ISO 27009: 2016 Sector-Specific Applications of ISO 27001


Cyber Attack 2


Daily stories in the media confirm that there is no organization, no matter how big or small, nor what sector it works in, that isn't susceptible to cybersecurity breaches -- with phishing attacks leading to ransom demands at an all-time high.  All information is valuable both to your own organization and to the interested parties who include your customers, your suppliers, governmental and regulatory authorities.  

Remember that you hold information owned by and/or of great value to them as well as your own.  Data needs to be protected from government organizations, competitors and others wishing to steal them on their own account or for sale to third parties.  The task of securing information effectively is formidable.

And for such information security arrangements to be effective, it is necessary to:

Get your retaliation in first

Allegedly, it was Willie John McBride many decades ago who, as captain of the Lions about to play against a South African team that played rugby with scant regards for the rules, told them to 'get your retaliation in first'  (by the way they did, and it worked).  The same expression definitely applies to your cybersecurity arrangements. But where does one start?

ISO 27000 Family of Standards

ISO/IEC 27001:2013 (commonly called ISO 27001), the international standard for information security itself, is only a starting point.  While it sets out the requirements for an information security management system (ISMS), it is only one of the ISO 27000 family of standards, which now has more than 35 members and growing.  These include:

  • Requirement Standards,
  • Guideline Standards,
  • Sector-specific guideline Standards,
  • Control-specific guideline  Standards, and a
  • Vocabulary Standard.


ISO 27001 and ISO 27002

The main companion to ISO 27001 is ISO 27002, a Code of Practice for information security controls.  It considers each of the vulnerabilities set out in Annex A of ISO 27001 and suggests typical controls that could be applied to reduce risk to an acceptable level.  

Annex A is intended as a list of 100+ common vulnerabilities that should be considered.  However, Annex A does not address sector-specific requirements.

Sector Specific Applications of the ISO 27000 Family of Standards

Application of the ISO 27000 family of standards to specific sectors have already been published, including  ISO/IEC 27011 for telecoms, ISO/IEC 27017 for cloud computing and ISO/IEC 27019 for the energy sector.

These standards are examples of where controls, additional to those in ISO/IEC 27001, have been defined to meet the requirements of the specific sectors concerned.

The infographic below shows some examples of the said applications.



Source: ISO 27000:2014


Importance of Following Sector-specific ISO 27001 Guidelines

If your Information Security Management System (ISMS) ignores these supplementary ISO 27000 Sectoral Standards, you are at risk of missing a vulnerability that is known to be significant for organizations in your business sector. 

Frankly, it would be stupid not to include all these known vulnerabilities in your Statement of Applicability and, where appropriate, mitigate the threat in your risk treatment.

ISO 27001 and ISO 27009

In developing these standards, it became clear that a harmonized structure and language, based on ISO/IEC 27001, and with detailed guidance, would make the development of future sector-specific standards more effective, and avoid duplication.  

The result is the recently published ISO/IEC 27009 that will help standards developers provide the necessary advice and guidance on how to create standards on the application of ISO/IEC 27001 to individual sectors.

For those implementing and maintaining an ISMS, it will speed the development of sector-specific guidance standards that will provide advice on:

  • how to add to, refine or interpret the requirements of ISO/IEC 27001 and
  • how to add or modify the implementation guidance of ISO/IEC 27002 for sector-specific use.


And with cyber-attacks 'exploding' at the present time, speed is of the essence.

For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.

A good source of information on all things to do with ISO 27001 is

Information on our Courses can be found at To select your ISO 27001 Auditor Course.


Gap Analysis ISO 27001


Related Articles

Note: First published in 2017, this Post was revised and updated in October 2020.

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems

Subscribe to Email Updates


Recent Posts

Posts by Topic