Of benefit to developers of sector-specific guidelines to the application of ISO 27001
Daily stories in the media confirm that there is no organization, no matter how big or small, nor what sector it works in, that isn't susceptible to cyber security breaches. with phishing attacks leading to ransom demands at an all time high. All information is valuable both to your own organization and to the interested parties who include your customers, your suppliers, governmental and regulatory authorities.
Remember that you hold information owned by and/or of great value to them as well as your own. Data needs to be protected from government organizations, competitors and others wishing to steal them on their own account or for sale to third parties. The task of securing information effectively is formidable.
And for such information security arrangements to be effective, it is necessary to:
Get your retaliation in first
Allegedly, it was Willie John McBride many decade ago who, as captain of the Lions about to play against a South African team that played rugby with scant regards for the rules, told them to 'get your retaliation in first' (by the way they did, and it worked). The same expression definitely applies to your cyber security arrangements. But where does one start?
ISO/IEC 27001:2013 (commonly called ISO 27001), the international standard for information security itself, is only a starting point. While it sets out the requirements for an information security management system (ISMS), it is only one of the ISO 27000 family of standards, which now has more than 35 members and growing. These include:
- Requirement Standards,
- Guideline Standards,
- Sector-specific guideline Standards,
- Control-specific guideline Standards, and a
- Vocabulary Standard.
The graphic below shows some examples.
The main companion to ISO 27001 is ISO 27002, a Code of Practice for information security controls. It considers each of the vulnerabilities set out in Annex A of ISO 27001 and suggests typical controls that could be applied to reduce risk to an acceptable level.
Annex A is intended as a list of 100+ common vulnerabilities that should be considered. However, it does not address sector-specific requirements.
Several such sector-specific standards have already been published, including ISO/IEC 27011 for telecoms, ISO/IEC 27017 for cloud computing and ISO/IEC 27019 for the energy sector. These standards are examples of where controls, additional to those in ISO/IEC 27001, have been defined to meet the requirements of the specific sectors concerned.
If your ISMS ignores these supplementary ISO 27000 Sectoral Standards...
You are at risk of missing a vulnerability that is know to be significant for organizations in your business sector. Frankly, it would be stupid not to include all these known vulnerabilites in your Statement of Applicability and, where appropriate, mitigate the threat in your risk treatment.
Towards a harmonized structure, common language and detailed guidance
In developing these standards, it became clear that a harmonized structure and language, based on ISO/IEC 27001, and with detailed guidance would make the development of future sector-specific standards more effective, and avoid duplication.
The result is the recently published ISO/IEC 27009 that will help standards developers provide the necessary advice and guidance on how to create standards on the application of ISO/IEC 27001 to individual sectors.
For those implementing and maintaining an ISMS, it will speed the development of sector specific guidance standards that will provide advice on:
- how to add to, refine or interpret the requirements of ISO/IEC 27001 and
- how to add or modify the implementation guidance of ISO/IEC 27002 for sector-specific use.
And with cyber attacks 'exploding' at the present time, speed is of the essence.
For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.
A good source of information on all things to do with ISO 27001 is iso27001security.com.
Information on our Courses can be found at To select your ISO 27001 Auditor Course.
- Why have an ISMS - Information Security Management System?
- Information Security Standards other than ISO 27001
Note: First published in 2017, this Post was revised and updated in October 2020.