ISO 27k - Standards - Listing - 2022


ISO27k standards

Information Security Management System

ISO27k information risk and security management standards


The following “ISO27k standards” are either published (and dated) or in preparation as of November 2022.

# | Standard | Published | Title | Notes
1 | ISO/IEC 27000 | 2018 | Information security management systems — Overview and vocabulary | Overview/introduction to the ISO27k standards as a whole plus a glossary of terms; FREE!
2 | ISO/IEC 27001 | 2022 | Information Security Management Systems — Requirements | Formally specifies an ISMS against which thousands of organisations have been certified
3 | ISO/IEC 27002 | 2022 | Information security controls | A reasonably comprehensive suite of good practice information security controls
4 | ISO/IEC 27003 | 2017 | Information security management system implementation guidance | Sound advice on implementing ISO27k, expanding section-by-section on the main body of ISO/IEC 27001
5 | ISO/IEC 27004 | 2016 | Information security management ― Monitoring, measurement, analysis and evaluation | Useful advice on security metrics
6 | ISO/IEC 27005 | 2022 | Information security risk management | Discusses information risk management principles in general terms without specifying or mandating particular methods
7 | ISO/IEC 27006 | 2015 | Requirements for bodies providing audit and certification of information security management systems | Formal guidance for certification bodies on the ISMS certification process: will become ‘part 1’ at the next revision


8 | ISO/IEC TS 27006-2 | 2021 | Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems | Formal guidance for certification bodies on the PIMS certification process
9 | ISO/IEC 27007 | 2020 | Guidelines for information security management systems auditing | Auditing the management system elements of the ISMS
10 | ISO/IEC TS 27008 | 2019 | Guidelines for auditors on assessment of information security controls | Auditing the information security elements of the ISMS
11 | ISO/IEC 27009 | 2020 | Sector-specific application of ISO/IEC 27001 – requirements | Guidance for those developing new ISO27k standards for particular industries
12 | ISO/IEC 27010 | 2015 | Information security management for inter-sector and inter-organisational communications | Sharing information on information security between industry sectors and/or nations, particularly those affecting “critical infrastructure”
13 | ISO/IEC 27011 | 2016 | Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | Information security controls for the telecoms industry; also called “ITU-T Recommendation X.1051”
14 | ISO/IEC 27013 | 2021 | Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 | Combining ISO27k/ISMS with IT Service Management/ITIL
15 | ISO/IEC 27014 | 2020 | Governance of information security | Governance in the context of information security; also called “ITU-T Recommendation X.1054”
16 | ISO/IEC TR 27016 | 2014 | Information security management – Organizational economics | Economic theory applied to information security
17 | ISO/IEC 27017 | 2015 | Code of practice for information security controls based on ISO/IEC 27002 for cloud services | Information security controls for cloud computing; also called “ITU-T Recommendation X.1631”
18 | ISO/IEC 27018 | 2019 | Code of practice for controls to protect personally identifiable information in public clouds acting as PII processors | Privacy controls primarily for public cloud computing services
19 | ISO/IEC 27019 | 2017 | Information security control for the energy utility industry | Information security for ICS/SCADA/embedded systems (not just used in the energy industry!), excluding the nuclear industry
20 | ISO/IEC 27021 | 2017 | Competence requirements for information security management systems professionals | Guidance on the skills and knowledge necessary to work in this field
21 | ISO/IEC 27022 | 2021 | Guidance on information security management system processes | Describes an ISMS as a suite of processes
22 | ISO/IEC TR 27024 | DRAFT | Use of ISO/IEC 27001 family of standards in governmental/regulatory requirements | References various laws and regulations that refer to or build on ISO27k
23 | ISO/IEC 27028 | DRAFT | Guidelines for ISO/IEC 27002 attributes | Advice on extending and using the control attributes from ISO/IEC 27002
24 | ISO/IEC 27029 | DRAFT | ISO/IEC 27002 and ISO and IEC standards | ?? Too early to say !
25 | ISO/IEC 27031 | 2011 | Guidelines for information and communications technology readiness for business continuity | Continuity (i.e. resilience, incident management and disaster recovery) for ICT, supporting general business continuity; revision in progress


26 | ISO/IEC 27032 | 2012 | Guidelines for cybersecurity | Ignore the vague title: this standard actually concerns Internet security
27 | ISO/IEC 27033-1 | 2015 | Network security overview and concepts | Various aspects of network security, updating and replacing ISO/IEC 18028
28 | ISO/IEC 27033-2 | 2012 | Guidelines for the design and implementation of network security | Ditto
29 | ISO/IEC 27033-3 | 2010 | Reference networking scenarios - threats, design techniques and control issues | Ditto
30 | ISO/IEC 27033-4 | 2014 | Securing communications between networks using security gateways | Ditto
31 | ISO/IEC 27033-5 | 2013 | Securing communications across networks using Virtual Private Networks (VPNs) | Ditto
32 | ISO/IEC 27033-6 | 2016 | Securing wireless IP network access | Ditto
33 | ISO/IEC 27033-7 | DRAFT | Network virtualization security | Ditto
34 | ISO/IEC 27034-1 | 2011 | Application security — Overview and concepts | Multi-part application security standard
35 | ISO/IEC 27034-2 | 2015 | Organization normative framework | Ditto
36 | ISO/IEC 27034-3 | 2018 | Application security management process | Ditto


37 | ISO/IEC 27034-4 | DRAFT [cancelled] | Application security verification and validation | Promotes the concept of a reusable library of information security control functions, formally specified, designed and tested
38 | ISO/IEC 27034-5 | 2017 | Protocols and application security control data structure | Ditto
39 | ISO/IEC TS 27034-5-1 | 2018 | Protocols and application security control data structure, XML schemas | Ditto
40 | ISO/IEC 27034-6 | 2016 | Case studies | Ditto
41 | ISO/IEC 27034-7 | 2018 | Application security assurance prediction framework | Ditto
42 | ISO/IEC 27035-1 | 2016 | Information security incident management — Principles of incident management | Replaced ISO TR 18044. Specifically concerns incidents affecting IT systems and networks (not all kinds of information security incident)
43 | ISO/IEC 27035-2 | 2016 | Information security incident management — Guidelines to plan and prepare for incident response | Ditto
44 | ISO/IEC 27035-3 | 2020 | Information security incident management — Guidelines for ICT incident response operations | Ditto
45 | ISO/IEC 27035-4 | DRAFT | Information security incident management — Coordination | Ditto
46 | ISO/IEC 27036-1 | 2014 | Information security for supplier relationships – Overview and concepts (FREE!) | Information security aspects of ICT outsourcing and services
47 | ISO/IEC 27036-2 | 2022 | Information security for supplier relationships — Requirements | Ditto
48 | ISO/IEC 27036-3 | 2013 | Information security for supplier relationships — Guidelines for ICT supply chain security | Ditto


49 | ISO/IEC 27036-4 | 2016 | Information security for supplier relationships — Guidelines for security of cloud services | Ditto
50 | ISO/IEC 27037 | 2012 | Guidelines for identification, collection, acquisition, and preservation of digital evidence | One of several IT forensics standards
51 | ISO/IEC 27038 | 2014 | Specification for digital redaction | Redaction of sensitive content in digital documents prior to release/disclosure/publication
52 | ISO/IEC 27039 | 2015 | Selection, deployment and operations of intrusion detection and prevention systems (IDPS) | IDS/IPS
53 | ISO/IEC 27040 | 2015 | Storage security | IT security for stored data
54 | ISO/IEC 27041 | 2015 | Guidelines on assuring suitability and adequacy of incident investigative method | Assurance of the integrity of forensic evidence is absolutely vital
55 | ISO/IEC 27042 | 2015 | Guidelines for the analysis and interpretation of digital evidence | IT forensics analytical methods
56 | ISO/IEC 27043 | 2015 | Incident investigation principles and processes | The basic principles of eForensics
57 | ISO/IEC 27045 | DRAFT | Big data security and privacy - Processes | Will cover processes for security and privacy of big data (whatever that turns out to mean)
58 | ISO/IEC 27046 | DRAFT | Big data security and privacy - Implementation guidelines | How to implement the processes


59 | ISO/IEC 27050-1 | 2019 | Electronic discovery – overview and concepts | More eForensics advice
60 | ISO/IEC 27050-2 | 2018 | Electronic discovery - Guidance for governance and management | Advice on treating the risks relating to eForensics
61 | ISO/IEC 27050-3 | 2020 | Electronic discovery - Code of practice | A how-to-do-it guide to eDiscovery
62 | ISO/IEC 27050-4 | 2021 | Electronic discovery - Technical readiness | Guidance on eDiscovery technology (tools, systems and processes)
63 | ISO/IEC 27070 | 2021 | Requirements for establishing virtualized roots of trust | Concerns trusted cloud computing
64 | ISO/IEC 27071 | DRAFT | Security recommendations for establishing trusted connections between devices and services | Ditto
65 | ISO/IEC 27090 | DRAFT | Guidance for addressing security threats and failures in artificial intelligence systems | Mitigating information risks in AI systems is going to be a tricky subject for standardisation
66 | ISO/IEC 27099 | 2022 | Public key infrastructure - practices and policy framework | Information security management requirements for Certification Authorities
67 | ISO/IEC TS 27100 | 2020 | Cybersecurity – overview and concepts | Despite the promising title, this is yet another ISO27k standard that fails to define ‘cybersecurity’
68 | ISO/IEC 27102 | 2019 | Information security management - guidelines for cyber-insurance | Advice on obtaining insurance to recover some of the costs arising from cyber-incidents
69 | ISO/IEC TR 27103 | 2018 | Cybersecurity and ISO and IEC standards | Explains how ISO27k and other ISO and IEC standards relate to ‘cybersecurity’


70 | ISO/IEC TR 27109 | DRAFT | Cybersecurity education | Hopefully teachers will be able to explain what ‘cybersecurity’ is!
71 | ISO/IEC TS 27110 | 2021 | Cybersecurity framework development guidelines | Guidance on basic concepts to organize and communicate cybersecurity activities
72 | ISO/IEC 27400 | 2022 | IoT security and privacy - Guidelines | Concerns the information risk, security and privacy aspects of IoT
73 | ISO/IEC 27402 | DRAFT | IoT security and privacy – Device baseline requirements | Basic controls expected of IoT things
74 | ISO/IEC 27403 | DRAFT | IoT security and privacy – Guidelines for IoT-domotics | Advice on identifying and treating information risks for IoT in the home
75 | ISO/IEC 27404 | DRAFT | IoT security and privacy – Cybersecurity labelling for consumer IoT | How to label IoT things to indicate their security and privacy status
76 | ISO/IEC TR 27550 | 2019 | Privacy engineering for system life cycle processes | How to address privacy throughout the lifecycle of IT systems
77 | ISO/IEC 27551 | DRAFT | Requirements for attribute-based unlinkable entity authentication | ABUEA allows people to authenticate while remaining anonymous
78 | ISO/IEC 27553-1 | 2022 | Security requirements for authentication using biometrics on mobile devices – local modes | High-level requirements to standardize the use of biometrics on mobile devices
79 | ISO/IEC 27553-2 | DRAFT | Security requirements for authentication using biometrics on mobile devices – remote modes | Ditto
80 | ISO/IEC 27554 | DRAFT | Application of ISO 31000 for assessment of identity management-related risk | About applying the ISO 31000 risk management process to identity management
81 | ISO/IEC 27555 | 2021 | Guidelines on personally identifiable information deletion | Advice on how to delete personal information
82 | ISO/IEC 27556 | 2022 | User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences | How to handle and comply with the privacy requirements expressed by data subjects
83 | ISO/IEC 27557 | 2022 | Organizational privacy risk management | Another privacy standard!
84 | ISO/IEC 27559 | DRAFT | Privacy-enhancing data de-identification framework | About anonymizing personal data to allow its analysis and use without privacy implications
85 | ISO/IEC TS 27560 | DRAFT | Consent record information structure | A data structure/format to store and share data subjects’ privacy consents
86 | ISO/IEC 27561 | DRAFT | Privacy operationalisation model and method for engineering (POMME) | An approach to embedding privacy controls into systems
87 | ISO/IEC 27562 | DRAFT | Privacy guidelines for fintech services | Guidance on handling privacy obligations in financial services technology companies
88 | ISO/IEC TR 27563 | DRAFT | Impact of security and privacy in artificial intelligence use cases | Guidance on assessing security and privacy aspects of AI use cases in ISO/IEC TR 24030


89 | ISO/IEC 27565 | DRAFT | Guidelines on privacy preservation based on zero knowledge proofs | Another method to anonymize personal data shared between organisations
90 | ISO/IEC TS 27570 | 2021 | Privacy guideline for smart cities | Guidance on incorporating privacy arrangements into the design of smart city infrastructures
91 | ISO/IEC 27701 | 2019 | Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy management — Requirements and guidelines | Extends an ISO/IEC 27001 ISMS to manage privacy as well as information security
92 | ISO 27799 | 2016 | Health informatics — Information security management in health using ISO/IEC 27002 | Infosec management advice for the healthcare/medical industry

Please consult the ISO website for definitive information: this is not an official ISO/IEC listing and may be inaccurate and/or incomplete, given that the ISO27k standards are being actively developed and maintained.

Copyright

This work is copyright © 2022, IsecT Limited, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to SecAware (www.SecAware.com), and (c) if shared, derivative works are shared under the same terms as this.

Visit www.SecAware.com for more templates, guidance and other materials.

Copyright © 2022 IsecT Ltd.


ISO/IEC 27031 ICT for business continuity


ISO/IEC 27031:2011 — Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity (first edition)

Abstract
“ISO/IEC 27031:2011 describes the concepts and principles of information and communication
technology (ICT) readiness for business continuity, and provides a framework of methods and
processes to identify and specify all aspects (such as performance criteria, design, and
implementation) for improving an organisation's ICT readiness to ensure business continuity ...”

[Source: ISO/IEC 27031:2011]

Introduction
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity.

https://www.iso27001security.com/html/27031.html (1 of 5)2/2/2024 6:41:31 PM


The standard:

● Suggests a structure or framework (a coherent set or suite of methods and processes) for any
organisation – private, governmental, and non-governmental;

● Identifies and specifies all relevant aspects including performance criteria, design, and implementation
details, for improving ICT readiness as part of the organisation’s ISMS, helping to ensure business
continuity;

● Enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster
in a consistent and recognized manner.

Scope and purpose


The standard encompasses all events and incidents (not just information security related) that could have an
impact on ICT infrastructure and systems. It therefore extends the practices of information security incident
handling and management, ICT readiness planning and services.
ICT Readiness for Business Continuity [a general term for the processes described in the standard] supports
Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be
recovered to pre-determined levels within timescales required and agreed by the organisation.”
ICT readiness is important for business continuity purposes because:

● ICT is prevalent and many organisations are highly dependent on ICT supporting critical business
processes;

● ICT also supports incident, business continuity, disaster and emergency response, and related
management processes;

● Business continuity planning is incomplete without adequately considering and protecting ICT availability
and continuity.

ICT readiness encompasses:

● Preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the
associated processes and people, against unforeseeable events that could change the risk environment
and impact ICT and business continuity;

● Leveraging and streamlining resources among business continuity, disaster recovery, emergency response
and ICT security incident response and management activities.

ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of
information security incidents on the organisation.
The standard incorporates the cyclical Plan-Do-Check-Act Deming-style approach, extending the conventional
business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment
methods’ such as Failure Modes and Effects Analysis, with a focus on identifying ‘triggering events’ that could
precipitate more or less serious incidents.
The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business
continuity, to ensure alignment and avoid overlap or conflict.

Status of the standard


ISO/IEC 27031 was originally intended to be a multi-part standard, then two parts (a formal specification plus a
guideline) and finally a single part (just the guideline) which was first published in 2011.
The routine standard revision project ran into the buffers and was cancelled in 2020. A new SC 27 project is
once again revising the standard to cover the need for ICT support for business continuity arising from both
deliberate and accidental incidents.
The second edition is to be re-titled “Information technology — Cybersecurity — Information and
communication technology readiness for business continuity”.
The second edition is at Final Draft International Standard stage and should be published imminently.

Personal comments
The value of this standard is unclear, given that ISO 22301 does such a good job in this general area while ISO/
IEC 24762 covers ICT Disaster Recovery specifically.
If it is to remain a part of ISO27k, I personally feel it at least ought to be properly aligned with the current
2019 version of ISO 22301, and ideally extended beyond the ICT domain since ISO27k is about information risk
and security, not just “ICT” (a clumsy and unnecessary amplification of good old “IT” which in common usage
has included comms for, oh at least 50 years). However, the present scope is specific to ICT:
“The scope of this document is clearly delimited on information and communication technology (ICT)
readiness for business continuity. Readiness of ICT for business continuity means that ICT and its
operational capabilities demonstrate the ability to achieve desired business continuity objectives in
case of a disruption affecting ICT.”

Furthermore, to avoid any hint of overlap/conflict with the ISO 22300 standards, the revised ToR clearly states
that ’27031 will not replace a Business Continuity Management System. That said, the draft 2nd edition orbits
around “IRBC” (ICT Readiness for Business Continuity) ... which is essentially a systematic way to manage the
IT elements of business continuity, supplementing the BCMS as a whole.
Although the issued standard mentions resilience to as well as recovery from disastrous situations, the coverage
on resilience is quite light, perhaps because of the curious definition in the first edition: “Resilience: ability to
transform, renew, and recover, in timely response to events”. That’s just odd! Resilience in the information risk
and security context is about the organisation’s information processes, systems and networks bending rather
than breaking when under intense pressure. It’s about toughness and determination, keeping the essential
core business activities going despite adversity. It involves taking an engineering approach, deliberately and
competently designing things for stability, reliability/dependability and continuity. Common examples for high-
availability IT systems are load balancing between redundant servers and comms links, and automated failover.
Sound engineering concepts such as more-than-merely-adequate capacity, redundancy, robustness and
flexibility ensure that vital business operations are not materially degraded or halted by most incidents.
Preventive maintenance and proactive monitoring, extra-cautious change management and slick high-priority
incident responses are further controls that help maintain critical services.
Meanwhile, however, the twelve year old standard’s conspicuous disregard for cloud computing is a clear
indication of its seriously outdated approach. Cloud is core to ICT for many organisations today, offering
performance, scalability and flexibility that can significantly increase resilience, if properly engineered.
Unfortunately, the draft revised standard does not cover that either. The word ‘cloud’ appears just three times
in the 1st CD, noting that there are business continuity risks with cloud services. Its value as a business
continuity control isn’t covered.
Along similar lines, supply chain/network resilience is also conspicuously absent. The widespread coordination
and tight integration of companies in many industries thanks to the Internet has huge implications on business
continuity, but the draft revised standard offers little if any useful guidance in this critically important area.
Likewise again, Working From Home and Bring Your Own Device are significant parts of the global response to
COVID-19, yet they are not even mentioned - a classic example of the difficulties keeping up with the ever-
changing state of the art, given the inevitably slow pace of global standards work.
‘True contingency thinking’ involves the organisation’s flexibility, capability, resources and dogged
determination to cope with whatever situations actually eventuate, preparing for the uncertainties and
challenges ahead. The draft revised standard only refers once to ‘contingency’, as a garbled note to a definition
of “ICT readiness”.
In order to incorporate the cloud and supply chain aspects, broaden the brief beyond ICT and substantially
improve its coverage of resilience and contingency, I feel the standard should be substantially restructured and
rewritten. Maybe at the next revision? Meanwhile, ISO 22301 is a much more valuable resource IMNSHO.

Copyright © 2024 IsecT Ltd.
