ISO IEC 27009:2020

ISO/IEC 27009:2020, Information security, cybersecurity and privacy protection – Sector-specific application of ISO/IEC 27001 – Requirements.
4.1 General
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”.
Guidance on the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.
ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.
EXAMPLES
The following documents have been developed to address these sector-specific needs:
— ISO/IEC 27010, Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
— ISO/IEC 27017, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
— ISO/IEC 27018, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
— ISO/IEC 27019, Information technology — Security techniques — Information security controls for the energy utility industry
Other organizations have also produced standards addressing sector-specific needs.
Sector-specific standards should be consistent with the requirements of the information security management system. This document specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).
This document assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.
4.2 Structure of this document
Clause 5 provides requirements and guidance on how to make additions to, refinements of, or interpretations of ISO/IEC 27001 requirements.
Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.
Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001.
Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.
For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply.
Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B.
