- ISO/IEC 27035-2 | ISO27001security
ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)

Abstract
ISO/IEC 27035 part 2 “provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the plan and prepare and learn lessons phases of the information security incident management phases model presented in [part 1 clauses] 5.2 and 5.6 ...” [Source: ISO/IEC 27035-2:2023]

Introduction
Part 2 concerns assurance that the organisation is in fact ready to respond appropriately to information security incidents that may yet occur.

Scope
Part 2 covers the Plan and prepare and Learn lessons phases of the process laid out in part 1.

Structure
Main clauses:
4: Information security incident management policy
5: Updating of information security policies
6: Creating information security incident management plan
7: Establishing an incident management capability
8: Establishing internal and external relationships
9: Defining technical and other support
10: Creating information security incident awareness and training
11: Testing the information security incident management plan
12: Learn lessons
... plus annexes with example forms, incident categorization approaches, and notes on ‘legal and regulatory requirements’ (mostly privacy).

Status
The first edition of part 2 was published in 2016. Having been revised for ISO/IEC 27002:2022, and with a new clause 8, the current second edition was published in 2023.

Commentary
This part of ISO/IEC 27035 addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future.

This page last updated: 12 February 2026
- ISO/IEC 27035-1 | ISO27001security
ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition)

Abstract
ISO/IEC 27035 part 1 “is the foundation of the ISO/IEC 27035 series. It presents basic concepts, principles and process with key activities of information security incident management, which provide a structured approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying lessons learned. The guidance on the information security incident management process and its key activities given in [ISO/IEC 27035-1] are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance according to their type, size and nature of business in relation to the information security risk situation. [ISO/IEC 27035-1] is also applicable to external organizations providing information security incident management services.” [Source: ISO/IEC 27035-1:2023]

Introduction
Information security controls are imperfect in various ways: controls can be overwhelmed or undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g. authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never even conceived due to failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organisations that take their information security extremely seriously.

Managing incidents effectively involves detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments. Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing various control weaknesses in operational and management procedures) is part preventive and part corrective action.

The ISO/IEC 27035 standards concern managing information security events, incidents and vulnerabilities, expanding on the information security incident management section of ISO/IEC 27002. The standards describe a 5-phase process:
- Prepare to deal with incidents, e.g. prepare an incident management policy and establish a competent team to deal with incidents;
- Identify and report information security incidents;
- Assess incidents and decide how they are to be addressed, e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
- Respond to incidents, i.e. contain, investigate and resolve them;
- Learn the lessons: more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.

Scope
Part 1 outlines the concepts and principles underpinning information security incident management and introduces the remaining part/s of the standard. It describes an information security incident management process consisting of five phases, and says how to improve incident management.

Structure
Main clauses:
4: Overview
5: Process
Annex A: Relationship to investigative standards
Annex B: Examples of information security incidents and their causes
Annex C: Cross-reference table of ISO/IEC 27001 to the ISO/IEC 27035 series
Annex D: Considerations of situations discovered during the investigation of an incident

Status
The first edition of ISO/IEC 27035 was published as a single standard in 2011, replacing ISO TR 18044. It was subsequently split into four parts ... The first edition of part 1 was published in 2016. Having been revised for ISO/IEC 27002:2022, the current second edition was published in 2023.

Commentary
Information security incident management is described overall, and then as a process with five phases:
- Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.;
- Detect and report: someone has to spot and report “events” that might be or turn into incidents;
- Assess and decide: someone must assess the situation to determine whether it is in fact an incident;
- Respond: contain, eradicate, recover from and forensically analyse the incident, where appropriate;
- Learn lessons: make systematic improvements to the organisation’s management of information risks as a consequence of incidents experienced.
Annexes give examples of information security incidents and cross-references to eForensics and ISO/IEC 27001 standards.

In addition to actual events and incidents, we should be systematically exploring and learning from near-misses, i.e. situations that thankfully caused little if any impact on the business, such as:
- An alert worker noticing and reporting a phishing or Business Email Compromise attack;
- An infection by defective/nonfunctional malware or scareware;
- A colleague spotting confidential papers left on someone’s office desk after they have gone home, and tidying them away;
- A manager casually disclosing a commercially-sensitive detail in conversation with a supplier or competitor who appears not to have noticed it;
- A neighbouring office being ram-raided, burgled, vandalised, burnt or flooded;
- A competitor, business partner, customer or supplier suffering a noteworthy incident;
- Any incident from which the organisation successfully recovered, e.g. by restoring backups;
- Incidents that, by sheer good fortune, were trivial (incidental!) and could easily have been much worse, e.g. if they had occurred at a different time or day or point in the business cycle, in other circumstances, or if they had not been spotted so soon.

Although, in the absence of significant impacts and with finite resources already stretched by other priorities, it is tempting for management simply to ignore close-shaves and minor incidents, they present opportunities to:
- Identify and study information risks (threats, vulnerabilities, exposures, impacts ...) that might otherwise have remained unrecognised or ignored;
- Evaluate the risk management approach, particularly the associated decisions and controls;
- Tease out and address specific or indeed general weaknesses with the approach, making improvements;
- Gain assurance on the aspects that worked well, or at least went to plan;
- Generate case study materials for awareness and training purposes, and information to feed into future risk assessments, including statistics/metrics.
We might not be quite so lucky next time! The aviation industry is a shining example of this approach, with a comprehensive no-blame strategy to identify, report, address and improve as a result of [literal and figurative] near-misses.

Notwithstanding the title, the ISO/IEC 27035 standards specifically concern incidents affecting IT systems and networks, although the fundamental principles apply also to incidents affecting other forms of information such as paperwork, knowledge, intellectual property, trade secrets and personal information. Unfortunately (as far as I’m concerned), the language is almost entirely IT-related. That, to me, represents an opportunity squandered: ISO27k covers more than IT/cybersecurity. How are organisations meant to handle incidents such as fraud and piracy where the IT elements are incidental to the business? Explicitly describing the information risks that the incident management process addresses would enhance this standard, I feel.

Since it is literally impossible to detect and respond to every single incident, a proportion of the risk has to be accepted (e.g. ‘low and slow’ attacks fly under the radar, while many hacks and malware attacks involve deliberately evading or neutralising both detective and preventive controls), while some might be shared with third parties (e.g. business partners and insurers) or avoided (e.g. by putting even more emphasis on preventive controls). Also, the response to a major incident may well involve invoking business continuity arrangements, hence this standard should in my opinion integrate with or properly cite ISO 22301 etc.

This page last updated: 12 February 2026
- ISO/IEC 27034-7 | ISO27001security
ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition)

Abstract
ISO/IEC 27034 part 7 “describes the minimum requirements when the required activities specified by an Application Security Control (ASC) are replaced with a Prediction Application Security Rationale (PASR). The ASC mapped to a PASR define the Expected Level of Trust for a subsequent application. In the context of an Expected Level of Trust, there is always an original application where the project team performed the activities of the indicated ASC to achieve an Actual Level of Trust. The use of Prediction Application Security Rationales (PASRs), defined by [ISO/IEC 27034-7], is applicable to project teams which have a defined Application Normative Framework (ANF) and an original application with an Actual Level of Trust. Predictions relative to aggregation of multiple components or the history of the developer in relation to other applications is outside the scope of [ISO/IEC 27034-7].” [Source: ISO/IEC 27034-7:2018]

Introduction
Part 7 specifies a framework to deliver the assurance necessary to place trust in a computer program’s security arrangements, for example:
- When one program (such as an application) relies on another (e.g. a database management system, utility, operating system or companion program) to perform critical security functions (such as user authentication, logical access control or cryptography), or
- When an organisation updates or patches a trusted program.

Scope
Specifies minimum requirements when the required activities specified by an Application Security Control are replaced with a Prediction Application Security Rationale. The ASC mapped to a PASR defines the Expected Level of Trust for a subsequent application. The use of PASRs is applicable to project teams which have a defined Application Normative Framework and an original application with an Actual Level of Trust.

Structure
Main clauses:
5: Prediction concepts
6: Predictions
7: Substantial changes
8: Confidence
9: Prediction application security rationale
10: PASR audit
11: PASR verification
12: PASR implementation
13: Expected level of trust report
Annex A: Expected level of trust assurance case
Annex B: Comparison of ASC to PASR

Status
The current first edition of part 7 was published in 2018 and confirmed unchanged in 2023.

Commentary
The language in part 7 is decidedly formal and stilted (e.g. “An application security claim is a claim that the application team implemented certain security controls and those controls mitigate specific security risks to an acceptable level. A security prediction is the transfer of confidence in the original claim to a claim that the same security controls are also present in a subsequent version of the application and mitigate, to the same acceptable level, the same specific security risks.” - got that?). It falls a long way short of ISO’s guidance on plain English.

This page last updated: 12 February 2026
- ISO/IEC 27034-5 | ISO27001security
ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition)

Abstract
ISO/IEC 27034 part 5 “outlines and explains the minimal set of essential attributes of Application Security Controls (ASCs) and details the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM).” [Source: ISO/IEC 27034-5:2017]

Introduction
The ability to share and reuse properly specified, developed and assured application security functions is a powerful, efficient and effective approach to software development.

Scope
Part 5 facilitates the establishment of libraries of reusable application security functions that may be shared both within and between organisations.

Structure
Main clauses:
5: Application Security Control Structure
6: Application Security Life Cycle Reference Model
7: ASC Package

Status
The current first edition of part 5 was published in 2017 and confirmed in 2023.

Commentary
Part 5 facilitates the implementation of the ISO/IEC 27034 application security framework and the communication and exchange of ASCs by defining a formal structure for ASCs and certain other components of the framework. It defines the Application Security Controls data structure, providing requirements, descriptions, graphical representations and an XML schema for the data model. The XML schema, based on ISO 15000-1 “Electronic business eXtensible Markup Language (ebXML)”, is designated as the standard interchange format for ASCs. It lays out a minimal set of essential attributes of ASCs and the Application Security Life Cycle Reference Model.

Note: the accompanying standard ISO/IEC TS 27034-5-1:2018 — Information technology — Security techniques — Application security — Part 5-1: Protocols and application security controls data structure, XML schemas “defines XML Schemas that implement the minimal set of information requirements and essential attributes of ASCs and the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM) from ISO/IEC 27034-5.” [Source: ISO/IEC TS 27034-5-1:2018]

This page last updated: 12 February 2026
- ISO/IEC 27034-3 | ISO27001security
ISO/IEC 27034-3:2018 — Information technology — Security techniques — Application security — Part 3: Application security management process (first edition)

Abstract
ISO/IEC 27034 part 3 “provides a detailed description and implementation guidance for the Application Security Management Process.” [Source: ISO/IEC 27034-3:2018]

Introduction
Part 3 defines the processes for managing the security of an application that processes critical information.

Scope
Part 3 “provides a detailed description and implementation guidance for the Application Security Management Process.”

Structure
Main clauses:
5: Application Security Management Process
6: ASMP steps
7: ANF elements
Annex A: Guidance text related to the ASMP step (6.4) Realizing and operating the application

Status
The current first edition of part 3 was published in 2018.

Commentary
Part 3 describes “the overall process for managing security on each specific application used by an organisation”, making this a broadly applicable and particularly useful part of this multi-part standard.

This page last updated: 12 February 2026
- ISO/IEC 27034-2 | ISO27001security
ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: Organization normative framework (first edition)

Abstract
ISO/IEC 27034-2 “provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.” [Source: ISO/IEC 27034-2:2015]

Introduction
Part 2 explains the structure, relationships and interdependencies between processes in the Organisation Normative Framework (ONF): a suite of application security-related policies, procedures, roles and tools.

Scope
Part 2 provides guidance on designing, implementing, operating and auditing the ONF.

Structure
Main clauses:
5: Organization Normative Framework
Annex A: Aligning the ONF and ASMP with ISO/IEC 15288 and ISO/IEC 12207 through ISO/IEC 15026-4
Annex B: ONF implementation example: implementing ISO/IEC 27034 Application Security and its ONF in an existing organization

Status
The current first edition of part 2 was published in 2015 and confirmed unchanged in 2021.

Commentary
The highly structured ONF approach is formal and bureaucratic, e.g. a committee is needed to oversee the ONF, hence it seems most likely to suit mature organisations that already have or need a highly structured way of securing the applications they develop. It is nothing like vibe coding.

This page last updated: 12 February 2026
- ISO/IEC 27034-1 | ISO27001security
ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts (first edition)

Abstract
“ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications. [Part 1] presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.” [Source: ISO/IEC 27034-1:2011]

Introduction
As with other multipartite ISO27k standards, the first part sets the scene for the remainder, providing a general introduction and outlining the remaining parts.

Scope
The ISO/IEC 27034 standards take a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, application security is not defined as the state of security of an application system (the result of the process) but as “a process an organisation can perform for applying controls and measurements to its applications in order to manage the risk of using them”. They use the concept of defining a Targeted Level of Trust (similar to a security plan) for an application, designing and building the application to meet it, and then validating the application against it.

Structure
Main clauses:
5: Structure of ISO/IEC 27034
6: Introduction to application security
7: ISO/IEC 27034 overall processes
8: Concepts
Annex A: Mapping an existing development process to ISO/IEC 27034 Case Study
Annex B: Mapping ASC with an existing standard
Annex C: ISO/IEC 27005 risk management process mapped with the ASMP
This part is ~80 pages long with quite a lot of detail.

Status
The current first edition of part 1 was published in 2011. Three minor corrections plus a revised figure were published in 2014 as a technical corrigendum. The corrected standard was confirmed in 2022.

A project to update the ISO/IEC 27034 standards commenced in 2024. It will take years to complete. All parts of the standard should conform with JTC 1/SC 7’s standards on software and systems engineering, plus relevant ISO27k standards, and the terminology should align with the ISO 31000 series. A major redesign of the scope of the individual ISO/IEC 27034 standards and of the set as a whole is under way, with the intention of making them more relevant and useful for SMEs, and better aligned with other software engineering standards, in particular ISO/IEC/IEEE 12207 (software life cycle processes) and ISO/IEC/IEEE 15288 (system life cycle processes). The revision project was therefore stopped and restarted in 2025 at Preliminary Work Item (PWI) stage.

Commentary
The ISO/IEC 27034 standards draw on concepts such as auditing and certification of application systems similar in style to the Common Criteria and similar schemes primarily used for government and military systems. The text tends to emphasize deliberate threats arising from external adversaries, implying the importance of confidentiality controls and arguably downplaying insider and accidental threats and the need for integrity and availability controls, but the process described ostensibly takes account of the full spectrum of security risks and controls. Rewriting all the parts to adopt ISO’s guidance on plain English would be challenging but could substantially extend the utility and value of these standards.

This page last updated: 12 February 2026
- ISO/IEC 27033-7 | ISO27001security
ISO/IEC 27033-7:2023 — Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition)

Abstract
ISO/IEC 27033 part 7 “aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, [ISO/IEC 27033-7] intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.” [Source: ISO/IEC 27033-7:2023]

Introduction
Network virtualization was defined in ISO/IEC TR 29181-1:2012 as “technology that enables the creation of logically isolated network partitions over shared physical network infrastructures so that multiple heterogeneous virtual networks can simultaneously coexist over the shared infrastructures. Note 1 to entry: Network virtualization allows the aggregation of multiple resources and makes the aggregated resources appear as a single resource.” For context, the same 2012 standard concerned “Future Network”, defined as “network of the future which is made on clean-slate design approach as well as incremental design approach; it should provide futuristic capabilities and services beyond the limitations of the current network, including the Internet”.

Scope
Within the multipart network security standard ISO/IEC 27033, part 7 addresses information risks and security controls applicable to network virtualisation.

Structure
Main clauses:
5: Overview
6: Security threats
7: Security recommendations
8: Security controls
9: Design techniques and considerations
Annex A: Use cases of network virtualization
Annex B: Detailed security threat description of network virtualization

Status
The current first edition of part 7 was published in 2023.

Commentary
The standard outlines some “security threats” or “security issues” - generic examples of types of incident (such as “Insider attacks: an administrator tampers image or changes security configurations”) - but does not explain which information security controls address the identified “security threats/issues”, nor conversely which information risks the suggested information security controls are intended to mitigate: there is no cross-referencing between the two, hence it is unclear how users are meant to identify, select or prioritise whichever controls are most appropriate for their situations. So much for the “implementation guidelines”!

This page last updated: 12 February 2026
- ISO/IEC TR 27024 | ISO27001security
ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]

Abstract
ISO/IEC TR 27024 “provides a list of national regulations that reference ISO/IEC 27001 as a requirement.” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction
This Technical Report is meant to help management determine which of the ISO27k standards are recommended or required of their organisations for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.

Scope
The draft standard identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards, and explicitly concern:
- Information security
- Privacy/data protection
- Digitalization and electronic archiving.
It does not (explicitly) cover numerous other areas of law less directly concerned with the confidentiality, integrity or availability of information, such as:
- Governance
- Contracts
- Product quality/fitness for purpose
- Cryptography
- Digital signatures
- Defence
- Official secrets
- Classified information
- Health and safety
- Financial data integrity, reporting and accounting
- Medical records
- Misinformation
- Fraud
- Forensics
... and more besides.

Structure
The central chapter is expected to contain just 18 clauses, each listing a selection of relevant laws and regulations from a different country or region (such as the EU).

Status
A Technical Report is being developed from ISO/IEC JTC 1/SC 27 Standing Document 7 (SD7), an internal committee reference document. Since SD7 is mature, the standard progressed rapidly to Draft Technical Report stage and was planned for release back in 2023. Patently, however, compiling and checking details on relevant laws and regs around the globe, along with editorial changes required by ISO, have substantially delayed release. The title may become “Government and regulatory use of ISO/IEC 27001, ISO/IEC 27002 and other information security standards”. It is at Committee Draft stage and was due to be published last year (2025). Maybe it will surface in 2026? Maybe not. We shall see.

Commentary
Depending on how one interprets part 2 of the ISO Directives, this standard may be stillborn: “A document does not in itself impose any obligation upon anyone to follow it. However, an obligation can be imposed, for example, by legislation or by a contract which makes reference to the document. A document shall not include contractual requirements (e.g. concerning claims, guarantees, covering of expenses), or legal or statutory requirements.” [clause 4]

If this remained as a Standing Document without the formalities of becoming a standard, it would be easier, quicker and cheaper to update it as the referenced standards, laws and regs change, with the bonus of being freely available to those who need the information ... but in its infinite wisdom, the committee decided to publish (and consequently maintain) it as a Technical Report.

Taking a broad perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information. In the extreme, virtually every law involves forensic evidence with strong CIA implications. Laws and regs relating to human safety are important to protect the valuable knowledge and competencies in our heads, while those relating to mental health affect our information processing capabilities. Laws and regs on tax and financial reporting and corporate governance all have information security implications. The standard is unlikely even to mention these, reflecting its arbitrary nature.

This standards project faces a similar conundrum to ISO/IEC 27002. It would be wonderful if the standard was truly comprehensive and up-to-date and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!

This page last updated: 11 February 2026
- ISO/IEC 27033-6 | ISO27001security
ISO/IEC 27033-6:2016 — Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition)

Abstract
ISO/IEC 27033 part 6 “describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in [part 6] is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033-2. Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of security for any organization’s wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks.” [Source: ISO/IEC 27033-6:2016]

Introduction
This is a generic wireless network security standard offering basic advice for WiFi, Bluetooth, 3G and other wireless networks.

Scope
Risks, design techniques and control issues for securing IP wireless networks. Relevant to those involved in the detailed planning, design and implementation of security for wireless networks (e.g. network architects and designers, network managers and network security admins).

Structure
Main clauses:
6: Overview
7: Security threats
8: Security requirements
9: Security controls
10: Security design techniques and considerations
Annex A: Technical description of threats and countermeasures

Status
The current first edition of part 6 was published in 2016 and confirmed unchanged in 2021.

Commentary
The standard uses the curious term “wire line network”, more commonly known as a wired network. The standard repeatedly refers to “access network”, another curious term that is not defined (aside from Radio Access Network). I guess it means “network” but without a definition, I cannot be sure.

The standard indicates that encryption is an integrity control, whereas encryption provides confidentiality: integrity is normally provided by other cryptographic mechanisms, such as message authentication codes or digital signatures, or by authenticated encryption modes that deliberately combine the two. Unauthenticated encryption on its own does not stop an attacker altering ciphertext in transit, and with stream ciphers the alteration maps predictably onto the plaintext. Yes, I’m splitting hairs here ... over an integrity failure.

Similarly to Part 7, this part lists a number of “threats” which are, in fact, attack modes or incident scenarios. The list would, I feel, have been more useful if the standard systematically addressed each of them, explaining how certain controls mitigate them. It doesn’t.

This page last updated: 12 February 2026
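The commentary on part 6 above objects to encryption being described as an integrity control. The following Python script is an added illustration of that point, not code from the standard or from this site: it encrypts a message with a stream cipher, flips one ciphertext byte without knowing the key, and shows that decryption silently yields an altered plaintext; the same flip against an encrypt-then-MAC construction is rejected before any plaintext is released. The keystream generator (HMAC-SHA256 in counter mode) is a toy chosen only so the script runs on the standard library with no third-party packages, and the keys, nonce and sample message are constructed for the demonstration. A real deployment would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 rather than this construction.

```python
"""Encryption alone does not give integrity.

Added illustration, not code from ISO/IEC 27033-6. The stream cipher below
is a toy (HMAC-SHA256 keystream in counter mode) used only because it needs
nothing outside the Python standard library; use a vetted AEAD in practice.
"""

import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR plaintext with the keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


stream_decrypt = stream_encrypt  # XOR is its own inverse


def flip_bits(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Attacker side: XOR one ciphertext byte with `mask`. No key required."""
    tampered = bytearray(ciphertext)
    tampered[offset] ^= mask
    return bytes(tampered)


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, nonce || ciphertext)."""
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting; raise on any change."""
    if len(message) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return stream_decrypt(enc_key, nonce, ct)


def demo() -> dict:
    """Apply the same one-byte flip to both constructions and report the outcome."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    # Constructed sample message: one byte decides how much money moves.
    plaintext = b"TRANSFER 1000 GBP TO ACCOUNT 42"
    offset = plaintext.index(b"1000")   # position of the leading '1'
    mask = ord("1") ^ ord("9")          # XORing this in turns '1' into '9'

    # Encryption only: the flip passes straight through into the plaintext.
    ct = stream_encrypt(enc_key, nonce, plaintext)
    silently_altered = stream_decrypt(enc_key, nonce, flip_bits(ct, offset, mask))

    # Encrypt-then-MAC: the identical flip is rejected before decryption.
    msg = etm_encrypt(enc_key, mac_key, nonce, plaintext)
    try:
        etm_decrypt(enc_key, mac_key, nonce, flip_bits(msg, offset, mask))
        detected = False
    except ValueError:
        detected = True

    return {
        "original": plaintext,
        "after_flip_without_mac": silently_altered,
        "flip_detected_with_mac": detected,
        "untampered_roundtrip_ok": etm_decrypt(enc_key, mac_key, nonce, msg) == plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script prints the original instruction, the same instruction with the amount changed to 9000 after the unauthenticated flip, and True for both the detection and the untampered round trip. The design point is the order of operations in etm_decrypt: the tag covers the ciphertext and nonce and is checked with hmac.compare_digest before any decryption happens, so a modified message is rejected without leaking anything about its contents.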
