 part 5 “outlines and explains the minimal set of essential attributes of Application Security Controls (ASCs) and details the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM).” [Source: ISO/IEC 27034-5:2017]

Introduction
The ability to share and reuse properly specified, developed and assured application security functions is a powerful, efficient and effective approach to software development.

Scope
Part 5 facilitates the establishment of libraries of reusable application security functions that may be shared both within and between organisations.

Structure
Main sections:
- 5: Application Security Control Structure
- 6: Application Security Life Cycle Reference Model
- 7: ASC Package

Status
The current first edition of part 5 was published in 2017 and confirmed unchanged in 2023.

Commentary
Part 5 facilitates the implementation of the ISO/IEC 27034 application security framework and the communication and exchange of ASCs by defining a formal structure for ASCs and certain other components of the framework. It defines the Application Security Controls data structure, providing requirements, descriptions, graphical representations and an XML schema for the data model. The XML schema, based on ISO/TS 15000 “Electronic business eXtensible Markup Language (ebXML)”, is designated as the standard interchange format for ASCs. It lays out a minimal set of essential attributes of ASCs and the Application Security Life Cycle Reference Model.

Note: the accompanying standard ISO/IEC TS 27034-5-1:2018 — Information technology — Security techniques — Application security — Part 5-1: Protocols and application security controls data structure, XML schemas (first edition) “defines XML Schemas that implement the minimal set of information requirements and essential attributes of ASCs and the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM) from ISO/IEC 27034-5.” [Source: ISO/IEC TS 27034-5-1:2018]

This page last updated: 19 November 2025
- ISO/IEC 27091 | ISO27001security
ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]

Abstract
[ISO/IEC 27091] “provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems, including machine learning (ML) models. [ISO/IEC 27091] helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences and treatment of such risks. ...” [Source: ISO/IEC 27091 Draft International Standard]

Introduction
By gathering and processing substantial quantities of information (maybe even ‘big data’), AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people, or inferring sensitive details - unless appropriate privacy arrangements are made.

Scope
The standard applies to all manner of organisations that develop or use AI systems. The focus is on mitigating privacy risks by integrating suitable privacy controls into the design of AI/Machine Learning systems. Business decisions about whether it is even appropriate to design, build, use and connect AI systems and services at all, plus general considerations for information risk and security management (e.g. ensuring data accuracy plus system/services resilience, and dealing with incidents), are largely or completely out of scope.

Structure
Main sections:
- 5: Framework for privacy analysis of AI systems - gives an overview of the classical information risk management process, i.e. identify, analyse, evaluate and treat privacy risks.
- 6: Privacy of AI models - discusses a few well-known AI system privacy threats (modes of attack that are relevant to privacy, e.g. membership inference, training data extraction, poisoning, model inversion, insider risk ...) with generic advice on mitigating controls (e.g. limiting access, anonymisation and pseudonymisation, input and output filtering).
- 7: Privacy in AI system lifecycle - privacy engineering.
- Annex A: Additional information for privacy analysis of AI systems.
- Annex B: Use case template

Status
The standard development project started in 2023. The standard is essentially complete, presently at Draft International Standard stage, with national standards bodies due to vote before the end of February 2026. It looks likely to be published during 2026.

Commentary
The standard’s risk-based approach makes sense, but (as with so much AI security-related work at the moment) the scope, focus or perspective feels rather academic and constrained to me. The standard does not, in my admittedly jaundiced opinion, adequately address or acknowledge the bigger picture here, e.g.:
- Broader aspects of information risk and security management such as strategies, policies, architectures, compliance, change and incident management, including the extent to which those activities address privacy, specifically [the standard refers to ISO/IEC 27090 for this - currently also in draft];
- ‘Classical’ information risks, threats, attacks, vulnerabilities, impacts and consequences that just happen to involve AI, such as smart phishing, smart malware, smart fraud, smart piracy etc. using AI systems, services and tools for nefarious purposes including coercion, misinformation and disinformation - with incidental and indirect rather than central and direct privacy implications;
- Societal aspects such as the continued erosion of trust and control over our personal information as it is increasingly being demanded, requested, gathered, shared and exploited, including by various authorities, both openly and covertly, systematically, at scale;
- The longstanding disparity of privacy approaches between most of the world (with GDPR and OECD guidance essentially giving individuals rights to retain ownership and control of their own personal information in perpetuity), and the USA in particular (where it seems personal information can be gathered, shared and exploited commercially by whoever holds it, similarly to other types of information, with little reference to the individuals concerned);
- Compliance, commercial, technological and practical implications if, say, the individuals whose personal information has been used for model training decide to withdraw their consent and (under GDPR) insist that their information is deleted and no longer used, or insist on corrections being made;
- Innovation and novelty of all this, meaning that collectively we have quite a journey ahead towards maturity, with anticipated and surprising incidents (‘learning points’) likely along the way - such as people naively building and using advanced AI systems without reference to applicable laws, regulations, policies and practices (‘shadow AI’), and the race towards Artificial General Intelligence;
- Commercial aspects such as the intense competition within the AI industry, and what will happen with potentially valuable AI models, big data and metadata if AI companies implode or are taken over, possibly but not necessarily just when the AI bubble bursts.

However, the standard does usefully discuss the use of AI to support:
- Privacy consent management and control;
- Privacy-Enhancing Technologies such as cryptographic authentication, encryption and anonymisation, pseudonymisation and data minimisation (a nod towards risk avoidance);
- Privacy assurance such as auditing, monitoring, detecting and responding to privacy violations;
- Security for AI models and federated learning, including access control and identity management;
- Natural Language Processing for data privacy policies.

This page last updated: 6 December 2025
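Clause 6 of the draft lists pseudonymisation among the controls against the model-side threats, and it is worth being concrete about what does and does not count as pseudonymisation before identifiers reach a training set. The Python below is an added example written for this page; it is not text or code from ISO/IEC 27091 or from ISO27001security. It pseudonymises constructed, made-up e-mail addresses first with a plain SHA-256 hash and then with an HMAC under a secret key held by the PII controller, and runs the enumeration attack that re-identifies the former but not the latter. The per-recipient key derivation (HMAC of a recipient name under a master key) is an assumed scheme for illustration, as are the record fields and the candidate list the attacker guesses from.

```python
import hashlib
import hmac
import secrets

# Constructed sample of records a model-training pipeline might ingest.
# The addresses are made up for this example; they are not real PII.
TRAINING_RECORDS = [
    {"email": "alice@example.org", "churned": 1},
    {"email": "bob@example.org", "churned": 0},
    {"email": "carol@example.org", "churned": 1},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks opaque, but anyone who can
    enumerate the input space can recompute it, so it is not pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the PII controller.
    Without the key, a guessed identifier cannot be turned into its pseudonym."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def recipient_key(master_key: bytes, recipient_id: str) -> bytes:
    """Assumed scheme: derive a distinct key per data recipient as the HMAC of
    the recipient name under the master key, so two recipients holding copies
    of the same person's records cannot link them by pseudonym."""
    return hmac.new(master_key, recipient_id.encode("utf-8"), hashlib.sha256).digest()


def pseudonymise_records(records, pseudonymise):
    """Replace the direct identifier with its pseudonym before the records
    leave the controller for training or sharing."""
    return [{"subject": pseudonymise(r["email"]), "churned": r["churned"]} for r in records]


def reidentify(pseudonyms, candidate_identifiers, pseudonymise):
    """Enumeration attack: the attacker pseudonymises every identifier it can
    guess and looks for matches in the released data set."""
    table = {pseudonymise(c): c for c in candidate_identifiers}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    # The attacker's guess list: plausible addresses at the same domain.
    candidates = [f"{u}@example.org" for u in ("alice", "bob", "carol", "dave", "erin")]

    # Naive scheme: every released record is recovered.
    naive = pseudonymise_records(TRAINING_RECORDS, naive_pseudonym)
    hit_naive = reidentify([r["subject"] for r in naive], candidates, naive_pseudonym)

    # Keyed scheme: the attacker, lacking the key, can only try unkeyed hashes.
    master = secrets.token_bytes(32)
    key_a = recipient_key(master, "research-partner-A")
    key_b = recipient_key(master, "research-partner-B")
    keyed_a = pseudonymise_records(TRAINING_RECORDS, lambda e: keyed_pseudonym(e, key_a))
    hit_keyed = reidentify([r["subject"] for r in keyed_a], candidates, naive_pseudonym)

    # Same person released to two recipients: different pseudonyms, no join.
    linkable = keyed_pseudonym("alice@example.org", key_a) == keyed_pseudonym("alice@example.org", key_b)

    return {
        "naive_reidentified": len(hit_naive),
        "keyed_reidentified": len(hit_keyed),
        "cross_recipient_linkable": linkable,
    }


if __name__ == "__main__":
    print(demo())  # {'naive_reidentified': 3, 'keyed_reidentified': 0, 'cross_recipient_linkable': False}
```

Two practitioner caveats follow from this. The key is the re-identification secret, so it belongs with the controller rather than in the training environment; and because the controller can still map a subject to their pseudonym, the records remain personal data under GDPR, which is exactly what makes the consent-withdrawal and correction scenario in the commentary above tractable: the controller can locate and delete or correct that subject's rows without ever releasing the key.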
- ISO/IEC 27035-2 | ISO27001security
ISO/IEC 27035-2
ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)
Abstract
ISO/IEC 27035 part 2 “provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the plan and prepare and learn lessons phases of the information security incident management phases model presented in [part 1 clauses] 5.2 and 5.6 ...” [Source: ISO/IEC 27035-2:2023]
Introduction
Part 2 concerns assurance that the organisation is in fact ready to respond appropriately to information security incidents that may yet occur.
Scope
Part 2 covers the Plan and prepare and Learn lessons phases of the process laid out in part 1.
Structure
Main sections:
4: Information security incident management policy
5: Updating of information security policies
6: Creating information security incident management plan
7: Establishing an incident management capability
8: Establishing internal and external relationships
9: Defining technical and other support
10: Creating information security incident awareness and training
11: Testing the information security incident management plan
12: Learn lessons
... plus annexes with example forms, incident categorization approaches, and notes on ‘legal and regulatory requirements’ (mostly privacy).
Status
The first edition of part 2 was published in 2016. Having been revised for ISO/IEC 27002:2022 and with a new clause 8, the second edition was published in 2023.
Commentary
This part of ISO/IEC 27035 addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future.
This page last updated: 19 November 2025
- ISO/IEC 27033-7 | ISO27001security
ISO/IEC 27033-7
ISO/IEC 27033-7:2023 — Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition)
Abstract
ISO/IEC 27033 part 7 “aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, [ISO/IEC 27033-7] intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.” [Source: ISO/IEC 27033-7:2023]
Introduction
This standard started out as ISO/IEC 5188 before being absorbed into ISO27k.
Scope
As part of the network security standard ISO/IEC 27033, part 7 concerns the information risks and security controls applicable to virtualisation of networks.
Structure
Main sections:
5: Overview
6: Security threats
7: Security recommendations
8: Security controls
9: Design techniques and considerations
Annex A: Use cases of network virtualization
Annex B: Detailed security threat description of network virtualization
Status
The current first edition of part 7 was published in 2023.
Commentary
The standard outlines some “security threats” or “security issues” - generic examples of types of incident (such as “Insider attacks: an administrator tampers image or changes security configurations”) but does not explain which information security controls address the identified “security threats/issues”, nor conversely which information risks the suggested information security controls are intended to mitigate: there is no cross-referencing between the two, hence it is unclear how users are meant to identify, select or prioritise whichever controls are most appropriate for their situations. So much for the “implementation guidelines”!
This page last updated: 19 November 2025
