Search Results

  • ISO/IEC 27033-5 | ISO27001security

    ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition)

    Abstract: ISO/IEC 27033 part 5 “gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.” [Source: ISO/IEC 27033-5:2013]

    Introduction: ISO/IEC 27033-5 revised ISO/IEC 18028 part 5. It extends the IT security management guidelines of ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations. It provides guidance for securing remote access over public networks.

    Scope: The standard guides network administrators and technicians who plan to make use of this kind of connection, or who already have it in use and need advice on how to set it up and operate it securely.

    Structure: Main clauses:
      6: Overview
      7: Security threats
      8: Security requirements
      9: Security controls
      10: Design techniques
      11: Guidelines for product selection

    Status: ISO/IEC 27033-5 revised and replaced ISO/IEC 18028-5. The current first edition of part 5 was published in 2013 and confirmed unchanged in 2019 and again in 2025.

    Commentary: Gives a high-level, incomplete assessment of the threats to VPNs (i.e. it mentions the threats of intrusion and denial of service but not unauthorized monitoring/interception, traffic analysis, data corruption, insertion of bogus traffic, various attacks on VPN end points, malware, masquerading/identity theft, insider threats etc., although these are mentioned or at least hinted at later under security requirements). Introduces different types of remote access including protocols, authentication issues and support when setting up remote access securely.

    This page last updated: 12 February 2026

  • ISO/IEC 27033-3 | ISO27001security

    ISO/IEC 27033-3:2010 Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition)

    Abstract: ISO/IEC 27033 part 3 “describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents. The information in ISO/IEC 27033-3:2010 is for use when reviewing technical security architecture/design options and when selecting and documenting the preferred technical security architecture/design and related security controls, in accordance with ISO/IEC 27033-2. The particular information selected (together with information selected from ISO/IEC 27033-4 to ISO/IEC 27033-6) will depend on the characteristics of the network environment under review, i.e. the particular network scenario(s) and ‘technology’ topic(s) concerned. Overall, ISO/IEC 27033-3:2010 will aid considerably the comprehensive definition and implementation of security for any organization's network environment.” [Source: ISO/IEC 27033-3:2010]

    Introduction: Using a set of 'reference scenarios' (worked examples), part 3 demonstrates how to identify, evaluate and treat typical information risks in the networking security context.

    Scope: Part 3 is intended to “define the specific risks, design techniques and control issues associated with typical network scenarios” [Source: ISO/IEC 27033-1].

    Structure: Main clauses:
      7: Internet access services for employees
      8: Business to business services
      9: Business to customer services
      10: Enhanced collaboration services
      11: Network segmentation
      12: Networking support for home and small business offices
      13: Mobile communication
      14: Networking support for travelling users
      15: Outsourced services
      Annex A: Example Internet use policy
      Annex B: Catalogue of threats

    Status: The current first edition of part 3 was published long, long ago in 2010 and confirmed unchanged in 2018.

    Commentary: This standard:
      - Discusses threats, specifically, rather than all the elements of risk.
      - Refers to other parts of ISO/IEC 27033 for more specific guidance.
      - Is way out of date, despite ironically noting "the evolving nature of technology". There is no mention of 'cloud', for instance. Not one. None. Zilch. Zero. Nor 'zero trust', for that matter, nor '*aaS'. '3DES' and 'AES' are in there though, so it's not totally prehistoric.

    This page last updated: 12 February 2026

  • ISO/IEC 27033-2 | ISO27001security

    ISO/IEC 27033-2:2012 Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition)

    Abstract: ISO/IEC 27033 part 2 “gives guidelines for organizations to plan, design, implement and document network security.” [Source: ISO/IEC 27033-2:2012]

    Introduction: Part 2 revised and replaced ISO/IEC 18028 part 2. It defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology.

    Scope: Planning, designing, implementing and documenting network security. Objective: “to define how organisations should achieve quality network technical security architectures, designs and implementations that will ensure network security appropriate to their business environments, using a consistent approach to the planning, design and implementation of network security, as relevant aided by the use of models/frameworks. (In this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design)”.

    Structure: Main clauses:
      6: Preparing for design of network security
      7: Design of network security
      8: Implementation
      Annex A: Cross-references between ISO/IEC 27001:2005/ISO/IEC 27002:2005 network security-related controls and ISO/IEC 27033-2:2012 clauses
      Annex B: Example documentation templates
      Annex C: ITU-T X.805 framework and ISO/IEC 27001:2005 control mapping

    Status: ISO/IEC 27033-2 revised and replaced ISO/IEC 18028-2. The current first edition of part 2 was published way back in 2012 and confirmed unchanged in 2018. It refers to outdated editions of other standards.

    Commentary: Defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology. Serves as a foundation for detailed recommendations on end-to-end network security. Covers risks, design, techniques and control issues. Refers to other parts of ISO/IEC 27033 for more specific guidance.

    This page last updated: 12 February 2026

  • ISO/IEC 27033-1 | ISO27001security

    ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition)

    Abstract: ISO/IEC 27033 part 1 “provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services, and end-users, in addition to security of the information being transferred across the communication links.) ... Overall it provides an overview of this International Standard and a 'road map' to all other parts.” [Source: ISO/IEC 27033-1:2015]

    Introduction: Part 1 revised and replaced ISO/IEC 18028 part 1. It provides:
      - A roadmap and overview of the concepts and principles underpinning the remaining parts of ISO/IEC 27033.
      - A glossary of information security terms specific to networking.
      - Guidance on a structured process to identify and analyse network security risks and hence define network security control requirements, including those mandated by relevant information security policies.
      - An overview of the controls supporting network technical security architectures and related technical controls, as well as non-technical controls plus other technical controls that are not solely related to network security (thus linking to ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005 plus other ISO27k standards as they are released).

    Scope: Extends the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 27002 etc. by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general information security management issues and the specifics of implementing largely technical network security controls (e.g. firewalls, IDS/IPS, message integrity controls etc.).

    Structure: Main clauses:
      6: Overview
      7: Identifying risks and preparing to identify security controls
      8: Supporting controls
      9: Guidelines for the definition and implementation of network security
      10: Reference network scenarios - risks, design techniques and control issues
      11: 'Technology' topics - risks, design techniques and control issues
      12: Develop and test security solution
      13: Operate security solution
      14: Monitor and review solution implementation
      Annex A: Cross-reference between ISO/IEC 27001 Annex A and ISO/IEC 27002 network security-related controls and ISO/IEC 27033-1
      Annex B: Example template for a SecOPs document

    Status: ISO/IEC 27033-1 revised and replaced ISO/IEC 18028-1, which in turn superseded ISO/IEC TR 13335-5. The first edition was published in 2009. The current second edition was published in 2015 and confirmed unchanged in 2021. An extended scope for the ISO/IEC 27033 network security standards is under consideration to catch up with recent and emerging technologies such as cloud computing, zero trust, IoT and AI. Consequently the initial routine standards revision project was stopped and restarted at Preliminary Work Instruction stage in 2025.

    Commentary: Part 1 mentions requirements such as non-repudiation and reliability in addition to the classical CIA triad (confidentiality, integrity and availability). It provides a reasonably technical overview of network security despite barely any reference to the OSI or TCP/IP network stacks! At present, the ISO/IEC 27033 standards are largely (entirely?) concerned with digital data networks, but there are other kinds of networks - such as business networks, social networks, professional networks, criminal networks and socio-political/cultural networks - all with differing risks and security concerns. So, should the ISO/IEC 27033 set be extended to cover those too? If so, how? It is not exactly obvious what kinds of guidance might usefully be offered in these other areas - in fact, formally speaking, it is not even entirely clear what ‘networks’ are. Anyway, that’s something to bear in mind. SC 27, meanwhile, tends to stick to the knitting i.e. IT/cyber security, in accordance with its defined scope. Furthermore, I feel the information risk and security aspects of industrial shop-floor Operational Technology networks are inadequately covered by current ISO/IEC 27033 standards, a significant omission. The networking protocols, risks and controls vary, while the gradual convergence of IT and OT is bound to affect network security in both domains.

    This page last updated: 12 February 2026

  • ISO/IEC 27032 | ISO27001security

    ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition)

    Abstract: ISO/IEC 27032 "provides: an explanation of the relationship between Internet security, web security, network security and cybersecurity; an overview of Internet security; identification of interested parties and a description of their roles in Internet security; high-level guidance for addressing common Internet security issues. [ISO/IEC 27032] is intended for organizations that use the Internet.” [Source: ISO/IEC 27032:2023]

    Introduction: ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.

    Scope: The abstract above covers the scope and purpose. The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses, rather than the more extreme spooky threats of concern in the governmental and defence domain.

    Structure: Main clauses:
      5: Relationship between Internet security, web security, network security and cybersecurity
      6: Overview of Internet security
      7: Interested parties
      8: Internet security risk assessment and treatment
      9: Security guidelines for the Internet
      Annex A: Cross-references between this standard and ISO/IEC 27002
    The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022 i.e.: 25 Organizational controls; 2 People controls; 0 Physical controls*; and 23 Technological controls.
    * It doesn't explicitly cover physical security for network cabling and equipment, nor the range and remote access concerns with wireless networking.

    Status: The first edition was published in 2012. The current second, thoroughly revised edition was published in 2023.

    Commentary: FWIW see also ISO/IEC TS 27100. Since the term emerged in 1990, “cyber” as in “cybersecurity” has gradually become a buzzword, buzzier than a hive full of excited honeybees, and yet doubts and disagreements over what it actually means persist. SC 27 had the opportunity to clarify cyber-related terms when revising this standard but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020, viz. “safeguarding of people, society, organizations and nations from cyber risks. Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define "cyber" or “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition were simply dropped. Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers. If those are your only concerns relating to the Internet, well it appears you have led a very sheltered life ...

    This page last updated: 12 February 2026

  • ISO/IEC 27031 | ISO27001security

    ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity (second edition)

    Abstract: “ISO/IEC 27031 provides guidance on ensuring that information and communication technology (ICT) is prepared to support business continuity. It outlines a framework for ICT readiness that aligns with broader business continuity objectives, helping organizations to prevent, respond to and recover from ICT-related disruptions that could impact critical operations. In today’s digital world, organizations rely heavily on ICT systems to operate, deliver services and maintain trust with stakeholders. Disruptions to these systems — from cyberattacks to system failures — can have severe consequences. ISO/IEC 27031 helps organizations build ICT resilience by integrating readiness planning into business continuity and information security practices. It ensures that ICT services can be restored within agreed timeframes, protecting operations, reputation and customer trust. This readiness is not only about internal systems but also extends to dependencies on third-party services such as cloud providers. Benefits:
      - Supports uninterrupted business operations during ICT disruptions
      - Strengthens alignment between ICT, security and continuity strategies
      - Reduces recovery time and data loss after incidents
      - Enhances organisational resilience and stakeholder confidence
      - Integrates smoothly with ISO/IEC 27001 and ISO 22301 practices” [Source: ISO.org summary page]

    Introduction: ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity. The standard:
      - Suggests a structure or framework (a coherent set or suite of methods and processes) for any organisation – private, governmental, and non-governmental;
      - Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organisation’s ISMS, helping to ensure business continuity;
      - Enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.

    Scope: The standard encompasses all events and incidents (not just information security related) that could have an impact on ICT infrastructure and systems. It therefore extends the practices of information security incident handling and management, ICT readiness planning and services. ICT Readiness for Business Continuity [a general term for the processes described in the standard] supports Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation.” ICT readiness is important for business continuity because ICT is prevalent and vital: many organisations’ critical business processes (including those involved in managing incidents plus the related business continuity, disaster and emergency responses) are highly dependent on ICT. Therefore, BCM would be incomplete without adequately considering the need to protect availability and continuity of the ICT. ICT readiness encompasses:
      - Preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
      - Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
    ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation. The standard incorporates the cyclical Plan-Do-Check-Act Deming-style approach, extending the conventional business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment methods’ such as Failure Mode and Effects Analysis, with a focus on identifying ‘triggering events’ that could precipitate more or less serious incidents. The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict.

    Structure: Main clauses:
      6: Integration of IRBC into BCM
      7: Business expectations for IRBC
      8: Defining prerequisites for IRBC
      9: Determining IRBC strategies
      10: Determining the ICT continuity plan
      11: Testing, exercise, and auditing
      12: Final MBCO
      13: Top management responsibilities regarding evaluating the IRBC
      Annex A: Comparing RTO and RPO to business objectives for ICT recovery
      Annex B: Risk reporting for FMEA

    Status: The first edition was published in 2011. The revision project ran into trouble and was cancelled in 2020, then rebooted. The standard was revised to cover the need for ICT support for business continuity arising from both deliberate and accidental incidents. The current second edition was published in 2025.

    Commentary: The value of this standard is unclear, given that ISO 22301 does such a good job in this general area while ISO/IEC 24762 covers ICT Disaster Recovery specifically. This standard could usefully be extended beyond the ICT domain since:
      - The ISO27k standards concern risk and security to information, not just “ICT” (a clumsy and unnecessary amplification of good old “IT” which in common usage has included comms for, oh at least 50 years);
      - Operational Technology (such as Industrial Control Systems running manufacturing plant, and assorted facilities management systems providing power, cooling etc.) is not mentioned, not even once - neither included nor excluded, just completely ignored;
      - Information in forms or formats other than computer data can be just as important for business continuity, just as valuable and just as much at risk. For example, the loss of a critical knowledge worker, perhaps even an entire high-performing team of professionals, can devastate the operational capability of any department. Think September 11th, or COVID, or defection to/poaching by a competitor or startup.
    However, the standard remains entirely ICT-focused, tech-centric. Furthermore, to avoid any hint of overlap or conflict with the ISO 22300-series standards, ISO/IEC 27031 does not replace a Business Continuity Management System. That said, the standard orbits around “IRBC” (ICT Readiness for Business Continuity) ... which is essentially a systematic way to manage the IT elements of business continuity, supplementing the BCMS as a whole. Although the issued standard mentions ICT resilience to - as well as recovery from - disastrous situations, the coverage on resilience (the ability for critical processes and systems to withstand as well as recover from serious incidents) is limited. It is similarly light on contingency. Contingency planning involves developing the organisation’s flexibility, capability, resources and dogged determination to cope with whatever situations actually eventuate, preparing for the uncertainties and challenges ahead. What will actually happen following an incident is contingent on the situation that occurs, its significance (reflecting its scale, nature, timing, implications for the business etc.) and the resources available (surviving!) at that point. The standard only refers once to ‘contingency’, as a convoluted and ineptly-phrased note to the definition of [ICT] readiness.

    This page last updated: 12 February 2026

  • ISO/IEC 27028 | ISO27001security

    ISO/IEC 27028 — Information security, cybersecurity and privacy protection — Guidance on using information security control attributes [DRAFT]

    Abstract: ISO/IEC 27028 "provides guidance on the use of information security control attributes. The guidance given in this document is generic and is intended to be applicable to all organizations, regardless of type, size, or nature.” [Source: ISO's page on ISO/IEC DIS 27028]

    Introduction: In 2022, the third edition of ISO/IEC 27002 introduced a new structure for information security controls, based around ‘themes’ and ‘attributes’, noting that organisations may prefer to use their own attributes as well or instead. ISO/IEC 27028 will explain how to do that, in practice, suggesting a variety of attributes with which to classify or characterise, select or design information security controls in various ways for various information security and business management purposes.

    Scope: The standard will expand upon the five control attributes in ISO/IEC 27002 i.e.:
      - Control type
      - Information security properties
      - Cybersecurity concepts
      - Operational capabilities
      - Security domains
    It will provide practical guidance on how to use the specified attributes and how to develop additional attributes and attribute values where appropriate. ISO/IEC 27002 casually mentioned that this is possible but did not explain.

    Structure: Main sections:
      5: Overview on [of] attribute approach
      6: Additional attributes
    Some 16 control attributes are suggested in addition to those five from ISO/IEC 27002, and there is advice on extending the approach to other information security controls and control attributes.

    Status: Work started on this project in 2021. It may be published as a Technical Specification rather than a full International Standard since the approach is innovative and not yet proven by experience ... but we will see. The first Draft International Standard was approved by SC 27 in November 2025, with comments leading to the release of a second DIS in December and votes due by early February 2026. Publication is expected towards the middle or second half of 2026.

    Commentary: There has been significant interest and support for the control attributes concept from ISO/IEC JTC 1/SC 27. When it is finally published, I believe ISO/IEC TS 27028 will be a valuable contribution to the field, expanding on the value and utility of ISO/IEC 27002. Meanwhile, a free guideline explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks using appropriate information security controls. Thinking about which attributes or characteristics of controls are relevant, plus the importance of the corresponding attribute values or parameters, helps round off the analysis and select or design appropriate controls. As usual, exploring objectives in detail generates insight that leads to a more successful outcome.

    This page last updated: 11 February 2026

  • ISO/IEC TS 27022 | ISO27001security

    ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)

    Abstract: ISO/IEC TS 27022 "defines a process reference model (PRM) for the domain of information security management, which is meeting the criteria defined in ISO/IEC 33004 for process reference models (see Annex A). It is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018, 4.3, within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS. [ISO/IEC TS 27022] is complementing the requirements-oriented perspective of ISO/IEC 27003 with an operational, process-oriented point of view.” [Source: ISO/IEC TS 27022:2021]

    Introduction: The standard (a Technical Specification) “provides a process reference model (PRM) for information security management, which differentiates between ISMS processes and measures/controls initiated by them ... [and] describes the ISMS processes implied by ISO/IEC 27001.” The standard is based on a PhD thesis.

    Scope: The standard lays out, in some detail, a Process Reference Model comprising a generic suite of ISMS processes that organisations may wish to use as a basis for designing custom processes within their own ISMS. The standard “is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.” This advisory standard does not add or modify the ISMS requirements in ISO/IEC 27001.

    Structure: The ISMS processes described fall into 3 “categories” (types or groups) i.e.:
      - Governance activities (confusingly titled ‘management processes’) - direction and oversight for the ISMS;
      - Core operations e.g. information risk and security management, policy management, incident management, internal audits ...; and
      - Support e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...
    The processes are each laid out in an Appendix, first as a table specifying:
      - Process “category” denoting the type of process
      - A brief description
      - Objective/purposes
      - Input[s] and Output[s]
      - Activities/functions i.e. a few words for each of the main steps in the process
      - Informative references.
    The table is followed by a flowchart summarising each process on one side or less.

    Status: The current first edition was published in 2021. An amendment updating references to ISO/IEC 27001:2022 and other ISO27k standards was in preparation in 2024 but the proposed revision of the standard was dropped due to lack of expert support.

    Commentary: Mature organisations may already have processes for:
      - Asset management;
      - Audit management, both internal and external;
      - Business continuity management (see ISO 22301: ISO/IEC 27001 is limited to continuity of information security operations during major incidents);
      - Change management plus configuration management and version control;
      - Continuous improvement and maturity management;
      - Database [security] management;
      - Exemption management (management-approved nonconformity with policies);
      - Facilities management including power and other services for the computer room;
      - Identity, access rights and user account management;
      - Incident management including incident investigation and forensics;
      - Information management in general;
      - Information [security] risk management (partly covered by ISO/IEC 27005);
      - Information security management (covered by ISO/IEC 27001, 27002, 27003 and others);
      - IT!
      - Internal audits and certification audits;
      - Key management, plus the rest of cryptography;
      - Log management, plus alarms and alerts;
      - Metrics and management information management (partly covered by ISO/IEC 27004);
      - Monitoring and oversight of the risk management and security arrangements;
      - Patching, including emergency arrangements for urgent fixes;
      - Performance and capacity management;
      - Personnel/HR management including “onboarding” and “offboarding” (nasty neologisms!);
      - Preventive and corrective actions;
      - Quality management, especially quality assurance;
      - Service management [organisations that are heavily process-oriented may be using ITIL/ISO 20000, in which case ISO/IEC 27013 is applicable];
      - Supplier/vendor relationship management, including telecomms, Internet and cloud services, outsourced development, contract security guards, maintenance/servicing, professional services (consulting, contracting, accounting, tax advising) etc.;
      - System and network [security] management;
      - System/software development and testing ...
    ... and more. Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organisations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
      - Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
      - Facilitating or encouraging process automation and innovation where applicable;
      - Facilitating or encouraging use of existing processes, adapting them where necessary;
      - Perhaps re-using effective ISMS processes elsewhere in the organisation;
      - Managing the processes themselves e.g. management processes for monitoring, reviewing, evaluating and maintaining the ISMS processes, responding to changes, identifying and exploiting improvement opportunities etc.
    It would be unfortunate if ISMS processes were perceived as distinct from normal operations, rather than being integral to the organisation’s routine activities. The process for managing an information security or privacy incident, for example, is essentially the same as that for managing any other incident, hence it is generally unnecessary to create an alternative incident management process if the existing one (perhaps with a few tweaks) is effective.

    This page last updated: 11 February 2026

  • ISO/IEC 27021 | ISO27001security

ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals (first edition)

Abstract

“ISO/IEC 27021:2017 specifies the requirements of competence for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conforms to ISO/IEC 27001.” [Source: ISO/IEC 27021:2017]

Introduction

To help stabilise and standardise the global market for training and certifying professionals for ISO27k implementation and audit work, this standard lays out the competence expected of ISMS professionals.

Scope

The standard concerns the competences (meaning the combination of knowledge and skills) required or expected of professionals managing an ISMS in accordance with ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and ISO/IEC 27007.

Note: the standard does not specify a qualification scheme as such, but in effect serves as a reference for the organisations that offer such schemes.

Note: the standard does not cover auditor competence.

Structure

Main clauses:

- 4: Concept and structure
- 5: Business management competence for ISMS professionals
- 6: Information security competence for ISMS professionals
- Annex A: Including knowledge for ISMS professionals as part of a body of knowledge

The standard starts by explaining that an ISMS is just one form of Management System, requiring a combination of competences in general business management (e.g. leadership and communication, planning and budgeting) plus information security/ISMS management (e.g. scoping the ISMS). The competences roughly mirror the main body clauses of ISO/IEC 27001, except that most of the general management competences are not directly related to specific clauses.

Each competence is described quite succinctly in four ways:

- Relevant ISO/IEC 27001 clause (where applicable)
- Intended outcome: what this part of the role entails and is expected to achieve
- Knowledge required: things the ISMS professional should know about
- Skills required: things the ISMS professional should be able to do

Status

The first edition was published in 2017. Additional references to ISO/IEC 27001 clauses were added to plug gaps in the competencies table through an amendment in 2021: ISO/IEC 27021:2017/Amd1:2021 Information technology - Security techniques - Competence requirements for information security management systems professionals - Amendment 1: Addition of ISO/IEC 27001:2013 clauses or subclauses to competence requirements.

Commentary

Although the title of this standard includes the reserved word ‘requirements’, that should not be taken to imply this is a certifiable standard.

The four standards listed in the scope section above may be the ‘core standards’ but they represent just a fraction of the growing ISO27k suite. It could be argued that several others are nearly as important (ISO/IEC 27003 and ISO/IEC 27004, for example), which begs questions about the breadth and depth of knowledge and competencies truly expected of information security managers.

Another aspect is that (ISO27k notwithstanding) information security management is materially different in different types/sizes of organisation, so perhaps there is a need for different levels or tiers of qualification (or practitioner maturity, you could say), from entry-level basics up to subject matter experts? A tiered scheme would also encourage career development and lifelong learning.

Since the standard is intended to guide those developing courses and qualifications, it might make sense to incorporate or build the standard around a matrix listing the skills and competencies on one axis and the levels or tiers on another, indicating in the body of the matrix which items people at that level/tier are expected to know about and be competent to perform. The idea of a tiered scheme was agreed in principle by the project team, with e-CF and e-QF schemes (whatever they are!) being mentioned during drafting: maybe this suggestion will be revisited when the standard is next revised.

The standard incorporates the idea of a Body of Knowledge defined in the standard to cover the core aspects of governing and managing an ISMS, but extendable by organisations to address their specific additional requirements in this area.

  • ISO/IEC 27019 | ISO27001security

ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)

Abstract

ISO/IEC 27019 “provides information security controls for the energy utility industry, based on ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:

- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
- digital controllers and automation components such as control and field devices or programmable logic controllers (PLCs), including digital sensor and actuator elements;
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
- communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote-control technology;
- Advanced metering infrastructure (AMI) components, e.g. smart meters;
- measurement devices, e.g. for emission values;
- digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
- energy management systems, e.g. for distributed energy resources (DER), electric charging infrastructures, and for private households, residential buildings or industrial customer installations;
- distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
- all software, firmware and applications installed on above-mentioned systems, e.g. distribution management system (DMS) applications or outage management systems (OMS);
- any premises housing the abovementioned equipment and systems;
- remote maintenance systems for abovementioned systems.” [Source: ISO/IEC 27019:2024]

Introduction

This standard is intended to help organisations in “the energy utility industry” (such as conventional/non-nuclear electricity generators, plus suppliers of gas, oil and heating) to interpret and apply ISO/IEC 27002 in order to secure their industrial process control systems, i.e. their Operational Technology as opposed to Information Technology.

Scope

Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems plus their associated safety and environmental criticality make some aspects particularly challenging for energy utilities. The standard therefore provides additional, more specific guidance on information security controls than the generic advice provided by ISO/IEC 27002, tailored to the specific context of process control systems used by energy utilities for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

Note: given their unique and extreme risks, the scope of ISO/IEC 27019 explicitly excludes process control in nuclear facilities. See instead (for example) IEC 63096:2020 “Nuclear power plants - Instrumentation, control and electrical power systems - Security controls”.

Structure

ISO/IEC 27019 complements and must be read in conjunction with ISO/IEC 27002:2022 since it does not incorporate the content of ISO/IEC 27002. A dozen additional controls are offered for the energy sector.

Main clauses:

- 5: Organizational controls - with 2 supplementary controls
- 6: People controls
- 7: Physical controls - 4 supplementary controls
- 8: Technological controls - 6 supplementary controls
- Annex A: Energy utility industry specific controls reference
- Annex B: Correspondence between this document and the first edition (ISO/IEC 27019:2017)

The standard notes in clause 0.4: “In addition to the controls provided by a comprehensive information security management system, [ISO/IEC 27019] provides additional assistance and sector-specific measures for the process control systems used by the energy utility sector, taking into consideration the special requirements in these environments. If necessary, further controls can be developed to fulfil particular requirements. The selection of controls depends upon the decisions taken by the organization on the basis of its own risk acceptance criteria, the options for dealing with the risk and the general risk management approach of the organization. NOTE National and international law, legal ordinances and regulations can apply.”

Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control/OT as well as general commercial systems, networks and processes, plus ISO/IEC 27005 concerning the management of information risk.

Status

A preliminary edition was published as a Technical Report in 2013 by fast-tracking the German standard DIN SPEC 27009:2012-04 based on ISO/IEC 27002:2005.

The first International Standard was published in 2017, based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645).

A corrigendum to replace a stray “should” with a “shall” in the annex was published to critical acclaim in 2019. Hurrah! Crisis averted!

The corrected standard was confirmed unchanged in 2022 ... but then was revised anyway to reflect the themed restructure and controls resequence of ISO/IEC 27002:2022, adding 12 suggested “ENR” controls to ISO/IEC 27022’s 96. The current second edition was published in 2024.

Commentary

The global energy industry has long had a strong safety culture since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are painfully apparent (Bhopal, Three Mile Island, Chernobyl, Exxon Valdez, Deepwater Horizon, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental obligations both in terms of its own operations, the upstream primary industries (e.g. mining) and the downstream impacts of some of its products.

Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:

- Threats such as natural disasters and deliberate attacks (sabotage) from hackers, Advanced Persistent Threats, spies and spooks, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electromechanical failures, malware/ransomware, social engineers etc.;
- Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to a panoply of cyber-threats, including those resulting from design flaws and bugs in software, especially if they are not well designed, managed and maintained (e.g. security patching is distinctly challenging on safety-critical systems, given the need for assurance that patches do not harm safety); and
- Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks).

Energy utilities, both public and private, are generally classed as part of the critical national infrastructures (e.g. under NIS 2 in Europe) due to their obvious strategic significance.

With an extremely high level of automation, the energy industry relies heavily on OT, principally electronic process control systems such as Programmable Logic Controllers, Industrial Internet of Things, Industrial Control Systems and Supervisory Control And Data Acquisition, plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations, for example, in a modern plant depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control challenging and costly.

In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.

© 2026 IsecT Limited 
