- ISO/IEC 27006-1 | ISO27001security
ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition)

Abstract
ISO/IEC 27006 part 1 “specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27006-1] are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in [ISO/IEC 27006-1] provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE [ISO/IEC 27006-1] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27006-1:2024]

Introduction
ISO/IEC 27006-1 is the accreditation standard that guides Certification Bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems against ISO/IEC 27001 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited CBs are valid, consistent and meaningful.

ISO/IEC 27006-1 specifies requirements and provides guidance for conformity auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011. The conformity assessment/certification process involves auditing the information security management system for conformity with ISO/IEC 27001. The standard provides guidance specific to ISMS certifications where applicable - for example, in order to remain independent and objective, the CB cannot also provide information security reviews or internal audits of the client’s ISMS. [Since no exclusion period is specified in the standard, this could be interpreted as a permanent or indefinite exclusion, or it may mean contemporaneously or within a few months or ... whatever.]

Scope
The scope is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”

Any duly-accredited CB providing ISO/IEC 27001 conformity certificates must fulfill the requirements in ISO/IEC 27006-1 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful, and truly indicate that the organisation has fully satisfied the stated requirements. Since literally anyone can issue certificates without necessarily following the certification processes specified in this standard, even substantially non-conformant organisations could conceivably purchase their ISMS certificates or simply ‘self-certify’ (assert rather than demonstrate conformity), potentially discrediting the whole certification structure. In other words, accreditation is an important control for certification.

Structure
The standard follows the structure of ISO/IEC 17021-1 clause-by-clause:
4: Principles
5: General requirements
6: Structural requirements
7: Resource requirements
8: Information requirements
9: Process requirements
10: Management system requirements
Annex A: Knowledge and skills for ISMS auditing and certification
Annex B: Further competence considerations
Annex C: Audit time - putting sufficient effort into the conformity assessment
Annex D: Methods for audit time calculations - determining how much effort is 'sufficient'
Annex E: Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls

Status
The first edition of ISO/IEC 27006 was published in 2007. The second edition was published in 2011. The third edition was substantially revised and published in 2015, with minor wording changes as an amendment in 2020. The fourth edition was published as ISO/IEC 27006-1 in 2024. It builds upon two normative references - ISO/IEC 17021-1:2015 and ISO/IEC 27001:2022.

Meanwhile, SC 27 is working on the structure of ISO/IEC 27006-1 and other issues, including concerns raised but not entirely resolved in exchanges with CASCO. See also ISO/IEC 27007 for further guidance on auditing an ISMS plus ISO/IEC TS 27008 for guidance on auditing information security controls.

[Note: ISO/IEC 27006-2 was published in 2021 covering PIMS certification against ISO/IEC 27701 but was renumbered in 2025, becoming ISO/IEC 27706.]

Commentary
Certification auditors have limited interest in the organisation’s information risks and information security controls that are supposedly being managed through the ISMS, needing to confirm "whether controls are implemented and effective and meet their stated information security objectives". It is largely assumed that any organisation with an operational ISMS in conformity with the standard is, in fact, determining its objectives and managing its information risks diligently.

ISO/IEC 27001 gives organisations latitude on how they design and document their ISMS, and hence certification auditors cannot simply follow a straightforward conformity checklist: they need to understand both management systems and information risk and security concepts. As far as I’m concerned, that’s a good thing!

The requirement to specify the Statement of Applicability on ISO/IEC 27001 conformity certificates has the unfortunate side-effect of impeding maintenance updates to an ISMS if that would affect the SoA, e.g. responding to newly-identified information risks or to incorporate additional controls. Since that hampers a fundamental principle or purpose of having a management system, it may constitute a substantive defect in ISO/IEC 27006-1 ... and perhaps other ISO management system standards too. In practice, however, it appears nobody (except me?) has noticed and is bothered by this.

This page last updated: 11 February 2026
- ISO/IEC 27018 | ISO27001security
ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)

Abstract
ISO/IEC 27018 “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, [ISO/IEC 27018] specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services ... The guidelines in [ISO/IEC 27018] can also be relevant to organizations acting as PII controllers.” [Source: ISO/IEC 27018:2025]

Introduction
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them. See also ISO/IEC 27017 covering the wider information security angles of cloud computing, aside from privacy. The standard development project had widespread support from national standards bodies plus the Cloud Security Alliance.

Scope
ISO/IEC 27018 intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organisations for implementing commonly accepted PII protection controls”. The standard is primarily concerned with public-cloud computing service providers processing PII.

“A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [according to the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors.

ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788:2014 “Cloud computing - overview and vocabulary” (withdrawn - replaced by ISO/IEC 22123-1:2023, a legitimate free download from ISO) and ISO/IEC 29100 “Privacy framework” (another free download!).

Structure
Main clauses:
4: Overview
5: Organizational controls
6: People controls
7: Physical controls
8: Technological controls
Annex A: Public cloud PII processor extended control set for PII protection
Annex B: Correspondence between this document and the first edition ISO/IEC 27018:2019

Status
The first edition was published in 2014. The second edition (a minor revision) was published in 2019. The current third edition was published in 2025, having been updated to reflect ISO/IEC 27002:2022 and offering an ‘extended control set’ aligned with ISO/IEC 29100:2024.

Commentary
The standard builds on ISO/IEC 27002, expanding on its generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations around the globe. In most sections, it simply says: “The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply.” The expansions or additions are straightforward - no surprises here.

This page last updated: 11 February 2026
- ISO/IEC 27017 | ISO27001security
ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition)

Abstract
“ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.” [Source: ISO/IEC 27017:2015/ITU-T X.1631]

Introduction
This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards.

Scope
The 'code of practice' provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013, in the context of cloud computing.

Structure
The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each clause, mirroring the structure of ISO/IEC 27002:2013.

Status
The current first edition was published in 2015. Having been developed jointly by ISO/IEC and ITU-T, the standard is dual-numbered ISO/IEC 27017 and ITU-T X.1631 with identical content.

Work on a second edition started in 2022. It is being updated to “capture a full set of guidance for information security controls applicable to cloud services, both from the third [2022] edition of ISO/IEC 27002 and any additional controls specific related specifically to cloud services.” ISO/IEC SC 27 and SC 38, ITU-T SG17 and the Cloud Security Alliance are collaborating on the revision, requiring careful scheduling to coordinate several parallel activities. Substantial changes are coming in the second edition of this standard with a complete reorganisation of the controls as per ISO/IEC 27002:2022. The title will become “Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services”. It is at Final Draft International Standard stage and should be published during 2026.

Commentary
In my opinion, ISO/IEC 27017 takes an unrealistically simplistic view of cloud service provider and customer relationships as individual one-to-one interactions. In reality, cloud services are often provided by multiple suppliers to multiple clients in different organisations, and nothing remains static for long. In practice, inter-organisational business relationships often extend through complex cloud supply chains or supply networks, with multiple parties involved in collaborating to assemble, deliver and manage cloud services (e.g. network, data centre, physical servers, virtual servers, operating systems, database management systems and other layered software, applications, and all the associated services). Consequently, there are numerous supplier-customer relationship risks to manage, such as organisational interdependence, contracting and subcontracting, complexity, dynamics and compliance. There are risk visibility and trust issues, resourcing challenges, commercial angles, technological challenges and more to contend with. Cloud-related information risks are cloudy!

Risk treatments for cloud and other information risks may include risk sharing, avoidance and acceptance - not just risk mitigation using security controls. Neither this standard nor ISO/IEC 27002 pay much attention to risk treatments other than mitigation using security controls.

Particularly for small or immature organisations, cloud services providing email, file storage and office apps etc. may be treated as mere commodities, procured without adequate consideration of information risk, security, privacy etc. However, some cloud services may be critical for core business, and cloud generally increases the organisation’s attack surface and vulnerabilities. [This issue may be more relevant to ISO/IEC 27005 and ISO/IEC 27036.]

Cloud services proved their value for resilience and flexible working through COVID. There are general principles and lessons here that can help organisations be better prepared to cope with future widespread/global challenges such as further pandemics, wars, Internet connectivity issues etc. Our challenge now is to draw them out, consider and embed them where appropriate - possibly in this standard.

The standard has widespread support from ISO/IEC JTC 1/SC 27, ITU-T SG17, national standards bodies and CSA among others. However, aligning disparate perspectives and objectives while remaining within the defined scope of the current update project is tricky.

SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient and given pressure from ISO not to proliferate Management Systems Standards ‘unnecessarily’. Therefore, SC 27 does not intend to develop a formal requirements specification standard against which to certify the security of cloud service providers specifically. Providers can however be certified against ISO/IEC 27001, ISO/IEC 27701 and other standards in the usual way, while there are non-ISO cloud security assessment and certification, classification, benchmarking or assurance schemes such as CSA STAR.

This page last updated: 11 February 2026
- ISO/IEC TR 27016 | ISO27001security
ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition)

Abstract
“ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.” [Source: ISO/IEC TR 27016:2014]

Introduction
There are substantial economic, financial and resourcing aspects to the management of information risks and security controls.

Scope
The ISO catalogue says ISO/IEC TR 27016 “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.”

Structure
Main clauses:
6: Information security economic factors - investment aspects
7: Economic objectives - asset values
8: Balancing information security economics for Information Security Management - cost-benefit analysis
Annex A: Identification of stakeholders and objectives for setting values
Annex B: Economic decisions and key cost decision factors
Annex C: Economic models appropriate for information security
Annex D: Business cases calculation examples

Status
The current first edition was published in 2014 as a Technical Report since this was deemed a developing field of study. Evidently the field has not developed significantly (and I guess the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members.

Commentary
Some generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000.

This page last updated: 11 February 2026
- ISO/IEC 27014 | ISO27001security
ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition)

Abstract
ISO/IEC 27014 “provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation. The intended audience for [ISO/IEC 27014] is: governing body and top management; those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. [ISO/IEC 27014] is applicable to all types and sizes of organisations. All references to an ISMS in [ISO/IEC 27014] apply to an ISMS based on ISO/IEC 27001. [ISO/IEC 27014] focuses on the three types of ISMS organisations given in Annex B. However, [ISO/IEC 27014] can also be used by other types of organisations.” [Source: ISO/IEC 27014:2020/ITU-T X.1054]

Introduction
This standard, produced by ISO/IEC JTC 1/SC 27 in collaboration with the International Telecommunications Union’s Telecommunication Standardization Sector (ITU-T), is specifically aimed at helping organisations govern their information security arrangements.

Scope
ISO/IEC 27014 “provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation.” In a nutshell, through sound governance arrangements, information security management achieves business objectives - a very important and powerful concept.

As with other ISO27k standards, it is “applicable to all types and sizes of organisations”, particularly those with one or more ISO 27001-style ISMSs encompassing either the entirety or certain parts of the organisation, or where a single ISMS applies across several businesses or business units (e.g. within a group structure).

Structure
Main clauses:
6: Governance and management standards, e.g. ISO/IEC 27001 and 38500
7: Entity governance and information security governance - 6 objectives and 4 processes
8: The governing body’s requirements on the ISMS
Annex A: Governance relationship
Annex B: Types of ISMS organization - e.g. multiple or shared ISMSs in group structures
Annex C: Examples of communication - a couple of situations where information security governance may need to be disclosed

The standard explains four “processes” (key aspects of governance):
Evaluation: senior management considers proposals and plans for information security management (e.g. "We will adopt an ISO27001 ISMS");
Direction: preparing strategies, policies and objectives for information security that align with and support the achievement of the organisation’s business objectives (e.g. “It is imperative that we both protect and exploit valuable information”);
Monitoring the performance of information security through management information flows and internal reporting arrangements (e.g. “We track the following security metrics: ...”);
Communication: ensures that all those within the organisation who are actively involved in directing, overseeing, driving, guiding and monitoring information security are 'singing from the same hymn sheet', while external stakeholders (such as its owners and regulatory authorities) are assured that information risk is being competently managed.

It also lays out six information security objectives that the governance and management arrangements should satisfy:
Establish integrated comprehensive entity-wide information security since the information at risk exists and is legitimately exploited, and hence deserves protection, throughout the organisation;
Make decisions using a risk-based approach - fundamental to all the ISO27k standards and at all levels of the ISMS from governance and strategy through management to routine operations (e.g. risk-assessing identified incidents to determine the priority and nature of the responses required);
Set the direction of acquisition - as in corporate mergers and acquisitions, as opposed to procuring goods and services;
Ensure conformance with internal and external requirements through assurance such as auditing of information security activities;
Foster a security-positive culture - an excellent suggestion, albeit easier said than done;
Ensure the security performance meets current and future requirements of the entity - there is a need for suitable management oversight, monitoring and measurement (metrics) in relation to current requirements, of course, but what about the future? Food for thought here.

Status
The first edition was published jointly by ISO/IEC and ITU-T in 2013, dual-numbered as ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text. The second edition was published by ISO/IEC in 2020 and then separately by ITU-T, released as X.1054 (04/2021) - a free PDF download in 2021.

Commentary
ISO/IEC 27014 refers to ‘information risk management’ - a minor but important distinction from the usual terms ‘information security risk’ and ‘information security management’. Security (as in controls to reduce/mitigate risk) is not the only way to treat risks to information: they can also be avoided, shared and accepted. Personally, I wish the remaining ISO27k standards would adopt ‘information risk’ (defined along the lines of “risk pertaining to information”) in place of ‘information security risk’ (a term that is not actually defined as such) but, so far, SC 27 management has blocked the move and we have not had the opportunity to debate it. I am merely a lone and tired kayaker nudging ISO’s supertanker.

In the course of drafting the second edition, SC 27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organisation’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.

The definition of ‘governing body’ obliquely notes that, along with ‘executive management’, both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organisation at the highest level”. In essence, the standard hints that senior managers can have distinct or separable governance (strategic direction-setting) and hands-on executive management roles.

The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organisation-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth, largely I guess because of the differences between organisations.

As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve.

ISO 37000:2021 “Guidance for the governance of organisations” could be the basis for updating ISO/IEC 27014 to utilise common concepts and terms. Maybe. At some point.

This page last updated: 11 February 2026
- ISO/IEC 27013 | ISO27001security
ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition)

Abstract
ISO/IEC 27013 “gives guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for organisations intending to: (a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa; (b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or (c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1. [ISO/IEC 27013] focuses exclusively on the integrated implementation of an information security management system (ISMS) as specified in ISO/IEC 27001 and a service management system (SMS) as specified in ISO/IEC 20000-1.” [Source: ISO/IEC 27013:2021]

Introduction
This standard provides guidance on implementing an integrated information security and IT service management system, based on both ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management specification, originally based on ITIL - the UK Government's IT Infrastructure Library). The benefits include:
Credible provision of effective and secure information/IT services.
Cost reduction, quicker implementation, better communication, increased reliability and efficiency, and easier certification process due to integration and commonality.
Mutual understanding by service management and information security personnel.

Scope
ISO/IEC 27013 advises users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to:
Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1, or vice versa;
Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or
Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.

The scope of this standard spans two ISO/IEC JTC 1 subcommittees. SC 27 and SC 7 collaborated to ensure that the information security and IT service management perspectives were both duly considered.

Structure
The standard proposes a framework for organising and prioritising activities, offering advice on:
Aligning the information security and service management and improvement objectives;
Coordinating multidisciplinary activities, leading to a more integrated and aligned approach (e.g. both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar);
A collective system of processes and supporting documents (policies, procedures etc.);
A common vocabulary and shared vision;
Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and
Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!).

Main clauses:
4: Overview of ISO/IEC 27001 and ISO/IEC 20000-1
5: Approaches for integrated implementation
6: Integrated implementation considerations
Two annexes compare the ISO/IEC 27001 and 20000 standards side-by-side
A third annex compares the terms and definitions between the standards

Status
The first edition was published in 2012. The second edition was published in 2015. The current third edition was published in 2021. A 4-page amendment to the third edition was published in 2024, updating references to the 2022 versions of ISO/IEC 27001 and 27002, adding useful guidance on selection of information security controls for the Statement of Applicability from Annex A or elsewhere (1 of the 4 pages!).

Commentary
Write out 1,000 times: “There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT ...”

This page last updated: 11 February 2026
- ISO/IEC 27011 | ISO27001security
ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition)

Abstract
“The scope of this Recommendation | International Standard is to provide guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property.” [Source: ISO/IEC 27011:2024/ITU-T X.1051]

Introduction
This Information Security Management System implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27, with the identical text being dual-numbered as both ISO/IEC 27011 and ITU-T X.1051.

Scope
ISO/IEC 27011 guides telecoms organisations on the information security controls worth considering and adopting to mitigate their unacceptable information risks. As with ISO/IEC 27002, the controls are discretionary, not mandatory. Telecoms organisations are free to determine whether the controls are or are not applicable ("necessary") according to their information risks, and they may prefer custom versions, bespoke controls or controls suggested by other sources. Ideally, they would do so using an Information Security Management System modeled on ISO/IEC 27001, managing and overseeing the controls and risks systematically.

Structure
Aside from minor variations/explanations to a few of the ISO/IEC 27002 controls, the ‘extended control set’ suggests 14 additional information security controls specifically for telecoms organisations.

Main clauses:
4: Overview
5: Organizational controls - with 8 supplementary controls
6: People controls - with no supplementary controls
7: Physical controls - with 5 supplementary controls
8: Technological controls - with 1 supplementary control

For example, control 5.42 TEL - Non-disclosure of communications indicates that telecoms organisations should, if appropriate, secure metadata relating to the messages they handle for customers, as well as the messages themselves, unless they are legally obliged to disclose.

Status
The first edition was published in 2008. The second edition was published in 2016 with minor corrigendum (correction) in 2018. Having been updated and substantially restructured to align with the 2022 version of ISO/IEC 27002, the current third edition was published in 2024.

Commentary
It is good to see continued productive collaboration between these well-respected international standards bodies, despite the challenge and delays caused by batting the draft standard back and forth between their formal processes like a tennis ball at a Wimbledon final.

This page last updated: 11 February 2026
- ISO/IEC 27010 | ISO27001security
ISO/IEC 27010
ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition)

Abstract

"ISO/IEC 27010:2015 provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods. This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities." [Source: ISO.org page about ISO/IEC 27010, https://www.iso.org/standard/68427.html]

Introduction

ISO/IEC 27010 provides guidance on sharing information about information risks, security controls, issues and/or incidents between industry sectors and/or nations, particularly those affecting critical infrastructure. Sometimes it is necessary to share confidential information regarding information-related threats, vulnerabilities and/or incidents between or within a community of organisations, for example when private companies, governments, law enforcement and CERTs collaborate on the investigation, assessment and resolution of serious pan-organisational and often international cyberattacks. Since such information is often highly sensitive, it typically needs to be restricted to certain individuals within specified recipient organisations. Information sources may need to be kept anonymous. Such information exchanges typically happen in a highly charged and stressful atmosphere under intense time pressures - hardly the most conducive environment for establishing trusted working relationships and agreeing on suitable information security controls.

The standard lays out common ground-rules for information security within communities of interest. It provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for sharing information securely with trusted counterparties on the understanding that important information security principles will be respected.

Scope

ISO/IEC 27010 provides guidance on information security interworking and communications between industries in the same sectors, in different industry sectors and with governments. It applies both in times of crisis affecting critical infrastructure and under normal business circumstances to meet legal, regulatory and contractual obligations. The standard has the style of a 'sector-specific' elaboration on or augmentation of ISO/IEC 27002, recommending a few additional/modified information security controls to protect information risk and security information shared within communities of interest.
Structure

Main clauses:
- 4: Concepts and justification
- 5: Information security policies
- 6: Organization of information security (no additional guidance beyond ISO/IEC 27002:2013)
- 7: Human resources security
- 8: Asset management
- 9: Access control (no additional guidance)
- 10: Cryptography
- 11: Physical and environmental security (no additional guidance)
- 12: Operations security
- 13: Communications security
- 14: Systems acquisition, development and maintenance (no additional guidance)
- 15: Supplier relationships
- 16: Information security incident management
- 17: Information security aspects of business continuity management
- 18: Compliance
- Annex A: Sharing sensitive information
- Annex B: Establishing trust in information exchanges
- Annex C: The traffic light protocol - based on ENISA's red, amber, green and white levels
- Annex D: Models for organizing an information sharing community - TICE and WARP

The standard reflects the structure of ISO/IEC 27002:2013, pre-dating the restructuring of controls into 4 'themes' for the 2022 edition.

Status

The first edition was published in 2012. The current second edition was published in 2015 and confirmed unchanged in 2021.

Commentary

While the actual information risks arising from the sharing of information concerning information security incidents etc. between disparate organisations will of course depend on the specifics of the particular situation at hand (e.g. the nature of the incidents, the protagonists, the victims and the organisations involved), the following generic list of potential information risks and security issues in this area exemplifies the broad range of matters that may need to be taken into account in practice:
- Addressing information security aspects of the process (e.g. writing and implementing policies and procedures along with training and awareness activities for those involved in the process, and conceivably independent assessment or audits to confirm that the arrangements conform to ISO/IEC 27010 and/or other applicable ISO27k standards such as ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005);
- Disclosing initial information and knowledge about the situation at hand prior to formalizing the arrangements, in order to prompt the recipient/s to consider their role and for disclosing parties to consider the risks involved in disclosing further information;
- Building trusted relationships between the organisations directly concerned, communicating and collaborating;
- Trust relationships with other organisations that may also be involved (e.g. if communications are routed through some sort of agency) or are somehow drawn in to the situation, including business partners and those that may have to be informed or engaged in the process as a statutory or other duty;
- Determining and declaring or defining specific information security requirements (this implies some form of information risk analysis by the disclosing parties for sure, and perhaps by the receiving parties);
- Communicating information risks and security control requirements, obligations, expectations or liabilities unambiguously (e.g. using a mutually-understood lexicon of terms based on ISO27k, and comparable information classifications);
- Assessing and accepting security risks and obligations (e.g. in some form of contract or agreement, whose existence and contents may also be confidential);
- Communicating information securely (e.g. using suitable cryptographic controls), preventing it from being sent to the wrong counterparties, intercepted, deleted, spoofed, duplicated, repudiated, damaged, modified or otherwise called into doubt, whether deliberately by some third party or through inadequate controls and errors;
- Version controls and appropriate authorization for both disclosure and acceptance of valuable information;
- Risks and controls relating to the collection, analysis, ownership, protection and onward disclosure of information regarding the situation at hand by the recipient parties engaged in an investigation (e.g. limitations on using the information for purposes not directly associated with the incident at hand);
- Adequately protecting the information and perhaps other assets entrusted to the recipient organisations and individuals;
- Compliance and, where appropriate, enforcement activities such as the imposition of penalties etc. if promises are broken, trust is misplaced or accidents happen;
- Unacceptable delays or other constraints on the communication of important information due to the risk assessment, security and related activities;
- The possible effects on collection, handling, storage, analysis and presentation of forensic evidence;
- Any limitations on post-incident disclosures such as incident management reporting, public press-releases, legal action etc.;
- Systematic process improvement, leading to greater mutual trust and stronger security arrangements for future situations.

The published standard doesn’t cover these aspects explicitly, unfortunately. I feel it would have been more comprehensive and valuable if it had.
- ISO/IEC 27005 | ISO27001security
ISO/IEC 27005
ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)

Abstract

ISO/IEC 27005 "provides guidance to assist organizations to: fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; [and] perform information security risk management activities, specifically information security risk assessment and treatment ...” [Source: ISO/IEC 27005:2022]

Introduction

The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (called “information security risks” in the ISO27k standards, despite that term being undefined) as a prelude to dealing with (“treating”) them in various ways. Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.

Scope

The standard guides organisations interpreting and fulfilling ISO/IEC 27001’s requirements to address (identify, evaluate and treat) their information [security] risks. The approach is generic, flexible and not specific to an ISO/IEC 27001 Information Security Management System. It could be used, for instance, in conjunction with NIST's Cyber Security Framework or SP800-53, GDPR, NIS2 or SOC2, or (with minor adaptations) to guide the proactive management of business risks, safety risks, supply chain risks etc.

Structure

Main clauses:
- 5: Information security risk management - introduces the concept of strategic (long term) and operational (short term) cycles, plus ad hoc responses to changes
- 6: Context establishment - determining stakeholders (e.g. risk owners), their objectives or requirements (e.g. risk appetite) and risk management methods
- 7: Information security risk assessment process - a lengthy clause that lays out the process of systematically identifying, analysing, evaluating and prioritising risks
- 8: Information security risk treatment process - decide what to do, document it and do it
- 9: Operation assessing and treating risks - a short clause mentioning that information [security] risks and treatments should be reviewed regularly or when changes occur
- 10: Leveraging related ISMS processes - basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003
- Annex A: Examples of techniques in support of the risk assessment process - risk matrices/heat-maps and risk modelling

Status

The first (2008), second (2011) and third (2018) editions are ancient history. The current fourth edition was published in 2022. ISO/IEC JTC 1/SC 27/WG 1 is preparing to revise ISO/IEC 27005:2022 by considering various approaches or options, such as whether a multi-part standard might be worthwhile. Its deliberations will presumably flow into a scope for the revision project in due course.

Commentary

Given that ISO27k is risk-based, identifying, evaluating and treating information risks is obviously fundamental to the approach. Each organisation is expected to consider the relevance and significance of its unique set of risks, tailoring its response to suit its business situation or context.

With the fourth edition, ISO/IEC 27005 tackles the thorny issue of how to use ISO/IEC 27001 Annex A. The annex is described as an incomplete set of possible controls to be checked for relevance to mitigate the organisation’s identified information [security] risks - in other words, a controls-based approach to information risk management, supplementing the risk-, scenario-, event- and asset-based approaches mentioned elsewhere. There are advantages in exploring information risks from different perspectives.

The standard primarily concerns using information security controls to ‘modify’ (mitigate or maintain) information [security] risks. Other equally valid risk treatment options (risk avoidance, sharing and acceptance) are barely even mentioned, heavily biasing the entire approach.

ISO’s Technical Committee for Risk Management looks likely to review/clarify the definition of ‘risk’ in ISO 31000 (“effect of uncertainty on objectives”) and may also offer guidance on ‘opportunities’. It is possible the two terms will be distinguished, rather than being portrayed as flip sides as at present. I hope that will eventually make things easier for ISO27k and the other management systems standards, but it may stir the already muddy waters.
- ISO/IEC TS 27008 | ISO27001security
ISO/IEC TS 27008
ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)

Abstract

ISO/IEC TS 27008 "provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. [ISO/IEC TS 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.” [Source: ISO/IEC TS 27008:2019]

Introduction

This standard (a Technical Specification) on “technical auditing” complements ISO/IEC 27007. It is focused on auditing the information security controls (or rather the “technical controls”, which although undefined evidently means IT security or cybersecurity controls). In contrast, ISO/IEC 27007 is more concerned with the management system.

Scope

ISO/IEC TS 27008 provides guidance for all auditors/assessors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s "necessary ISMS controls” satisfy its control objectives. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security.

Structure

Main clauses:
- 5: Background
- 6: Overview of information security control assessments
- 7: Review methods
- 8: Control assessment process
- Annex A: Initial information gathering (other than IT)
- Annex B: Practice guide for technical security assessments
- Annex C: Technical assessment guide for cloud services (Infrastructure as a Service)

With over 100 pages, this is a substantial standard.

Status

The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 Technical Report. It set out to provide “Guidelines for auditors on information security controls”. The current second edition was published in 2019 as ISO/IEC TS 27008:2019, a Technical Specification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. The title morphed into “Guidelines for the assessment of information security controls”, dropping the explicit reference to auditing. The third edition is in preparation, being revised to reflect ISO/IEC 27002:2022. It will revert to a Technical Report. It is at Draft Technical Report stage, likely to emerge during 2026.

Commentary

ISO/IEC TS 27008 gives technology auditors background knowledge to help them review and evaluate the information security controls being managed through an Information Security Management System - or indeed any other structured governance approach (e.g. NIST's Cyber Security Framework, or GDPR and NIS2 from Europe).

The current second edition:
- Is applicable to organisations of all types and sizes;
- Supports planning and execution of ISMS audits and the information risk management process;
- Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);
- Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;
- Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation and intangibles such as reputation and image of the organisation and privacy, skills and experience of people);
- Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard’s scope into the area of management systems auditing];
- Supports effective and efficient use of audit resources, including the enhancement of technology auditors' skills, competence and knowledge.

Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as those in Annex A of ISO/IEC 27001. ISO/IEC TS 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, ISO/IEC 27005 or ISO/IEC 27007 respectively.”

'Technical compliance checking/auditing' is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc.) and testing the controls. The methods should be familiar to experienced technology auditors. ‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security, cybersecurity or technological controls, in other words a subset of the information security controls listed in ISO/IEC 27001 Annex A and described in ISO/IEC 27002. Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress.

Liberal use of “technical” in phrases such as “technical compliance checking of information system controls”, “technical assessment” and “technical security controls” indicates that this standard is concerned with technology, implying IT or data or cyber security specifically, rather than information risk and security in general.

While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in the use of key terms such as: review, assessment, test, validation, check and audit. For example, are “information security auditors” the same as “certification auditors”, “IT auditors”, “internal auditors”, “ISMS internal auditors”, “compliance auditors”, “conformity auditors”, or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000: concerning that little list of terms, only “audit”, “information security” and “conformity” are defined, separately. “Risk assessment” is specifically defined but not “assessment” in general. So, conventional dictionary definitions presumably apply ... but don’t really help. For an international standard, it could hardly be more muddled.
