ISO 27009: 2016 Sector-specific application of ISO 27001




Of benefit to developers of sector-specific guidelines to the application of ISO 27001

Daily stories in the media confirm that no organization, however big or small and whatever sector it works in, is immune to cyber security breaches, with phishing attacks leading to ransom demands at an all-time high. All information is valuable, both to your own organization and to the interested parties, who include your customers, your suppliers, and governmental and regulatory authorities.

Remember that you hold information owned by, or of great value to, them as well as your own. Data needs to be protected from government organizations, competitors and others wishing to steal it on their own account or for sale to third parties. The task of securing information effectively is formidable.

And for such information security arrangements to be effective, it is necessary to:

Get your retaliation in first

Allegedly, it was Willie John McBride many decades ago who, as captain of the Lions about to play against a South African team that played rugby with scant regard for the rules, told them to 'get your retaliation in first' (by the way, they did, and it worked). The same expression definitely applies to your cyber security arrangements. But where does one start?

ISO/IEC 27001:2013 (commonly called ISO 27001), the international standard for information security itself, is only a starting point.  While it sets out the requirements for an information security management system (ISMS), it is only one of the ISO 27000 family of standards, which now has more than 35 members and growing.  These include:

  • Requirement Standards,
  • Guideline Standards,
  • Sector-specific guideline Standards,
  • Control-specific guideline Standards, and a
  • Vocabulary Standard.


The graphic below shows some examples.


[Chart: examples of standards in the ISO 27000 family. Source: ISO 27000:2014]


The main companion to ISO 27001 is ISO 27002, a Code of Practice for information security controls.  It considers each of the vulnerabilities set out in Annex A of ISO 27001 and suggests typical controls that could be applied to reduce risk to an acceptable level.  

Annex A is intended as a list of 100+ common vulnerabilities that should be considered.  However, it does not address sector-specific requirements.

Several such sector-specific standards have already been published, including ISO/IEC 27011 for telecoms, ISO/IEC 27017 for cloud computing and ISO/IEC 27019 for the energy sector. These standards are examples of where controls, additional to those in ISO/IEC 27001, have been defined to meet the requirements of the specific sectors concerned.

If your ISMS ignores these supplementary ISO 27000 Sectoral Standards...

You are at risk of missing a vulnerability that is known to be significant for organizations in your business sector. Frankly, it would be stupid not to include all these known vulnerabilities in your Statement of Applicability and, where appropriate, mitigate the threat in your risk treatment.

Towards a harmonized structure, common language and detailed guidance

In developing these standards, it became clear that a harmonized structure and language, based on ISO/IEC 27001, and with detailed guidance would make the development of future sector-specific standards more effective, and avoid duplication.  

The result is the recently published ISO/IEC 27009 that will help standards developers provide the necessary advice and guidance on how to create standards on the application of ISO/IEC 27001 to individual sectors.

For those implementing and maintaining an ISMS, it will speed the development of sector-specific guidance standards that will provide advice on:

  • how to add to, refine or interpret the requirements of ISO/IEC 27001 and
  • how to add or modify the implementation guidance of ISO/IEC 27002 for sector-specific use.


And with cyber attacks 'exploding' at the present time, speed is of the essence.

For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.

A good source of information on all things to do with ISO 27001 is

Information on our courses can be found at "To select your ISO 27001 Auditor Course".


Note: First published in 2017, this Post was revised and updated in October 2020.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.
