Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Practical reference networking scenarios and threat risk analysis for implementing ISO/IEC 27033 security controls
Overview of ISO/IEC 27033-3
ISO/IEC 27033-3:2010 defines reference networking scenarios that serve as templates for conducting threat risk analysis and selecting appropriate security controls. Rather than…

Techniques and controls for securing inter-network communications using gateways, firewalls, and cryptographic protocols
Overview of ISO/IEC 27033-4
ISO/IEC 27033-4:2014 provides detailed guidance on securing communications between networks. It addresses scenarios where different networks — possibly under different administrative domains —…

Competence requirements for information security management system professionals
ISO/IEC 27021:2017 specifies the competence requirements for professionals performing information security management system (ISMS) activities — including planning, implementing, maintaining, auditing, and improving an ISMS based on ISO/IEC 27001. It establishes a…

Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27031:2011 provides guidelines for the information and communication technology (ICT) readiness for business continuity within the broader context of organizational business continuity management (BCM). It bridges the gap between…

Guidelines for improving cybersecurity posture and managing cyber risks
ISO/IEC 27032:2023 provides guidelines for improving an organization’s cybersecurity posture by addressing foundational aspects of cybersecurity — including the cybersecurity ecosystem, threat intelligence, attack surface management, and coordination among stakeholders. It…

Network security — Part 1: Overview and concepts
ISO/IEC 27033-1:2015 is the introductory part of the ISO/IEC 27033 series, providing an overview of network security concepts, architecture guidance, and management practices. It establishes the foundational terminology, principles, and framework used…

Cloud-specific security controls and shared responsibility model implementation
1. Cloud-Specific Information Security Controls
ISO/IEC 27017:2015 provides a code of practice for information security controls applicable to the provision and use of cloud services. It extends the comprehensive control set of…

Privacy controls and data subject rights framework for public cloud PII processing
1. Protecting PII in Public Cloud Environments
ISO/IEC 27018:2019 establishes a code of practice for the protection of personally identifiable information (PII) in public cloud environments. As the…

Code of practice for information security controls applied to energy utility industry
ISO/IEC 27019:2017 provides interpretation and implementation guidance for information security controls applied to energy utility organizations — including electricity, gas, oil, and heat suppliers, as well as associated…

Telecommunications-specific security controls and implementation guidance for ISMS
1. Telecommunications Security Framework
ISO/IEC 27011:2016 provides a specialized code of practice for information security controls within the telecommunications sector, tailored from the comprehensive control set of ISO/IEC 27002. The telecommunications industry…

Integrating information security management and IT service management for operational excellence
1. Why Integrate ISO/IEC 27001 and ISO/IEC 20000-1?
ISO/IEC 27013:2015 provides guidance on the integrated implementation of ISO/IEC 27001 (information security management) and ISO/IEC 20000-1 (service management). These two…

Strategic Oversight, Governance Principles, and the Evaluate-Direct-Monitor Cycle for Information Security
ISO/IEC 27014:2020 (with its 2022 revision/amendment) establishes the governance framework for information security. Unlike operational standards such as ISO/IEC 27001 or 27002, which focus on the management and implementation…

Strategic framework for board-level information security governance
1. Governance Framework for Information Security
ISO/IEC 27014:2020 (reaffirmed 2022) establishes a governance framework for information security that bridges the gap between executive leadership and operational security management. Unlike operational security standards that…

Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006-1:2024 specifies requirements for bodies providing audit and certification of an Information Security Management System (ISMS) against ISO/IEC 27001. Unlike the guidance standards in the 27000 family…

Guidelines for auditing information security management systems, complementing ISO 19011
ISO/IEC 27007:2020 provides guidelines for auditing an Information Security Management System (ISMS), complementing the general auditing guidance of ISO 19011 with information security-specific considerations. It is written primarily for internal…

Requirements for creating sector-specific ISMS standards that extend ISO/IEC 27001
ISO/IEC 27009:2020 defines the requirements for creating sector-specific standards that add to or refine ISO/IEC 27001 requirements for particular industry sectors. It ensures consistency across all sector-specific ISMS standards by…

A comprehensive guide to secure information sharing across organizational boundaries
1. Understanding Cross-Organizational Information Security
ISO/IEC 27010:2015 extends the ISMS family framework beyond the boundaries of a single organization to enable secure information sharing across sectors and between organizations. In…