Search Results

ISO27k standards List ISO/IEC 27000 Open ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition) ISO/IEC 27001 Open ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition) ISO/IEC 27002 Open ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition) ISO/IEC 27003 Open ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition) ISO/IEC 27004 Open ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management ― Monitoring, measurement, analysis and evaluation (second edition) ISO/IEC 27005 Open ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition ) ISO/IEC 27006-1 Open ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition) ISO/IEC 27007 Open ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition) ISO/IEC TS 27008 Open ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition) ISO/IEC 27010 Open ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition) ISO/IEC 27011 Open ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition) ISO/IEC 27013 Open ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition) ISO/IEC 27014 Open ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition) ISO/IEC 27015 Open ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition) ISO/IEC TR 27016 Open ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition) ISO/IEC 27018 Open ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition) ISO/IEC 27019 Open ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition) ISO/IEC 27021 Open ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals (first edition) ISO/IEC TS 27022 Open ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition) ISO/IEC TR 27024 Open ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT] ISO/IEC TS 27028 Open ISO/IEC TS 27028 — Information security, cybersecurity and privacy protection — Guideline on using information security control attributes [DRAFT] ISO/IEC 27031 Open ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity (second edition) ISO/IEC 27032 Open ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition) ISO/IEC 27033-1 Open ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition) ISO/IEC 27033-2 Open ISO/IEC 27033-2:2012 Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition) ISO/IEC 27033-3 Open ISO/IEC 27033-3:2010 Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition) ISO/IEC 27033-4 Open ISO/IEC 27033-4:2014 Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition) ISO/IEC 27033-5 Open ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition) ISO/IEC 27033-6 Open ISO/IEC 27033-6:2016 Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition) ISO/IEC 27033-7 Open ISO/IEC 27033-7:2023 Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition) ISO/IEC 27034-1 Open ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts (first edition) ISO/IEC 27034-2 Open ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: organisation normative framework (first edition) ISO/IEC 27034-3 Open ISO/IEC 27034-3:2018 — Information technology — Security techniques — Application security — Part 3: Application security management process (first edition) ISO/IEC 27034-5 Open ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition) ISO/IEC 27034-6 Open ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies (first edition) ISO/IEC 27034-7 Open ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition) ISO/IEC 27035-1 Open ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition) ISO/IEC 27035-2 Open ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition) ISO/IEC 27035-3 Open ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition) ISO/IEC 27035-4 Open ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination (first edition) ISO/IEC 27036-1 Open ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition) ISO/IEC 27036-2 Open ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements (second edition) ISO/IEC 27036-3 Open ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition) ISO/IEC 27036-4 Open ISO/IEC 27036–4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition) ISO/IEC 27037 Open ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition) ISO/IEC 27038 Open ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction (first edition) ISO/IEC 27039 Open ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operation of intrusion detection and prevention systems (IDPS) (first edition) ISO/IEC 27040 Open ISO/IEC 27040:2024 — Information technology — Security techniques — Storage security (second edition) ISO/IEC 27041 Open ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method (first edition) ISO/IEC 27042 Open ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition) ISO/IEC 27043 Open ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes (first edition) ISO/IEC 27045 Open ISO/IEC 27045 — Information technology — Big data security and privacy — Guidelines for managing big data risks [DRAFT] ISO/IEC 27046 Open ISO/IEC 27046 — Information technology — Big data security and privacy — Implementation guidelines [DRAFT] ISO/IEC 27050-1 Open ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition) ISO/IEC 27050-2 Open ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition) ISO/IEC 27050-3 Open ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition) ISO/IEC 27050-4 Open ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness (first edition) ISO/IEC 27070 Open ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition) ISO/IEC 27071 Open ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services (first edition) ISO/IEC 27090 Open ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT] ISO/IEC 27091 Open ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT] ISO/IEC 27099 Open ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition) ISO/IEC TS 27100 Open ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition) ISO/IEC 27102 Open ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition) ISO/IEC TR 27103 Open ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition) ISO/IEC TR 27109 Open ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT] ISO/IEC TS 27110 Open ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development guidelines (first edition) ISO/IEC TS 27115 Open ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview (DRAFT) ISO/IEC TS 27116-1 Open ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT] ISO/IEC 27400 Open ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines (first edition) ISO/IEC 27402 Open ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements [first edition] ISO/IEC 27403 Open ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition) ISO/IEC 27404 Open ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [first edition] ISO/IEC TR 27550 Open ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition) ISO/IEC 27551 Open ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition) ISO/IEC 27553-1 Open ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: local modes (first edition) ISO/IEC 27553-2 Open ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition) ISO/IEC 27554 Open ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition] ISO/IEC 27555 Open ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition) ISO/IEC 27556 Open ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition) ISO/IEC 27557 Open ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition) ISO/IEC 27559 Open ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition) ISO/IEC TS 27560 Open ISO/IEC TS 27560:2023 — Privacy technologies — Consent record information structure (first edition) ISO/IEC 27561 Open ISO/IEC 27561:2024 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) ( first edition) ISO/IEC 27562 Open ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition) ISO/IEC TR 27563 Open ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition) ISO/IEC TS 27564 Open ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition] ISO/IEC 27565 Open ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT] ISO/IEC 27566-1 Open ISO/IEC 27566-1 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1 — Framework [DRAFT] ISO/IEC 27566-2 Open ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL] ISO/IEC 27566-3 Open ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT] ISO/IEC TS 27568 Open ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL] ISO/IEC TS 27569 Open ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL] ISO/IEC TS 27570 Open ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities (first edition) ISO/IEC 27573 Open ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [PROPOSAL] ISO/IEC 27574 Open ISO/IEC 27574 Information security, cybersecurity and privacy protection— Privacy in brain computer interface (BCI) applications [PROPOSAL] ISO/IEC 27701 Open ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition) ISO/IEC 27706 Open ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition) ISO/IEC 27799 Open ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)

All about the ISO/IEC 27000-series information risk and security management standards Introduction and overview of the ISO27k standards "ISO27k" refers to the ISO/IEC 27000 series standards, a set of 100 good practice guidelines for managing the risks affecting or involving business, commercial, national and personal information. "ISO/IEC" denotes the bodies that jointly developed and maintain the standards: ISO is the Geneva-based International Organization for Standardisation, a non-governmental federation of representatives from national standards bodies across the world - more info ; IEC is the I nternational E lectrotechnical C ommission, another Swiss-based non-governmental global body responsible for standardising various technologies - more info . Effective risk management serves to protect valuable information against harm whilst also permitting its use for legitimate purposes. Both aspects are important. Although in theory we might lock the information away forever, permanently blocking access by everyone, its value would decay to zero given such an excessive level of security. The ISO standards lay out guidance in the form of generic ‘management systems’ that are flexible enough to be adapted for any organisation's unique situation, and various topics. You may already be familiar with ISO 9001 (for quality) or ISO 14001 (for environmental management). Management systems are specified in ISO/IEC 27001 (for information security) and ISO/IEC 27701 (for privacy) . These structures support a systematic approach to: Identify risks of concern, analyse and evaluate them; Treat (avoid, share, mitigate or accept) the risks appropriately; Ensure the risk treatments are working properly in practice (assurance); and Handle changes and drive continual improvement (maturity). Other ISO27k standards expand on various aspects in more detail: ISO/IEC 27005 , for instance, elaborates on the information risk management process, while ISO/IEC 27004 offers advice on security metrics. Certified conformity to ISO/IEC 27001 and ISO/IEC 27701 demonstrates that an organisation is serious about managing information security and privacy. In short, ISO27k is about systematically protecting and legitimately exploiting valuable information for sound business reasons. The ISO27k standards are listed below: click to open any one for further details. The ISO27k standards ISO/IEC 27000 ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition) Open ISO/IEC 27001 ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition) Open ISO/IEC 27002 ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (third edition) Open ISO/IEC 27003 ISO/IEC 27003:2017 — Information technology — Security techniques — Information security management systems — Guidance (second edition) Open ISO/IEC 27004 ISO/IEC 27004:2016 — Information technology — Security techniques — Information security management ― Monitoring, measurement, analysis and evaluation (second edition) Open ISO/IEC 27005 ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition ) Open ISO/IEC 27006-1 ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition) Open ISO/IEC 27007 ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition) Open ISO/IEC TS 27008 ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition) Open ISO/IEC 27010 ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition) Open ISO/IEC 27011 ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition) Open ISO/IEC 27013 ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition) Open ISO/IEC 27014 ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition) Open ISO/IEC 27015 ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition) Open ISO/IEC TR 27016 ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition) Open ISO/IEC 27018 ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition) Open ISO/IEC 27019 ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition) Open ISO/IEC 27021 ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals (first edition) Open ISO/IEC TS 27022 ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition) Open ISO/IEC TR 27024 ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT] Open ISO/IEC TS 27028 ISO/IEC TS 27028 — Information security, cybersecurity and privacy protection — Guideline on using information security control attributes [DRAFT] Open ISO/IEC 27031 ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity (second edition) Open ISO/IEC 27032 ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition) Open ISO/IEC 27033-1 ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts (second edition) Open ISO/IEC 27033-2 ISO/IEC 27033-2:2012 Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition) Open ISO/IEC 27033-3 ISO/IEC 27033-3:2010 Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition) Open ISO/IEC 27033-4 ISO/IEC 27033-4:2014 Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition) Open ISO/IEC 27033-5 ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition) Open ISO/IEC 27033-6 ISO/IEC 27033-6:2016 Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition) Open ISO/IEC 27033-7 ISO/IEC 27033-7:2023 Information technology — Network security — Part 7: Guidelines for network virtualization security (first edition) Open ISO/IEC 27034-1 ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Part 1: Overview and concepts (first edition) Open ISO/IEC 27034-2 ISO/IEC 27034-2:2015 — Information technology — Security techniques — Application security — Part 2: organisation normative framework (first edition) Open ISO/IEC 27034-3 ISO/IEC 27034-3:2018 — Information technology — Security techniques — Application security — Part 3: Application security management process (first edition) Open ISO/IEC 27034-5 ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Protocols and application security controls data structure (first edition) Open ISO/IEC 27034-6 ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies (first edition) Open ISO/IEC 27034-7 ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework (first edition) Open ISO/IEC 27035-1 ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition) Open ISO/IEC 27035-2 ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition) Open ISO/IEC 27035-3 ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition) Open ISO/IEC 27035-4 ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination (first edition) Open ISO/IEC 27036-1 ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts (second edition) Open ISO/IEC 27036-2 ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements (second edition) Open ISO/IEC 27036-3 ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security (second edition) Open ISO/IEC 27036-4 ISO/IEC 27036–4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services (first edition) Open ISO/IEC 27037 ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition) Open ISO/IEC 27038 ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction (first edition) Open ISO/IEC 27039 ISO/IEC 27039:2015 — Information technology — Security techniques — Selection, deployment and operation of intrusion detection and prevention systems (IDPS) (first edition) Open ISO/IEC 27040 ISO/IEC 27040:2024 — Information technology — Security techniques — Storage security (second edition) Open ISO/IEC 27041 ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method (first edition) Open ISO/IEC 27042 ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence (first edition) Open ISO/IEC 27043 ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes (first edition) Open ISO/IEC 27045 ISO/IEC 27045 — Information technology — Big data security and privacy — Guidelines for managing big data risks [DRAFT] Open ISO/IEC 27046 ISO/IEC 27046 — Information technology — Big data security and privacy — Implementation guidelines [DRAFT] Open ISO/IEC 27050-1 ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (second edition) Open ISO/IEC 27050-2 ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition) Open ISO/IEC 27050-3 ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition) Open ISO/IEC 27050-4 ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness (first edition) Open ISO/IEC 27070 ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition) Open ISO/IEC 27071 ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services (first edition) Open ISO/IEC 27090 ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT] Open ISO/IEC 27091 ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT] Open ISO/IEC 27099 ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition) Open ISO/IEC TS 27100 ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition) Open ISO/IEC 27102 ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition) Open ISO/IEC TR 27103 ISO/IEC TR 27103:2018 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards (first edition) Open ISO/IEC TR 27109 ISO/IEC TR 27109 — Information security, cybersecurity and privacy protection — Cybersecurity education and training [DRAFT] Open ISO/IEC TS 27110 ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development guidelines (first edition) Open ISO/IEC TS 27115 ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview (DRAFT) Open ISO/IEC TS 27116-1 ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT] Open ISO/IEC 27400 ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines (first edition) Open ISO/IEC 27402 ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements [first edition] Open ISO/IEC 27403 ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition) Open ISO/IEC 27404 ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [first edition] Open ISO/IEC TR 27550 ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition) Open ISO/IEC 27551 ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition) Open ISO/IEC 27553-1 ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: local modes (first edition) Open ISO/IEC 27553-2 ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition) Open ISO/IEC 27554 ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition] Open ISO/IEC 27555 ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition) Open ISO/IEC 27556 ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition) Open ISO/IEC 27557 ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition) Open ISO/IEC 27559 ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition) Open ISO/IEC TS 27560 ISO/IEC TS 27560:2023 — Privacy technologies — Consent record information structure (first edition) Open ISO/IEC 27561 ISO/IEC 27561:2024 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) ( first edition) Open ISO/IEC 27562 ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition) Open ISO/IEC TR 27563 ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition) Open ISO/IEC TS 27564 ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition] Open ISO/IEC 27565 ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT] Open ISO/IEC 27566-1 ISO/IEC 27566-1 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1 — Framework [DRAFT] Open ISO/IEC 27566-2 ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL] Open ISO/IEC 27566-3 ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT] Open ISO/IEC TS 27568 ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL] Open ISO/IEC TS 27569 ISO/IEC TS 27569 — Personal identifiable information (PII) processing record information structure [PROPOSAL] Open ISO/IEC TS 27570 ISO/IEC TS 27570:2021 — Privacy protection — Privacy guidelines for smart cities (first edition) Open ISO/IEC 27573 ISO/IEC 27573 — Privacy protection of user avatar and system avatar interactions in the metaverse [PROPOSAL] Open ISO/IEC 27574 ISO/IEC 27574 Information security, cybersecurity and privacy protection— Privacy in brain computer interface (BCI) applications [PROPOSAL] Open ISO/IEC 27701 ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition) Open ISO/IEC 27706 ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition) Open ISO/IEC 27799 ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition) Open

Up Up Up ISO/IEC 27015 ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (first edition) Up Abstract “ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.” [Source: ISO/IEC 27017:2015/ITU-T X.1631] Introduction This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards . Scope The 'code of practice' provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013 , in the cloud computing context. Structure The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section, mirroring the structure and controls sequence of ISO/IEC 27002:2013 Status The current first edition was published in 2015 . Having been developed jointly by ISO/IEC and ITU-T, the standard is dual-numbered ISO/IEC 27017 and ITU-T X.1631 with identical content. Work on a second edition started in 2022. It will be updated to “capture a full set of guidance for information security controls applicable to cloud services, both from the third [2022] edition of ISO/IEC 27002 and any additional controls specific related specifically to cloud services.” ISO/IEC SC 27 and SC 38, ITU-T SG17 and the C loud S ecurity A lliance are collaborating on the revision, requiring careful scheduling to coordinate several parallel activities. Substantial changes are coming in the second edition of this standard with a complete reorganisation of the controls as per ISO/IEC 27002:2022 . The title will become “Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services ”. It is at D raft I nternational S tandard stage and may be published at the end of 2025, more likely in 2026. Commentary In my opinion, ISO/IEC 27017 takes an unrealistically simplistic view of cloud service provider and customer relationships as individual one-to-one interactions. In reality, cloud services are often provided by multiple suppliers to multiple clients in different organisations, and nothing remains static for long. In practice, inter-organisational business relationships often extend through complex cloud supply chains or supply networks, with multiple parties involved in collaborating to assemble, deliver and manage cloud services (e.g . network, data centre, physical servers, virtual servers, operating systems, databse management systems and other layered software, applications, and all the associated services). Consequently, there are numerous supplier-customer relationship risks to manage, such as organisational interdependence, contracting and subcontracting, complexity, dynamics and compliance. There are risk visibility and trust issues, resourcing challenges, commercial angles, technological challenges and more to contend with. Cloud-related information risks are cloudy! Risk treatments for cloud and other information risks may include risk sharing, avoidance and acceptance - not just risk mitigation using security controls. Neither ISO/IEC 27017 nor ISO/IEC 27002 pay much attention to risk treatments other than mitigation using security controls. Particularly for small or immature organisations, cloud services providing email, file storage and office apps etc . may be treated as mere commodities, procured without adequate consideration of information risk, security, privacy etc . However, some cloud services may be critical for core business, and cloud generally increases the organisation’s attack surface. [This issue may be more relevant to ISO/IEC 27005 and ISO/IEC 27036 .] Cloud services proved their value for resilience and flexible working through COVID. There are general principles and lessons here that can help organisations be better prepared to cope with future widespread/global challenges such as further pandemics, wars, Internet connectivity issues etc. Our challenge now is to draw them out, consider and embed them where appropriate - possibly in this standard. The standard has widespread support from ISO/IEC JTC 1/SC 27, ITU-T SG17, national standards bodies and CSA among others. However, aligning disparate perspectives and objectives while remaining within the defined scope of the current update project is tricky. SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient and given pressure from ISO not to proliferate Management Systems Standards ‘unnecessarily’. Therefore, SC 27 does not intend to develop a formal requirements specification standard against which to certify the security of cloud service providers specifically. Providers can however be certified against ISO/IEC 27001 , ISO/IEC 27701 and other standards in the usual way, while there are non-ISO cloud security assessment and certification, classification, benchmarking or assurance schemes such as CSA STAR . Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC TR 27016 ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics (first edition) Up Abstract “ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.” [Source: ISO/IEC TR 27016:2014] Introduction There are substantial economic, financial and resourcing aspects to the management of information risks and security controls. Scope The ISO catalogue says ISO/IEC TR 27016 “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.” Structure Main sections: 6 - Information security economic factors 7 - Economic objectives 8: -Balancing information security economics for information security management Annex A - Identifcation of stakeholders and objectives for setting values Annex B - Economic decisions and key cost decision factors Annex C - Economic models appropriate for information security Annex D - Business cases calculation examples Status The current first edition was published in 2014 as a T echnical R eport since this was deemed a developing field of study. Evidently the field has not developed significantly (and the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members. Commentary Some of the more generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000 . Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC 27006-1 ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General (fourth edition) Up Abstract ISO/IEC 27006 part 1 "specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27006-1] are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in [ISO/IEC 27006-1] provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE [ISO/IEC 27006-1] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27006-1:2024] Introduction Part 1 of ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their clients’ I nformation S ecurity M anagement S ystems against ISO/IEC 27001 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organisations are valid, consistent and meaningful. Scope The scope is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001 . It is primarily intended to support the accreditation of certification bodies providing ISMS certification.” Any properly-accredited body providing ISO/IEC 27001 conformity certificates must fulfill the requirements in ISO/IEC 27006 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful, and truly indicate that the organisation has fully satisfied the stated requirements. Since literally anyone can issue certificates without necessarily following the certification processes specified in this standard, even substantially non-conformant organisations could conceivably purchase their ISMS certificates or simply ‘self-certify’ (assert rather than demonstrate conformity), discrediting the whole certification structure. Structure ISO/IEC 27006-1 specifies requirements and provides guidance for conformity auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011 . The certification process involves auditing the information security management system for conformity with ISO/IEC 27001 . The information security control set is “not used for conformity assessment”, merely to determine that controls were included or excluded in accordance with ISO/IEC 27001 clause 6.1.3 d. A note to clause 9.1.1 states: “It is possible for an organization to design its own necessary controls or to select them from any source, therefore it is possible that an organization is certified to ISO/IEC 27001 even though none of its necessary controls are those specified in ISO/IEC 27001:2022, Annex A.” The standard follows the structure of ISO/IEC 17021-1 clause-by-clause, adding guidance specific to ISMS certifications where applicable - for example, in order to remain independent and objective, the certification body cannot also provide information security reviews or internal audits of the client’s ISMS. [Since no period is specified, this could be interpreted as a permanent or indefinite exclusion, or it may mean contemporaneously or within a few months or ... whatever.] Status The first edition of ISO/IEC 27006 was published in 2007 . The second edition was published in 2011 . The third edition was substantially revised and published in 2015 , with minor wording changes as an amendment in 2020. The fourth edition was published as ISO/IEC 27006-1 in 2024 . It builds upon two normative references - ISO/IEC 17021-1:2015 and ISO/IEC 27001:2022 . Meanwhile, SC 27 is working on the structure of ISO/IEC 27006-1 and other issues, including concerns raised but not entirely resolved in exchanges with CASCO . See also ISO/IEC 27007 for guidance on auditing the management system element of an ISMS and ISO/IEC 27008 for guidance on auditing information security controls. [A second part to '27006 was published in 2021 covering PIMS certification but was then renumbered in 2025 as ISO/IEC 27706 .] Commentary Certification auditors have only a passing interest in the organisation’s information risks and information security controls that are being managed, sufficient to confirm that the ISMS is operational. It is largely assumed that any organisation with an operational ISMS in conformity with the standard is, in fact, managing its information risks diligently. ISO/IEC 27001 gives organisations latitude on how they design and document their ISMS, and hence certification auditors cannot simply follow a straightforward conformity checklist: they need to understand both management systems and information risk and security concepts. As far as I’m concerned, that’s a good thing! The requirement to specify the S tatement o f A pplicability on ISO/IEC 27001 conformity certificates has the unfortunate side-effect of impeding maintenance updates to an ISMS if that would affect the SoA e.g. responding to newly-identified information risks or to incorporate additional controls. Since that hampers a fundamental principle or purpose of having a management system, it may constitute a substantive defect in ISO/IEC 27006-1 ... and perhaps other ISO management system standards too. In practice, nobody (except me?) seems bothered by this. Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC 27014 ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition) Up Abstract ISO/IEC 27014 "provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation. The intended audience for [ISO/IEC 27014] is: governing body and top management; those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. [ISO/IEC 27014] is applicable to all types and sizes of organisations. All references to an ISMS in [ISO/IEC 27014] apply to an ISMS based on ISO/IEC 27001. [ISO/IEC 27014] focuses on the three types of ISMS organisations given in Annex B. However, [ISO/IEC 27014] can also be used by other types of organisations.” [Source: ISO/IEC 27014:2020/ITU-T X.1054] Introduction This standard, produced by ISO/IEC JTC 1/SC 27 in collaboration with the I nternational T elecommunications U nion’s T elecommunication Standardization Sector (ITU-T), is specifically aimed at helping organisations govern their information security arrangements . Scope ISO/IEC 27014 “provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation.” In a nutshell, through sound governance arrangements, information security management achieves business objectives - a very important and powerful concept. As with other ISO27k standards , it is “applicable to all types and sizes of organisations”, particularly those with one or more ISO 27001 -style ISMSs encompassing either the entirety or certain parts of the organisation, or where a single ISMS applies across several businesses or business units (e.g . within a group structure). Structure The main clauses are: 6 - Governance and management standards; 7 - Entity governance and information security governance; 8 - The governing body’s requirements on the ISMS; Annex A - Governance relationship; Annex B - Types of ISMS organization; Annex C - Examples of communication. The standard explains four “processes” (key aspects of governance): Evaluation: senior management considers proposals and plans for information security management (e.g. "We will adopt an ISO27001 ISMS"); Direction: preparing strategies, policies and objectives for information security that align with and support the achievement of the organisation’s business objectives (e.g. “It is imperative that we both protect and exploit valuable information”); Monitoring the performance of information security through management information flows and internal reporting arrangements (e.g. “We track the following security metrics: ...”); Communication: ensures that all those within the organisation who are actively involved in directing, overseeing, driving, guiding and monitoring information security are 'singing from the same hymn sheet', while external stakeholders (such as its owners and regulatory authorities) are assured that information risk is being competently managed. It also lays out six information security objectives that the governance and management arrangements should satisfy: Establish integrated comprehensive entity-wide information security since the information at risk exists and is legitimately exploited, and hence deserves protection, throughout the organisation; Make decisions using a risk-based approach - fundamental to all the ISO27k standards and at all levels of the ISMS from governance and strategy through management to routine operations (e.g . risk-assessing identified incidents to determine the priority and nature of the responses required); Set the direction of acquisition - as in corporate mergers and acquisitions, as opposed to procuring goods and services; Ensure conformance with internal and external requirements through assurance such as auditing of information security activities; Foster a security-positive culture - an excellent suggestion, albeit easier said than done; Ensure the security performance meets current and future requirements of the entity - there is a need for suitable management oversight, monitoring and measurement (metrics) in relation to current requirements, of course, but what about the future ? Food for thought here. Status The first edition was published in 2013 , dual-numbered as ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text. The second edition was published by ISO/IEC in 2020 and then released by ITU-T as a free PDF download in 2021. Commentary ISO/IEC 27014 refers to ‘information risk management ’ - a minor but important distinction from the usual terms ‘information security risk’ and ‘information security management’. Security (as in controls to reduce/mitigate risk) is not the only way to treat risks to information: they can also be avoided, shared and accepted. Personally, I wish the remaining ISO27k standards would adopt ‘information risk’ (defined along the lines of “risk pertaining to information”) in place of ‘information security risk’ (a term that is not actually defined as such) but, so far, SC 27 management has blocked the move and we have not had the opportunity to debate it. I am merely a lone and tired kayaker nudging ISO’s supertanker. In the course of drafting the second edition, SC 27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organisation’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details. The definition of ‘governing body’ obliquely notes that, along with ‘executive management’, both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organisation at the highest level”. In essence, the standard hints that senior management has distinct or separable governance (strategic direction-setting) and hands-on executive management roles. The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organisation-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth, largely I guess because of the differences between organisations. As an information security professional with a keen interest in security awareness , I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve. ISO 37000:2021 “Guidance for the governance of organisations” could be the basis for updating ISO/IEC 27014 to utilise common concepts and terms. Maybe. At some point. Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC 27011 ISO/IEC 27011:2024 / ITU-T X.1051 — Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations (third edition) Up Abstract “The scope of this Recommendation | International Standard is to provide guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property.” [Source: ISO/IEC 27011:2024/ITU-T X.1051] Introduction This I nformation S ecurity M anagement S ystem implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27, with the identical text being dual-numbered as both ISO/IEC 27011 and ITU-T X.1051 . Scope ISO/IEC 27011 guides telecoms organisations on the information security controls worth considering and adopting to mitigate their unacceptable information risks. As with ISO/IEC 27002 , the controls are discretionary, not mandatory. Telecoms organisations are free to determine whether the controls are or are not applicable ("necessary") according to their information risks, and they may prefer custom versions, bespoke controls or controls suggested by other sources. Ideally, they would do so using an I nformation S ecurity M anagement S ystem modeled on ISO/IEC 27001 , managing and overseeing the controls and risks systematically. Structure Aside from minor variations/explanations to a few of the ISO/IEC 27002 controls, the ‘extended control set’ suggests 14 additional information security controls specifically for telecoms organisations. For example, control 5.42 TEL - Non-disclosure of communications indicates that telecoms organisations should, if appropriate, secure metadata relating to the messages they handle for customers, as well as the messages themselves, unless they are legally obliged to disclose. Status The first edition was published in 2008 . The second edition was published in 2016 with minor corrigendum (correction) in 2018. Having been updated and substantially restructured to align with the 2022 version of ISO/IEC 27002 , the third edition was published in 2024 . Commentary It is good to see continued productive collaboration between these well-respected international standards bodies, despite the challenge and delays caused by batting the draft standard back and forth between their formal processes like a tennis ball at a Wimbledon final. Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC 27013 ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition) Up Abstract ISO/IEC 27013 "gives guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for organisations intending to: (a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa; (b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or (c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1. [ISO/IEC 27013] focuses exclusively on the integrated implementation of an information security management system (ISMS) as specified in ISO/IEC 27001 and a service management system (SMS) as specified in ISO/IEC 20000-1.” [Source: ISO/IEC 27013:2021] Introduction This standard provides guidance on implementing an integrated information security and IT service management system , based on both ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management specification, originally based on ITIL - the UK Government's IT I nfrastructure L ibrary). The benefits include: Credible provision of effective and secure information/IT services. Cost reduction, quicker implementation, better communication, increased reliability and efficiency, and easier certification process due to integration and commonality. Mutual understanding by service management and information security personnel. Scope ISO/IEC 27013 advises users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to: Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1 , or vice versa ; Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems. The scope of this standard spans two ISO/IEC JTC 1 subcommittees. SC 27 and SC 7 collaborated to ensure that the information security and IT service management perspectives were both duly considered. Structure The standard proposes a framework for organising and prioritising activities, offering advice on: Aligning the information security and service management and improvement objectives; Coordinating multidisciplinary activities, leading to a more integrated and aligned approach (e.g . both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar); A collective system of processes and supporting documents (policies, procedures etc .); A common vocabulary and shared vision; Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!). Two annexes compare the ISO/IEC 27001 and 20000 standards side-by-side. Status The first edition was published in 2012. The second edition was published in 2015 . The current third edition was published in 2021 . A 4-page amendment to the third edition was published in 2024 , updating references to the 2022 versions of ISO/IEC 27001 and 27002 , adding useful guidance on selection of information security controls for the S tatement o f A pplicability from Annex A or elsewhere (1 of the 4 pages!). Commentary Write out 1,000 times: “There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT ... ” Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC TS 27008 ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition) Up Abstract ISO/IEC 27008 "provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. [ISO/IEC 27008] offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.” [Source: ISO/IEC TS 27008:2019] Introduction This standard (strictly speaking a T echnical S pecification) on “technical auditing” complements ISO/IEC 27007 . It is focused on auditing the information security controls (or rather the “technical controls”, which although undefined evidently means IT security or cybersecurity controls). In contrast, ISO/IEC 27007 concerns the management system . Scope ISO/IEC TS 27008 provides guidance for all auditors/assessors regarding “information security management systems controls” [sic ] selected through a risk-based approach (e.g . as presented in a S tatement o f A pplicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s "necessary ISMS controls” satisfy the control objectives. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for the governance and management of information risk and security. Structure Main sections: 5: Background 6: Overview of information security control assessments 7: Review methods 8: Control assessment process Annex A: Initial information gathering (other than IT) Annex B: Practice guide foir technical security assessments Annex C:Technical assessment guide for cloud services (Infrastructure as a Service) Status The first edition was published in 2011 as ISO/IEC TR 27008:2011, a Type 2 T echnical R eport. It set out to provide “Guidelines for auditors on information security controls”. The second edition was published in 2019 as ISO/IEC TS 27008:2019, a T echnical S pecification reflecting the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002 . The title morphed into “Guidelines for the assessment of information security controls”, dropping the explicit reference to auditing. The third edition is currently in preparation, being revised to reflect ISO/IEC 27002:2022 . It will revert to a T echnical R eport. It is at D raft T echnical R eport stage, likely to emerge during 2026. Commentary ISO/IEC TS 27008 gives technology auditors background knowledge to help them review and evaluate the information security controls being managed through an I nformation S ecurity M anagement S ystem. The current second edition: Is applicable to organisations of all types and sizes; Supports planning and execution of ISMS audits and the information risk management process; Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g . in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments); Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013 ; Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organisation and intangibles such as reputation and image of the organisation and privacy, skills and experience of people); Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That strays from the standard’s scope into the area of management systems auditing]; Supports effective and efficient use of audit resources. Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001 , ISO/IEC TS 27008 focuses on checking the information security controls themselves, such as (for example) those as in Annex A of ISO/IEC 27001 . ISO/IEC TS 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004 , ISO/IEC 27005 or ISO/IEC 27007 respectively.” 'Technical compliance checking/auditing' is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc. ), and testing the controls. The methods should be familiar to experienced technology auditors. ‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls listed in ISO/IEC 27001 Annex A and described in ISO/IEC 27002 . Furthermore, the correct term here is conformity, not compliance, since it is discretionary. But I digress. Liberal use of “technical” in phrases such as “technical compliance checking of information system controls”, “technical assessment” and “technical security controls”, indicates that this standard is concerned with technology , implying IT or cyber security, specifically, rather than information risk and security in general. While this standard is not intended to be used for certification, it remains inconsistent and ambiguous (frankly, unclear and confusing) in the use of key terms such as: review, assessment, test, validation, check and audit. For example, are “information security auditors” the same as “certification auditors”, “IT auditors”, “internal auditors”, “ISMS internal auditors”, “compliance auditors”, “conformity auditors”, or something else? There are no (zero) definitions in the second edition since all terms are supposedly defined in ISO/IEC 27000 : concerning that little list of terms, only “audit”, “information security” and “conformity” are defined, separately. “Risk assessment” is specifically defined but not “assessment” in general. So, conventional dictionary definitions presumably apply ... but don’t really help. For an international standard, it could hardly be more muddled. Up Up Up This page last updated: 11 December 2025

Up Up Up ISO/IEC 27010 ISO/IEC 27010:2015 — Information technology — Security techniques — Information security management for inter-sector and inter-organisational communications (second edition) Up Abstract “ISO/IEC 27010:2015 provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organisational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods. This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organisation's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.” [Source: ISO/IEC 27010:2015] Introduction ISO/IEC 27010 provides guidance on sharing information about information risks, security controls, issues and/or incidents between industry sectors and/or nations, particularly those affecting critical infrastructure . Sometimes it is necessary to share confidential information regarding information-related threats, vulnerabilities and/or incidents between or within a community of organisations. For example, when private companies, governments, law enforcement and CERTs collaborate on the investigation, assessment and resolution of serious pan-organisational and often international cyberattacks. Since such information is often highly sensitive, it typically needs to be restricted to certain individuals within specified recipient organisations. Information sources may need to be kept anonymous. Such information exchanges typically happen in a highly charged and stressful atmosphere under intense time pressures - hardly the most conducive environment for establishing trusted working relationships and agreeing on suitable information security controls. The standard should help by laying out common ground-rules for security. The standard provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for the sharing of information securely with trusted counterparties on the understanding that important information security principles will be respected. Scope ISO/IEC 27010 provides guidance on information security interworking and communications between industries in the same sectors, in different industry sectors and with governments. It applies both in times of crisis affecting critical infrastructure and under normal business circumstances to meet legal, regulatory and contractual obligations. Structure Main sections: 4: Concepts and justification 5: Information security policies 6: Organization of information security 7: Human resources security 8: Asset management 9: Access control 10: Cryptography 11 Physical and environmental security 12: Operations security 13: Communications security 14: Systems acquisition, development and maintenance 15: Supplier relationships 16: Information security incident management 17: Information security aspects of business continuity management 18: Compliance Annex A: Sharing sensitive information Annex B: Establishing trust in information exchanges Annex C: The traffic light protocol. Annex D: Models for organizing an information sharing community Status The first edition was published in 2012 . The current second edition was published in 2015 and confirmed by SC 27 without change in 2021. Commentary While the actual information risks arising from the sharing of information concerning information security incidents etc . between disparate organisations will of course depend on the specifics of the particular situation at hand (e.g. the nature of the incidents, the protagonists, the victims and the organisations involved), the following generic list of potential information risks and security issues in this area exemplifies the broad range of matters that may need to be taken into account in practice: Addressing information security aspects of the process (e.g . writing and implementing policies and procedures along with training and awareness activities for those involved in the process, and conceivably independent assessment or audits to confirm that the arrangements conform to ISO/IEC 27010 and/or other applicable ISO27k standards such as ISO/IEC 27001 , ISO/IEC 27002 and ISO/IEC 27005 ); Disclosing initial information and knowledge about the situation at hand prior to formalizing the arrangements, in order to prompt the recipient/s to consider their role and for disclosing parties to consider the risks involved in disclosing further information; Building trusted relationships between the organisations directly concerned, communicating and collaborating; Trust relationships with other organisations that may also be involved (e.g . if communications are routed through some sort of agency) or are somehow drawn-in to the situation, including business partners and those that may have to be informed or engaged in the process as a statutory or other duty; Determining and declaring or defining specific information security requirements (implies some form of information risk analysis by the disclosing parties for sure, and perhaps by the receiving parties); Communicating information risks and security control requirements, obligations, expectations or liabilities unambiguously (e.g . using a mutually-understood lexicon of terms based on ISO27k, and comparable information classifications); Assessing and accepting security risks and obligations (e.g . in some form of contract or agreement, whose existence and contents may also be confidential); Communicating information securely (e.g. using suitable cryptographic controls), preventing it from being sent to the wrong counterparties, intercepted, deleted, spoofed, duplicated, repudiated, damaged, modified or otherwise called into doubt deliberately by some third party or through inadequate controls and errors; Version controls and appropriate authorization for both disclosure and acceptance of valuable information; Risks and controls relating to the collection, analysis, ownership, protection and onward disclosure of information regarding the situation at hand by the recipient parties engaged in an investigation (e.g. limitations on using the information for purposes not directly associated with the incident at hand); Adequately protecting the information and perhaps others assets entrusted to the recipient organisations and individuals; Compliance and where appropriate enforcement activities such as imposition of penalties etc . if promises are broken, trust is misplaced or accidents happen; Unacceptable delays or other constraints on the communication of important information due to the risk assessment, security and related activities; The possible effects on collection, handling, storage, analysis and presentation of forensic evidence; Any limitations on post-incident disclosures such as incident management reporting, public press-releases, legal action etc .; Systematic process improvement, leading to greater mutual trust and stronger security arrangements for future situations. The published standard doesn’t cover these aspects explicitly, unfortunately. I feel it would have been more comprehensive and valuable if it had. Up Up Up This page last updated: 11 December 2025