Cybersecurity - Guidance on using ISO and IEC standards in a cybersecurity framework

ISO/IEC TR 27103:2018 provides guidance on how to leverage existing standards in a cybersecurity framework.

French title (translated): Cybersecurity — Recommendations on the use of ISO and IEC standards in the cybersecurity framework

General Information

Status
Not Published
Current Stage
6000 - International Standard under publication
Start Date
24-Dec-2025
Completion Date
27-Dec-2025

Relations

Effective Date
06-Jun-2022

Overview

ISO/IEC TS 27103:2025 provides comprehensive guidance on using ISO and IEC standards within a cybersecurity framework. This technical specification is aimed at assisting organizations to effectively leverage established standards to build, develop, and enhance their cybersecurity programs. By integrating best practices from information security management, the document helps frame a structured and risk-based approach to managing cybersecurity risks.

Published by ISO and IEC and prepared by Joint Technical Committee ISO/IEC JTC 1/SC 27, the standard updates and aligns previous guidance with ISO/IEC 27002:2022. It emphasizes a communications-enabled, flexible, and outcome-focused cybersecurity framework to improve organizational resilience against cyber threats.

Key Topics

  • Risk-Based Cybersecurity Approach
    Emphasizes prioritizing cybersecurity activities based on organizational risks, ensuring that resources target the most critical threats.

  • Cybersecurity Framework Concepts
    Defines the core components of a cybersecurity framework including identification, protection, detection, response, and recovery functions.

  • Leveraging Existing Standards
    Guides on harmonizing and mapping ISO/IEC standards such as ISO/IEC 27000 and ISO/IEC 27002 to form a cohesive framework.

  • Stakeholders and Governance
    Addresses the roles of interested parties and top management principles necessary to sustain effective cybersecurity governance.

  • Subcategories and Detailed Activities
    Includes informative annexes that break down cybersecurity functions into subcategories to enable clear implementation steps.

Applications

ISO/IEC TS 27103 is an essential tool for organizations across public and private sectors looking to:

  • Develop a Cybersecurity Framework
    Utilize globally recognized standards to establish a resilient management system adaptable to evolving cyber threats.

  • Integrate Cybersecurity and Information Security
    Harmonize approaches to address both internal and external cyber risks comprehensively.

  • Support Risk Management Decision-Making
    Apply a structured process for evaluating and responding to cybersecurity risks that align with business objectives.

  • Achieve Compliance and Best Practices
    Follow internationally recognized guidance to meet regulatory requirements and demonstrate due diligence.

  • Enhance Communication and Reporting
    Use standardized terms and concepts to facilitate clear communication between technical teams, management, and stakeholders.

Related Standards

ISO/IEC TS 27103 references and aligns with several key standards that form the foundation for cybersecurity frameworks:

  • ISO/IEC 27000:2018 – Information security management systems overview and vocabulary, providing essential terminology for consistent understanding.

  • ISO/IEC TS 27100:2020 – Cybersecurity overview and concepts, which sets the broader context for cybersecurity risk management.

  • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls (the 2022 edition replaced the earlier "Code of practice" title), offering detailed guidance on implementing specific security measures.

Together, these standards create a harmonized ecosystem that supports robust cybersecurity governance and risk management strategies.


By following ISO/IEC TS 27103:2025, organizations can better align their cybersecurity initiatives with internationally accepted best practices, ensuring an effective, risk-aware, and communication-driven framework. This resource is invaluable for technical specialists, cybersecurity managers, and top management committed to enhancing their cybersecurity posture systematically.

Draft

ISO/IEC DTS 27103 - Cybersecurity — Guidance on using ISO and IEC standards in a Cybersecurity Framework
Released: 12.05.2025
English language, 19 pages

Draft

REDLINE ISO/IEC DTS 27103 - Cybersecurity — Guidance on using ISO and IEC standards in a Cybersecurity Framework
Released: 12.05.2025
English language, 19 pages

Draft

ISO/IEC DTS 27103.2 - Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
Released: 10/14/2025
English language, 19 pages

Draft

REDLINE ISO/IEC DTS 27103.2 - Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
Released: 10/14/2025
English language, 19 pages

Frequently Asked Questions

ISO/IEC TS 27103 is a draft published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is "Cybersecurity - Guidance on using ISO and IEC standards in a cybersecurity framework". This standard covers: guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework.

ISO/IEC TS 27103 is classified under the following ICS (International Classification for Standards) category: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC TS 27103 has the following relationship with other standards: it is linked to ISO/IEC TR 27103:2018, which it cancels and replaces. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC TS 27103 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


FINAL DRAFT
Technical Specification
ISO/IEC DTS 27103
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2025-05-26
Voting terminates on: 2025-07-21
Cybersecurity — Guidance on using ISO and IEC standards in a Cybersecurity Framework
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number: ISO/IEC DTS 27103:2025(en)
© ISO/IEC 2025

© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

© ISO/IEC 2025 – All rights reserved
ii
ISO/IEC DTS 27103:2025(en)
Contents (page)
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Document structure  1
5 Background  1
5.1 General  1
5.2 Advantages of a risk-based approach to cybersecurity  2
5.3 Stakeholders  2
5.4 Activities of a cybersecurity framework and programme  2
6 Concepts  2
6.1 Overview of cybersecurity frameworks  2
6.2 Cybersecurity framework functions  3
6.2.1 General  3
6.2.2 Identify  4
6.2.3 Protect  5
6.2.4 Detect  6
6.2.5 Respond  6
6.2.6 Recover  7
Annex A (informative) Subcategories  8
Annex B (informative) Three principles of cybersecurity for top management  16
Bibliography  19

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This first edition of ISO/IEC TS 27103 cancels and replaces ISO/IEC TR 27103:2018, which has been
technically revised.
The main changes are as follows:
— updated to align with ISO/IEC 27002:2022.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations around the
world, in both government and industry sectors, are seeking ways to address and manage cybersecurity
risks, including via baseline cybersecurity measures that may be implemented as requirements or guidance.
The demonstrated security and economic value of utilizing existing best practices to develop approaches to
cyber risk management has led organizations to assess how to use and improve upon existing approaches.
Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g.
"cybersecurity" versus "information security". Where similar risks are addressed, this difference in
perspective can result in "cybersecurity" approaches focusing on external threats and the need to use
information for organizational purposes, while, in contrast, "information security" approaches consider all
risks whether from internal or external sources. There can also be a perception that cybersecurity risks are
primarily related to antagonistic threats, and that a lack of "cybersecurity" can create worse consequences
for the organization than a lack of "information security". Thus, cybersecurity can be perceived as more
relevant to the organization than information security. This perception can cause confusion and also
reduces the effectiveness of risk assessment and treatment.
Regardless of perception, the concepts behind information security can be used to assess and manage
cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and
structured manner, and ensure that processes, governance and controls are addressed. This can be done
through a management systems approach. An information security management system (ISMS) as
described in ISO/IEC 27001 is a well-proven way for any organization to implement a risk-based approach to
cybersecurity.
This document demonstrates how a cybersecurity framework can utilize current information security
standards to achieve a well-controlled approach to cybersecurity management.

FINAL DRAFT Technical Specification ISO/IEC DTS 27103:2025(en)
Cybersecurity — Guidance on using ISO and IEC standards in
a Cybersecurity Framework
1 Scope
This document provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity
framework.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 2.33, modified — note 1 to entry has been removed.]
4 Document structure
This document provides background on why having a risk-based, prioritized, flexible, outcome-focused, and
communications-enabling framework for cybersecurity is important. It then describes the objectives of a
strong cybersecurity framework and includes mapping to existing standards that can be used to achieve
these objectives.
5 Background
5.1 General
ISO, IEC, and ISO/IEC standards can be applied to help solve the challenges of cybersecurity. Existing and
emerging cybersecurity frameworks throughout the world reference ISO, IEC, and ISO/IEC standards as
useful sources of information.
Implementing a cybersecurity framework, or a cybersecurity programme, requires a consistent and iterative
approach to identifying, assessing, and managing risk and to evaluating implementation of the framework.
ISO/IEC 27001 already provides a risk management framework that can be applied to prioritize and
implement cybersecurity activities within an organization.

5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and improve their
cybersecurity risk management over time;
— is prioritized, flexible and outcome-focused;
— enables organizations to make security investment decisions that address risk, implement risk
mitigations in a way that is most effective for their environments, and advance security improvements
and innovations;
— facilitates communication across boundaries, both within and between organizations;
— is responsive to the actual risks faced by an organization, while recognizing that organizational resources
are limited;
— reflects a clear understanding of the organization’s particular business drivers and security
considerations;
— allows an organization to manage risks in ways that are consistent with their own business priorities;
— enables organizations to have flexibility in a rapidly changing technology and threat landscape, and
helps to address the varying needs of organizations and sectors.
More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by specific
stakeholders for specific purposes can be provided on demand. Organizations that implement a risk-based
cybersecurity framework can therefore take advantage of the benefits without being limited by the need for
a full set of detailed implementation guidance.
5.3 Stakeholders
Stakeholders should play an active role, beyond protecting their own assets, in order for the organization
to realize the benefits of a connected global environment. Internet-enabled systems and applications are
expanding beyond the business-to-business, business-to-consumer, and consumer-to-consumer models, to
include many-to-many interactions and transactions. Individuals and organizations should be prepared to
address emerging security risks and challenges, and effectively prevent and respond to misuse and criminal
exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:
a) describing the organization’s current cybersecurity status;
b) describing the organization’s target state for cybersecurity;
c) identifying and prioritizing opportunities for improvement;
d) assessing progress toward the target state;
e) communicating among internal and external stakeholders about cybersecurity risks.
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common across all
sectors and organizations. A framework facilitates communication about implementation of these desired
outcomes and associated cybersecurity activities across the organization, from the executive level to

the implementation and operations levels. The framework should consist of five functions, or high-level
descriptions of desired outcomes, which are concurrent and continuous:
— Identify (6.2.2)
— Protect (6.2.3)
— Detect (6.2.4)
— Respond (6.2.5)
— Recover (6.2.6)
When considered together, these functions provide a high-level, strategic view of an organization’s
management of cybersecurity risk. Within each function, there are also categories and subcategories, which
are a prioritized set of activities that are important for achieving the specified outcomes.
Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities. Subcategories further divide each category into specific
outcomes of either technical or management activities, or both. They provide a set of results that, while not
exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and subcategories,
helps to enable communication across boundaries. While many executives may seek to understand and
make investments to more effectively mitigate organizational risk at the level of functions, operational
practitioners can benefit from the more nuanced description of desired outcomes at the category or
subcategory level. Importantly, though, if high-level and more nuanced descriptions of outcomes are
organized within a single reference point that uses a common language, communication between executives
and practitioners is facilitated, supporting strategic planning.
NOTE Annex B provides an example of another type of cybersecurity framework.
6.2 Cybersecurity framework functions
6.2.1 General
Functions organize basic cybersecurity outcomes and activities at their highest level. Important functions
to include in the framework, as noted in 6.1, are:
— Identify
— Protect
— Detect
— Respond
— Recover
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management decisions,
addressing threats, and improving by learning from previous experiences. The main role of each function is
as follows:
— The identify function develops the organizational understanding to manage cybersecurity risk to
systems, assets, data and capabilities. The activities in the identify function are foundational for effective
use of the framework. Understanding the business context, the resources that support critical functions,
and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent
with its risk management strategy and business needs.

— The protect function develops and implements the appropriate safeguards to ensure delivery of critical
infrastructure services. This function supports the ability to limit or contain the impact of a potential
cybersecurity event.
— The detect function develops and implements the appropriate activities to identify the occurrence of a
cybersecurity event. This function enables timely discovery of cybersecurity events.
— The respond function develops and implements the appropriate activities to take action regarding a
detected cybersecurity event. This function supports the ability to contain the impact of a potential
cybersecurity event.
— The recover function develops and implements the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.
Annex A of this document examines each of the categories and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
The functions of identify, protect, detect, respond, and recover directly align with the cybersecurity concept
attributes in ISO/IEC 27002:2022.
6.2.2 Identify
The identify function develops organizational understanding to manage cybersecurity risk to systems,
assets, data and capabilities. The activities in the identify function are important for effective use of the
framework. Understanding the business context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its
risk management strategy and business needs. Within this function, there are activities that are vital to
successful cyber risk management. To be able to identify these activities, an organization should understand
its organizational objectives and risk management strategy.
Within the identify function, the categories that may be included are shown in Table 1.

Table 1 — Identify categories

Business environment
  Description: The organization's objectives, stakeholders and activities are understood and used to inform roles, responsibilities and risk management decisions. Comprehensive security measures are necessary to cover the company itself, its group companies, business partners of its supply chain and IT system control outsourcing companies.
  References: ISO/IEC 27001:2022, Clause 4; ISO/IEC 27001:2022, Clause 5; the ISO/IEC 27036 series; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2009, 5.3 (a); ISO/IEC 27005:2022, 6.1

Risk Assessment
  Description: The organization understands the risks to the organization's operations and assets. Management is required to drive cybersecurity risk measures, considering any possible risk while proceeding with the utilization of IT.
  References: ISO/IEC 27001:2022, Clause 6; ISO/IEC 27014; ISO/IEC 20243-1:2023, Clause 4; ISO 31000; ISO/IEC 38505; ISO/IEC 27005:2022, Clause 7

Risk Management Strategy
  Description: An organization's approach, the management components and resources to be applied to the management of risk.
  References: ISO/IEC 27001:2022, 9.3; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, Clause 4; ISO/IEC 27005:2022, Clause 6

Governance
  Description: To monitor and manage the organization's regulatory, legal, environmental and operational requirements. This information is then used to inform the appropriate levels of management.
  References: ISO/IEC 27002:2022, 5.1, 5.2, 5.4; ISO/IEC 38054; ISO/IEC 38505-1; ISO/IEC 20243-1:2023, Clause 4

Asset Management
  Description: Identification and management of the systems, data, devices, people and facilities in relation to the business.
  References: ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.2.3.4; ISO/IEC 27019:2024, Clause 7

(a) Cancelled and replaced by ISO 31000:2018.
6.2.3 Protect
The protect function develops and implements appropriate safeguards to ensure the delivery of resilient
products and services. The protect function also supports the ability to limit or contain the impact of a
potential cybersecurity event.
Within the protect function, the categories that may be included are specified in Table 2.

Table 2 — Protect categories

Access control
  Description: Limiting access to facilities and assets to only authorized entities and associated activities. Included in access management is entity authentication.
  References: ISO/IEC 27002:2022, 5.15, 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18; ISO/IEC 29146; ISO/IEC 29115

Awareness and training
  Description: Ensuring users and stakeholders are aware of policies, procedures, and responsibilities relating to cybersecurity.
  References: ISO/IEC 27002:2022, 6.3; ISO/IEC 20243-1:2023, Clause 4

Data security
  Description: Responsible for the confidentiality, integrity, and availability of data and information.
  References: ISO/IEC 27002:2022, 5.12, 5.13, 7.10

Information protection processes and procedures
  Description: Security policies, processes, and procedures are maintained and used to manage protection of information systems.
  References: ISO/IEC 27002:2022, 5.1, 5.2, 5.3, 5.37

Maintenance
  Description: Processes and procedures for ongoing maintenance and modernization.
  References: ISO/IEC 27002:2022, 5.37; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.3.3

Protective technology
  Description: Technical security solutions (such as logging, removable media, least access principles, and network protection).
  References: ISO/IEC 27002:2022, 7.10, 7.12, Clause 8; ISO/IEC 27033 (all parts)
Annex A of this document examines each of the categories and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.4 Detect
The detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the detect function, the categories that may be included are specified in Table 3.
Table 3 — Detect categories

Anomalies and events
  Description: Detection of anomalies and events and understanding of the impact of those events.
  References: ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28; ISO/IEC 27035 (all parts)

Security continuous monitoring
  Description: Systems being monitored on a regular basis to validate the effectiveness of security measures in place.
  References: ISO/IEC 27002:2022, 6.8

Detection process
  Description: Processes and procedures to ensure timely awareness and communication of events.
  References: ISO/IEC 27002:2022, 5.24; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 3 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.5 Respond
The respond function develops and implements appropriate activities to take action regarding a detected
cybersecurity event. The respond function supports the ability to contain the impact of a potential
cybersecurity event.
Within the respond function, the categories that may be included are specified in Table 4.

Table 4 — Respond categories

Response planning
  Description: Plan for how to respond to events in a timely manner, including processes and procedures for responding to events.
  References: ISO/IEC 27002:2022, 5.24, 5.26; ISO/IEC 27035 (all parts)

Communications
  Description: Processes and procedures for communicating timely information to relevant parties. Companies should communicate appropriately with relevant parties by, for example, disclosing information on security measures or response on a regular basis or in times of emergency.
  References: ISO/IEC 27002:2022, 5.5, 5.6, 6.8; ISO/IEC 27035 (all parts); ISO/IEC 27014

Analysis
  Description: Review of detected events, including categorization and impact of events.
  References: ISO/IEC 27002:2022, 5.25, 5.27; ISO/IEC 27035 (all parts)

Mitigation
  Description: Activities that limit the expansion of the event, mitigate the event and stop the event.
  References: ISO/IEC 27002:2022, 5.26; ISO/IEC 27035 (all parts)

Improvements
  Description: The organization reviews the response plan and improves it based on lessons learned during an event.
  References: ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 4 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to bet
...
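The activities in 5.4 (describe the current state, describe the target state, prioritize improvements, assess progress) become mechanical once the category-to-reference mapping of Tables 1 to 4 is held as data. The following Python is an added example, not part of the DTS or any ISO/IEC material: it transcribes the four tables, takes a constructed set of references an organization has implemented as its current state, treats "every reference met" as the target state, and reports coverage per function, the categories with gaps, and the unmet references that would advance the most categories. The compact reference notation ("27002:5.24" for a clause, "27035" for a whole document), the prefix rule that lets an implemented sub-clause satisfy a whole-clause reference such as ISO/IEC 27002:2022 Clause 8, and the CURRENT_STATE set are all assumptions of this example.

```python
"""Gap analysis over the category-to-reference mapping of Tables 1 to 4.

Added example, not from the DTS. FRAMEWORK is transcribed from the tables in a
compact notation assumed here: "<standard>:<clause>" for a clause, "<standard>"
alone for a document cited as a whole (series, all parts, or no clause given).
"""
from collections import Counter

FRAMEWORK = {  # function -> category -> references cited in Tables 1 to 4
    "Identify": {
        "Business environment": {"27001:4", "27001:5", "27036", "20243-1:4", "31000:5.3", "27005:6.1"},
        "Risk assessment": {"27001:6", "27014", "20243-1:4", "31000", "38505", "27005:7"},
        "Risk management strategy": {"27001:9.3", "20243-1:4", "31000:4", "27005:6"},
        "Governance": {"27002:5.1", "27002:5.2", "27002:5.4", "38054", "38505-1", "20243-1:4"},
        "Asset management": {"27002:5.9", "27002:5.10", "27002:5.11", "27002:5.12", "27002:5.13",
                             "20243-1:4", "62443-2-1:4.2.3.4", "27019:7"},
    },
    "Protect": {
        "Access control": {"27002:5.15", "27002:5.16", "27002:5.17", "27002:5.18", "27002:8.2", "27002:8.3",
                           "27002:8.4", "27002:8.5", "27002:8.18", "29146", "29115"},
        "Awareness and training": {"27002:6.3", "20243-1:4"},
        "Data security": {"27002:5.12", "27002:5.13", "27002:7.10"},
        "Information protection processes and procedures": {"27002:5.1", "27002:5.2", "27002:5.3", "27002:5.37"},
        "Maintenance": {"27002:5.37", "20243-1:4", "62443-2-1:4.3.3"},
        "Protective technology": {"27002:7.10", "27002:7.12", "27002:8", "27033"},
    },
    "Detect": {
        "Anomalies and events": {"27002:5.25", "27002:5.26", "27002:5.27", "27002:5.28", "27035"},
        "Security continuous monitoring": {"27002:6.8"},
        "Detection process": {"27002:5.24", "27035"},
    },
    "Respond": {
        "Response planning": {"27002:5.24", "27002:5.26", "27035"},
        "Communications": {"27002:5.5", "27002:5.6", "27002:6.8", "27035", "27014"},
        "Analysis": {"27002:5.25", "27002:5.27", "27035"},
        "Mitigation": {"27002:5.26", "27035"},
        "Improvements": {"27002:5.27", "27035"},
    },
}

# Constructed current state (5.4 a): an ISMS aligned with ISO/IEC 27001 plus a
# partial set of ISO/IEC 27002:2022 controls and an ISO/IEC 27035 incident process.
CURRENT_STATE = {
    "27001:4", "27001:5", "27001:6", "27001:9.3",
    "27002:5.1", "27002:5.2", "27002:5.3", "27002:5.9", "27002:5.10",
    "27002:5.15", "27002:5.16", "27002:5.17", "27002:5.18", "27002:5.24", "27002:5.26",
    "27002:6.3", "27002:6.8", "27002:8.2", "27002:8.3", "27002:8.5",
    "27005:6.1", "27005:7", "27035",
}


def satisfied(ref, implemented):
    """A reference is met by an exact match or, for a whole clause such as
    '27002:8', by any implemented sub-clause of it ('27002:8.2'). The trailing
    dot keeps '27002:5.1' from being matched by '27002:5.15'."""
    return ref in implemented or any(i.startswith(ref + ".") for i in implemented)


def category_coverage(function, category, implemented):
    """Fraction of a category's references that the current state meets."""
    refs = FRAMEWORK[function][category]
    return sum(satisfied(r, implemented) for r in refs) / len(refs)


def function_coverage(implemented):
    """Mean category coverage per function: the executive-level view of 6.1."""
    return {fn: sum(category_coverage(fn, c, implemented) for c in cats) / len(cats)
            for fn, cats in FRAMEWORK.items()}


def gap_report(implemented):
    """Categories short of the target state (5.4 b: every reference met), in
    framework order and lowest coverage first within each function (5.4 c).
    Each row is (function, category, coverage, sorted missing references)."""
    rows = []
    for fn, cats in FRAMEWORK.items():
        for cat, refs in cats.items():
            missing = sorted(r for r in refs if not satisfied(r, implemented))
            if missing:
                rows.append((fn, cat, 1 - len(missing) / len(refs), missing))
    order = {fn: i for i, fn in enumerate(FRAMEWORK)}
    rows.sort(key=lambda r: (order[r[0]], r[2]))
    return rows


def prioritized_missing(implemented):
    """Unmet references ranked by the number of categories each would advance,
    so the next investment closes the most gaps (ties broken by reference)."""
    hits = Counter(r for _, _, _, missing in gap_report(implemented) for r in missing)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for fn, cov in function_coverage(CURRENT_STATE).items():
        print(f"{fn:<8} {cov:5.0%}")
    for fn, cat, cov, missing in gap_report(CURRENT_STATE):
        print(f"{fn:<8} {cat:<48} {cov:5.0%} missing: {', '.join(missing)}")
    print("close first:", prioritized_missing(CURRENT_STATE)[:3])
```

Re-running the script after each improvement cycle gives the progress measure of 5.4 d; swapping CURRENT_STATE for the real register of implemented controls, and the target set for a profile narrower than "everything", is all that changes for a specific organization. Note that the ranking only counts how many categories a reference appears in, not the risk those categories carry; the risk weighting belongs to the ISO/IEC 27005 process that the Identify function references.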


ISO/IEC DTS 27103:2025(en)
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Date: 2025-05-09
Cybersecurity – Guidance on using ISO and IEC standards in a Cybersecurity Framework

Warning for Drafts
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no
part of this publication may be reproduced or utilized otherwise in any form or by any means,
electronic or mechanical, including photocopying, or posting on the internet or an intranet, without
prior written permission. Permission can be requested from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
CP 401 • CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.
Contents (page)
Foreword  4
Introduction  ix
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Document structure  1
5 Background  1
5.1 General  1
5.2 Advantages of a risk-based approach to cybersecurity  2
5.3 Stakeholders  2
5.4 Activities of a cybersecurity framework and programme  3
6 Concepts  3
6.1 Overview of cybersecurity frameworks  3
6.2 Cybersecurity framework functions  4
6.2.1 General  4
6.2.2 Identify  5
6.2.3 Protect  7
6.2.4 Detect  8
6.2.5 Respond  9
6.2.6 Recover  10
Annex A (informative) Subcategories  13
Annex B (informative) Three principles of cybersecurity for top management  33
Bibliography  37
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted. This document was drafted in accordance with the editorial
rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve
the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability
of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and
IEC had not received notice of (a) patent(s) which may be required to implement this document.
However, implementers are cautioned that this may not represent the latest information, which may be
obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and
IEC shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This first edition of ISO/IEC TS 27103 cancels and replaces ISO/IEC TR 27103:2018, which has
been technically revised.
The main changes are as follows:
— updated to align with ISO/IEC 27002:2022.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations
around the world, in both government and industry sectors, are seeking ways to address and
manage cybersecurity risks, including via baseline cybersecurity measures that may be
implemented as requirements or guidance. The demonstrated security and economic value of
utilizing existing best practices to develop approaches to cyber risk management has led
organizations to assess how to use and improve upon existing approaches.

Perspectives, and consequent approaches, to risk management are affected by the terminology
used, e.g. “cybersecurity” versus “information security”. Where similar risks are addressed, this
different perspective can result in “cybersecurity” approaches focusing on external threats
and the need to use information for organizational purposes, while, in contrast, “information
security” approaches consider all risks whether from internal or external sources. There
can also be a perception that cybersecurity risks are primarily related to antagonistic
threats, and that a lack of “cybersecurity” can create worse consequences to the organization
than a lack of “information security”. Thus, cybersecurity can be perceived as more relevant
to the organization than information security. This perception can cause confusion and also
reduces the effectiveness of risk assessment and treatment.

Regardless of perception, the concepts behind information security can be used to assess and
manage cybersecurity risks. The key question is how to manage cybersecurity risk in a
comprehensive and structured manner, and ensure that processes, governance and controls are
addressed. This can be done through a management systems approach. An information security
management system (ISMS) as described in ISO/IEC 27001 is a well proven way for any
organization to implement a risk-based approach to cybersecurity.

This document demonstrates how a cybersecurity framework can utilize current
information security standards to achieve a well-controlled approach to cybersecurity
management.
FINAL DRAFT Technical Specification ISO/IEC DTS 27103:2025(en)

Cybersecurity — Guidance on using ISO and IEC standards in a Cybersecurity Framework
1 Scope
This document provides guidance on how to leverage existing ISO and IEC standards in a
cybersecurity framework.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the
following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 2.33, modified — note 1 to entry has been removed.]

4 Document structure
This document provides background on why having a risk-based, prioritized, flexible, outcome-
focused, and communications-enabling framework for cybersecurity is important. It then
describes the objectives of a strong cybersecurity framework and includes mapping to existing
standards that can be used to achieve these objectives.
5 Background
5.1 General
ISO, IEC, and ISO/IEC standards can be applied to help solve the challenges of cybersecurity.
Existing and emerging cybersecurity frameworks throughout the world reference ISO, IEC, and
ISO/IEC standards as useful sources of information.

Implementing a cybersecurity framework, or a cybersecurity programme, requires a consistent
and iterative approach to identifying, assessing, and managing risk and evaluating
implementation of the framework. ISO/IEC 27001 already provides a risk management
framework that can be applied to prioritize and implement cybersecurity activities within an
organization.
5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and
improve their cybersecurity risk management over time;
— is prioritized, flexible, and outcome-focused;
— enables organizations to make security investment decisions that address risk,
implement risk mitigations in a way that is most effective for their environments, and
advance security improvements and innovations;
— facilitates communication across boundaries, both within and between
organizations;
— is responsive to the actual risks faced by an organization, while recognizing that
organizational resources are limited;
— reflects a clear understanding of the organization’s particular business drivers
and security considerations;
— allows an organization to manage risks in ways that are consistent with their
own business priorities;
— enables organizations to have flexibility in a rapidly changing technology and
threat landscape, and helps to address the varying needs of organizations and sectors.

More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by
specific stakeholders for specific purposes can be provided on demand. Organizations that
implement a risk-based cybersecurity framework can therefore take advantage of the benefits
without being limited by the need for a full set of detailed implementation guidance.

5.3 Stakeholders
Stakeholders should play an active role, beyond protecting their own assets, in order for
the organization to realize the benefits of a connected global environment.
Internet-enabled systems and applications are expanding beyond the business-to-business,
business-to-consumer, and consumer-to-consumer models, to include many-to-many
interactions and transactions. Individuals and organizations should be prepared to
address emerging security risks and challenges, and effectively prevent and respond to misuse
and criminal exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:

a) describing the organization’s current cybersecurity status;
b) describing the organization’s target state for cybersecurity;
c) identifying and prioritizing opportunities for improvement;
d) assessing progress toward the target state;
e) communicating among internal and external stakeholders about
cybersecurity risks.
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common
across all sectors and organizations. A framework facilitates communication about
implementation of these desired outcomes and associated cybersecurity activities across the
organization, from the executive level to the implementation and operations levels. The
framework should consist of five functions, or high-level descriptions of desired outcomes, which
are concurrent and continuous:
— Identify (6.2.2)
— Protect (6.2.3)
— Detect (6.2.4)
— Respond (6.2.5)
— Recover (6.2.6)
When considered together, these functions provide a high-level, strategic view of an
organization’s management of cybersecurity risk. Within each function, there are also categories
and subcategories, which are a prioritized set of activities that are important for
achieving the specified outcomes.

Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied
to programmatic needs and particular activities. Subcategories further divide each category into
specific outcomes of technical activities, management activities, or both. They provide a set
of results that, while not exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and
subcategories, helps to enable communication across boundaries. While many executives may
seek to understand and make investments to more effectively mitigate organizational risk at the
level of functions, operational practitioners can benefit from the more nuanced description of
desired outcomes at the category or subcategory level. Importantly, though, if high-level and
more nuanced descriptions of outcomes are organized within a single reference point that uses a
common language, communication between executives and practitioners is facilitated,
supporting strategic planning.

NOTE: Annex B provides an example of another type of cybersecurity framework.

6.2 Cybersecurity framework functions
6.2.1 General
Functions organize basic cybersecurity outcomes and activities at their highest level. Important
functions to include in the framework, as noted in 6.1, are:

— Identify
— Protect
— Detect
— Respond
— Recover
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management
decisions, addressing threats, and improving by learning from previous experiences. The main
role of each function is as follows:

— The identify function develops the organizational understanding to manage
cybersecurity risk to systems, assets, data and capabilities. The activities in the
identify function are foundational for effective use of the framework.
Understanding the business context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus and prioritize its efforts,
consistent with its risk management strategy and business needs.

— The protect function develops and implements the appropriate safeguards to
ensure delivery of critical infrastructure services. This function supports the
ability to limit or contain the impact of a potential cybersecurity event.

— The detect function develops and implements the appropriate activities to identify
the occurrence of a cybersecurity event. This function enables timely
discovery of cybersecurity events.

— The respond function develops and implements the appropriate activities to take
action regarding a detected cybersecurity event. This function supports the
ability to contain the impact of a potential cybersecurity event.

— The recover function develops and implements the appropriate activities to
maintain plans for resilience and to restore any capabilities or services that were
impaired due to a cybersecurity event.

Annex A of this document examines each of the categories and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing
ISO and IEC standards to better support the implementation of relevant activities.

The functions of identify, protect, detect, respond, and recover directly align with the
cybersecurity concept attributes in ISO/IEC 27002:2022.

6.2.2  Identify
The identify function develops organizational understanding to manage cybersecurity
risk to systems, assets, data and capabilities. The activities in the identify function are
important for effective use of the framework. Understanding the business context, the resources
that support critical functions, and the related cybersecurity risks enables an organization to
focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Within this function, there are activities that are vital to successful cyber risk management. To
be able to identify these activities, an organization should understand its
organizational objectives and risk management strategy.

Within the identify function, the categories that may be included are shown in Table 1.

Table 1 — Identify categories

Category: Business environment
Description: The organization’s objectives, stakeholders, and activities are understood and used to
inform roles, responsibilities and risk management decisions. Comprehensive security measures are
necessary to cover the company itself, its group companies, business partners of its supply chain and
IT system control outsourcing companies.
References: ISO/IEC 27001:2022, Clause 4; ISO/IEC 27001:2022, Clause 5; ISO/IEC 27036 (all parts);
ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.2.1; ISO 31000:2009 (a), 5.3;
ISO/IEC 27005:2022, 6.1

Category: Risk assessment
Description: The organization understands the risks to the organization’s operations and assets. The
management are required to drive cybersecurity risk measures, considering any possible risk while
proceeding with the utilization of IT.
References: ISO/IEC 27001:2022, Clause 6; ISO/IEC 27014; ISO/IEC 20243-1:2023, Clause 4;
IEC 62443-2-1:2010, 4.2; ISO 31000; ISO/IEC 38505; ISO/IEC 27005:2022, Clause 7

Category: Risk management strategy
Description: An organization’s approach, the management components and resources to be applied to
the management of risk.
References: ISO/IEC 27001:2022, 9.3; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, Clause 4;
ISO/IEC 27005:2022, Clause 6

Category: Governance
Description: To monitor and manage the organization’s regulatory, legal, environmental and operational
requirements. This information is then used to inform the appropriate levels of management.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.4; ISO/IEC 38054; ISO/IEC 38505-1;
ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.3.2.3

Category: Asset management
Description: Identification and management of the systems, data, devices, people and facilities in
relation to the business.
References: ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13; ISO/IEC 20243-1:2023, Clause 4;
IEC 62443-2-1:2010, 4.2.3.4; ISO/IEC 27019:2024, Clause 7

a) Cancelled and replaced by ISO 31000:2018.
6.2.3 Protect
The protect function develops and implements appropriate safeguards to ensure the
delivery of resilient products and services. The protect function also supports the ability
to limit or contain the impact of a potential cybersecurity event.

Within the protect function, the categories that may be included are specified in Table 2.

Table 2 — Protect categories

Category: Access control
Description: Limiting access to facilities and assets to only authorized entities and associated
activities. Included in access management is entity authentication.
References: ISO/IEC 27002:2022, 5.15, 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18; ISO/IEC 29146;
ISO/IEC 29115; IEC 62443-2-1:2010, 4.3.3.5

Category: Awareness and training
Description: Ensuring users and stakeholders are aware of policies, procedures, and responsibilities
relating to cybersecurity.
References: ISO/IEC 27002:2022, 6.3; ISO/IEC 20243:2015, Clause 4; IEC 62443-2-1:2023, 4.3.2.4.2

Category: Data security
Description: Responsible for the confidentiality, integrity, and availability of data and information.
References: ISO/IEC 27002:2022, 5.12, 5.13, 7.10

Category: Information protection processes and procedures
Description: Security policies, processes, and procedures are maintained and used to manage
protection of information systems.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.3, 5.37

Category: Maintenance
Description: Processes and procedures for ongoing maintenance and modernization.
References: ISO/IEC 27002:2022, Clause ?, 5.37; ISO/IEC 20243-1:2023, Clause 4;
IEC 62443-2-1:2010, 4.3.3

Category: Protective technology
Description: Technical security solutions (such as logging, removable media, least access
principles, and network protection).
References: ISO/IEC 27002:2022, 7.10, 7.12, Clause 8; ISO/IEC 27033 series; IEC 62443-2-1 (all parts)
Annex A of this document examines each of the categories and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC
standards to better support the implementation of relevant activities.
6.2.4 Detect
The detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the detect function, the categories that may be included are specified in Table 3.
Table 3 — Detect categories

Category: Anomalies and events
Description: Detection of anomalies and events and understanding of the impact of those events.
References: ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28; ISO/IEC 27035 (all parts)

Category: Security continuous monitoring
Description: Systems being monitored on a regular basis to validate the effectiveness of security
measures in place.
References: ISO/IEC 27002:2022, 6.8

Category: Detection process
Description: Processes and procedures to ensure timely awareness and communication of events.
References: ISO/IEC 27002:2022, 5.24; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 3 and breaks them down into possible outcomes
and activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to
better support the implementation of relevant activities.


6.2.5 Respond
The respond function develops and implements appropriate activities to take action regarding a
detected cybersecurity event. The respond function supports the ability to contain the
impact of a potential cybersecurity event.

Within the respond function, the categories that may be included are specified in
Table 4.

Table 4 — Respond categories

Category: Response planning
Description: Plan for how to respond to events in a timely manner including processes and
procedures for responding to events.
References: ISO/IEC 27002:2022, 5.24, 5.26; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.3.4.5

Category: Communications
Description: Processes and procedures for communicating the timely information to relevant
parties. Companies should communicate appropriately with relevant parties by, for example,
disclosing information on security measures or response on a regular basis or in times of
emergency.
References: ISO/IEC 27002:2022, 5.5, 5.6, 6.8; ISO/IEC 27035 (all parts); ISO/IEC 27014;
IEC 62443-2-1:2010, 4.3.4.5

Category: Analysis
Description: Review of detected events, including categorization and impact of events.
References: ISO/IEC 27002:2022, 5.25, 5.27; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.3.4.5

Category: Mitigation
Description: Activities that limit the expansion of the event, mitigate the event and stop the event.
References: ISO/IEC 27002:2022, 5.26; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.3.4.5

Category: Improvements
Description: The organization reviews the response plan and improves it based on lessons learned
during an event.
References: ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.3.4.5

Annex A examines each of the categories in Table 4 and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC
standards to better support the implementation of relevant activities.
6.2.6 Recover
The recover function develops and implements appropriate activities to maintain plans
for resilience and to restore any capabilities or services that were impaired due to a cybersecurity
event.
Within the recover function, the categories that may be included are specified in
Table 5.

Table 5 — Recover categories

Category: Recovery planning
Description: Plan for how to recover from an event and the next steps after an event.
References: ISO/IEC 27002:2022, 5.26, 5.27; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.4.3.4

Category: Communications
Description: Processes and procedures for communicating the timely information to relevant parties.
References: ISO/IEC 27002:2022, 6.8; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.4.3.4

Category: Improvements
Description: The organization takes the lessons learned during an event and feeds them back into
the process and procedures.
References: ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts); IEC 62443-2-1:2010, 4.4.3.4

Annex A examines each of the categories in Table 5 and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC
standards to better support the implementation of relevant activities.
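The layered structure described in 6.1 and 6.2 (functions, categories, and the controls the tables reference) can be treated as data and used for a coverage check against an organization's own control inventory. The following Python script is an added example and is not part of ISO/IEC TS 27103 or of any ISO or IEC tool. It encodes only the ISO/IEC 27002:2022 subclause references from Tables 1 to 5 (whole-clause references such as "Clause 8" and references to other standards are left out), and the list of implemented controls is a constructed sample. It reports coverage per function for executive-level communication, lists the categories with no implemented control in function order for practitioners, and ranks unimplemented controls by how many such categories each one is cited under.

```python
"""Coverage check over a cybersecurity framework's function/category/control map.

Added example, not part of ISO/IEC TS 27103. FRAMEWORK holds only the
ISO/IEC 27002:2022 subclause references from Tables 1 to 5 of the text;
whole-clause references (e.g. "Clause 8") and other standards are omitted.
"""

FRAMEWORK = {
    # function -> category -> ISO/IEC 27002:2022 control identifiers
    "identify": {
        "governance": {"5.1", "5.2", "5.4"},
        "asset management": {"5.9", "5.10", "5.11", "5.12", "5.13"},
    },
    "protect": {
        "access control": {"5.15", "5.16", "5.17", "5.18",
                           "8.2", "8.3", "8.4", "8.5", "8.18"},
        "awareness and training": {"6.3"},
        "data security": {"5.12", "5.13", "7.10"},
        "information protection processes and procedures": {"5.1", "5.2", "5.3", "5.37"},
        "maintenance": {"5.37"},
        "protective technology": {"7.10", "7.12"},
    },
    "detect": {
        "anomalies and events": {"5.25", "5.26", "5.27", "5.28"},
        "security continuous monitoring": {"6.8"},
        "detection process": {"5.24"},
    },
    "respond": {
        "response planning": {"5.24", "5.26"},
        "communications": {"5.5", "5.6", "6.8"},
        "analysis": {"5.25", "5.27"},
        "mitigation": {"5.26"},
        "improvements": {"5.27"},
    },
    "recover": {
        "recovery planning": {"5.26", "5.27"},
        "communications": {"6.8"},
        "improvements": {"5.27"},
    },
}

# Constructed sample: controls an organization reports as implemented.
SAMPLE_IMPLEMENTED = {"5.1", "5.2", "5.9", "5.10", "5.15", "5.16", "5.17",
                      "5.18", "8.2", "8.3", "5.24", "5.25", "5.26"}


def category_coverage(implemented):
    """{function: {category: fraction of its referenced controls implemented}}."""
    implemented = set(implemented)
    return {fn: {cat: len(ctrls & implemented) / len(ctrls)
                 for cat, ctrls in cats.items()}
            for fn, cats in FRAMEWORK.items()}


def function_coverage(implemented):
    """{function: fraction of the distinct controls it references that are implemented}.

    A control referenced by several categories of one function is counted once."""
    implemented = set(implemented)
    result = {}
    for fn, cats in FRAMEWORK.items():
        refs = set().union(*cats.values())
        result[fn] = len(refs & implemented) / len(refs)
    return result


def gaps(implemented):
    """Categories with none of their referenced controls implemented.

    Returned as (function, category, sorted missing controls) in function
    order, so identify gaps come first (its activities are foundational)."""
    implemented = set(implemented)
    return [(fn, cat, sorted(ctrls))
            for fn, cats in FRAMEWORK.items()
            for cat, ctrls in cats.items()
            if not ctrls & implemented]


def best_next_controls(implemented):
    """Unimplemented controls ranked by how many gap categories cite each one.

    A control cited by several gap categories (e.g. 6.8 under detect,
    respond and recover) surfaces first; ties are broken by identifier."""
    counts = {}
    for _, _, missing in gaps(implemented):
        for ctrl in missing:
            counts[ctrl] = counts.get(ctrl, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for fn, frac in function_coverage(SAMPLE_IMPLEMENTED).items():
        print(f"{fn:<9} {frac:4.0%}")
    for fn, cat, missing in gaps(SAMPLE_IMPLEMENTED):
        print(f"gap  {fn}/{cat}: {', '.join(missing)}")
    print("controls cited by the most gap categories:",
          best_next_controls(SAMPLE_IMPLEMENTED)[:3])
```

The function-level percentages are the view an executive would use, and the category list the view a practitioner would use, which is the cross-boundary communication 6.1 describes. The ranking is a prioritization aid only: a referenced control being in place is not the same as the category's outcome being achieved, which is why the text expresses the framework in outcomes rather than in controls, and the organization's own risk assessment, not the count of citations, should decide what to implement next.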
Annex A
(informative)
Subcategories
A.1 General
As described in Clause 5, Background, effective approaches to cyber risk management are
flexible and outcome-focused, articulated in terms of desired security outcomes rather than
dictating how outcomes should be achieved. However, both outcome-focused and more
prescriptive guidance or controls have valuable functions in cyber risk management; while
objectives are likely to remain consistent, controls should be constantly revised to reflect
organizational and industry learnings, changing threat models, and new security techniques or
capabilities. Baseline cybersecurity measures should articulate desired outcomes, such as
functions and categories, and should remain applicable. Such baselines can reference more
prescriptive guidance, such as subcategory activities and associated standards, that
can be updated by governments and industry as they assess rapidly changing technology and
threat landscape.
In the context of functions and categories, this annex describes a set of subcategory
activities and lists associated standards, demonstrating how existing information security
standards can be used in a cybersecurity framework.

A.2 Identify subcategories
A.2.1 Business environment
Table A.1 describes the subcategory activities under the Business Environment category, along
with standards that can support the understanding and implementation of these activities.

Table A.1 — Identify function: Business environment subcategories

Subcategory: The organization’s role in the supply chain is identified and communicated
Standards mapping: ISO/IEC 27002:2022, 5.21, 5.22; ISO/IEC 27036-1; ISO/IEC 20243:2015, Clause 4

Subcategory: The organization’s place in critical infrastructure and its industry sector is identified
and communicated
Standards mapping: ISO/IEC 27001:2022, 4.1; IEC 62443-2-1:2010, 4.2.2
-------
...


FINAL DRAFT Technical Specification
ISO/IEC DTS 27103.2
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2025-10-28
Voting terminates on: 2025-12-23
Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
Cybersécurité — Recommandations sur l'utilisation des normes ISO et IEC dans le cadre de la cybersécurité
Recipients of this draft are invited to submit, with their comments, notification of any relevant
patent rights of which they are aware and to provide supporting documentation.
In addition to their evaluation as being acceptable for industrial, technological, commercial and
user purposes, draft International Standards may on occasion have to be considered in the light of
their potential to become standards to which reference may be made in national regulations.
Reference number ISO/IEC DTS 27103.2:2025(en)
© ISO/IEC 2025

© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

© ISO/IEC 2025 – All rights reserved
ii
ISO/IEC DTS 27103.2:2025(en)
Contents (page)
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Document structure  1
5 Background  2
5.1 General  2
5.2 Advantages of a risk-based approach to cybersecurity  2
5.3 Interested parties  2
5.4 Activities of a cybersecurity framework and programme  2
6 Concepts  3
6.1 Overview of cybersecurity frameworks  3
6.2 Cybersecurity framework functions  3
6.2.1 General  3
6.2.2 Identify  4
6.2.3 Protect  5
6.2.4 Detect  6
6.2.5 Respond  6
6.2.6 Recover  7
Annex A (informative) Subcategories  8
Annex B (informative) Three principles of cybersecurity for top management  16
Bibliography  19

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This first edition of ISO/IEC TS 27103 cancels and replaces ISO/IEC TR 27103:2018, which has been
technically revised.
The main changes are as follows:
— updated to align with ISO/IEC 27002:2022.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations around the
world, in both government and industry sectors, are seeking ways to address and manage cybersecurity
risks, including via baseline cybersecurity measures that may be implemented as requirements or guidance.
The demonstrated security and economic value of utilizing existing best practices to develop approaches to
cyber risk management has led organizations to assess how to use and improve upon existing approaches.
Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g.
“cybersecurity” versus “information security”. Where similar risks are addressed, this different perspective
can result in “cybersecurity” approaches focusing on external threats and the need to use information for
organizational purposes, while, in contrast, “information security” approaches consider all risks whether
from internal or external sources. There can also be a perception that cybersecurity risks are primarily
related to antagonistic threats, and that a lack of “cybersecurity” can create worse consequences to the
organization than a lack of “information security”. Thus, cybersecurity can be perceived as more relevant
to the organization than information security. This perception can cause confusion and also reduces the
effectiveness of risk assessment and treatment.
Regardless of perception, the concepts behind information security can be used to assess and manage
cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and
structured manner, and ensure that processes, governance and controls are addressed. This can be done
through a management systems approach. An information security management system (ISMS) as
described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to
cybersecurity.
This document demonstrates how a cybersecurity framework can utilize current information security
standards to achieve a well-controlled approach to cybersecurity management.

Cybersecurity — Guidance on using ISO and IEC standards in
a cybersecurity framework
1 Scope
This document provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity
framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2018, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC TS 27100:2020, Information technology — Cybersecurity — Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TS 27100, ISO/IEC 27000 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 2.33, modified — note 1 to entry has been removed.]
3.2
cybersecurity framework
basic set of concepts used to organize and communicate cybersecurity activities
[SOURCE: ISO/IEC TS 27110:2021, 3.1]
4 Document structure
This document provides background on why having a risk-based, prioritized, flexible, outcome-focused, and
communications-enabling framework for cybersecurity is important. It then describes the objectives of a
strong cybersecurity framework and includes mapping to existing standards that can be used to achieve
these objectives.
5 Background
5.1 General
ISO, IEC, and ISO/IEC standards can be applied to help solve the challenges of cybersecurity. Existing and
emerging cybersecurity frameworks throughout the world reference ISO, IEC, and ISO/IEC standards as
useful sources of information.
Implementing a cybersecurity framework, or a cybersecurity programme, requires a consistent and iterative
approach to identifying, assessing, and managing risk and evaluating implementation of the framework.
ISO/IEC 27001 already provides a risk management framework that can be applied to prioritize and
implement cybersecurity activities within an organization.
5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and improve their
cybersecurity risk management over time;
— is prioritized, flexible and outcome-focused;
— enables organizations to make security investment decisions that address risk, implement risk
mitigations in a way that is most effective for their environments, and advance security improvements
and innovations;
— facilitates communication across boundaries, both within and between organizations;
— is responsive to the actual risks faced by an organization, while recognizing that organizational resources
are limited;
— reflects a clear understanding of the organization’s particular business drivers and security
considerations;
— allows an organization to manage risks in ways that are consistent with their own business priorities;
— enables organizations to have flexibility in a rapidly changing technology and threat landscape, and
helps to address the varying needs of organizations and sectors.
More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by specific
interested parties for specific purposes can be provided on demand. Organizations that implement a risk-
based cybersecurity framework can therefore take advantage of the benefits without being limited by the
need for a full set of detailed implementation guidance.
5.3 Interested parties
Interested parties should play an active role, beyond protecting their own assets, in order for the organization
to realize the benefits of a connected global environment. Internet-enabled systems and applications are
expanding beyond the business-to-business, business-to-consumer, and consumer-to-consumer models, to
include many-to-many interactions and transactions. Individuals and organizations should be prepared to
address emerging security risks and challenges, and effectively prevent and respond to misuse and criminal
exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:
a) describing the organization’s current cybersecurity status;
b) describing the organization’s target state for cybersecurity;

c) identifying and prioritizing opportunities for improvement;
d) assessing progress toward the target state;
e) communicating among internal and external interested parties about cybersecurity risks.
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common across all
sectors and organizations. A framework facilitates communication about implementation of these desired
outcomes and associated cybersecurity activities across the organization, from the executive level to
the implementation and operations levels. The framework should consist of five functions, or high-level
descriptions of desired outcomes, which are concurrent and continuous:
— Identify (6.2.2)
— Protect (6.2.3)
— Detect (6.2.4)
— Respond (6.2.5)
— Recover (6.2.6)
When considered together, these functions provide a high-level, strategic view of an organization’s
management of cybersecurity risk. Within each function, there are also categories and subcategories, which
are a prioritized set of activities that are important for achieving the specified outcomes.
Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities. Subcategories further divide each category into specific
outcomes of either technical or management activities, or both. They provide a set of results that, while not
exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and subcategories,
helps to enable communication across boundaries. While many executives may seek to understand and
make investments to more effectively mitigate organizational risk at the level of functions, operational
practitioners can benefit from the more nuanced description of desired outcomes at the category or
subcategory level. Importantly, though, if high-level and more nuanced descriptions of outcomes are
organized within a single reference point that uses a common language, communication between executives
and practitioners is facilitated, supporting strategic planning.
NOTE Annex B provides an example of another type of cybersecurity framework based on the Cybersecurity Management Guidelines for Japanese Enterprise Executives Version 3.0.[13]
6.2 Cybersecurity framework functions
6.2.1 General
Functions organize basic cybersecurity outcomes and activities at their highest level. Important functions
to include in the framework, as noted in 6.1, are:
— Identify
— Protect
— Detect
— Respond
— Recover
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management decisions,
addressing threats, and improving by learning from previous experiences. The main role of each function is
as follows:
— The identify function develops the organizational understanding to manage cybersecurity risk to
systems, assets, data and capabilities. The activities in the identify function are foundational for effective
use of the framework. Understanding the business context, the resources that support critical functions,
and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent
with its risk management strategy and business needs.
— The protect function develops and implements the appropriate safeguards to ensure delivery of critical
infrastructure services. This function supports the ability to limit or contain the impact of a potential
cybersecurity event.
— The detect function develops and implements the appropriate activities to identify the occurrence of a
cybersecurity event. This function enables timely discovery of cybersecurity events.
— The respond function develops and implements the appropriate activities to take action regarding a
detected cybersecurity event. This function supports the ability to contain the impact of a potential
cybersecurity event.
— The recover function develops and implements the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.
Annex A of this document examines each of the categories and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
The functions of identify, protect, detect, respond, and recover directly align with the cybersecurity concept
attributes in ISO/IEC 27002:2022.
6.2.2 Identify
The identify function develops organizational understanding to manage cybersecurity risk to systems,
assets, data and capabilities. The activities in the identify function are important for effective use of the
framework. Understanding the business context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its
risk management strategy and business needs. Within this function, there are activities that are vital to
successful cyber risk management. To be able to identify these activities, an organization should understand
its organizational objectives and risk management strategy.
Within the identify function, the categories that may be included are shown in Table 1.

Table 1 — Identify categories

Category: Business environment
Description: The organization’s objectives, interested parties and activities are understood and used to inform roles, responsibilities and risk management decisions. Comprehensive security measures are necessary to cover the company itself, its group companies, business partners of its supply chain and IT system control outsourcing companies.
References: ISO/IEC 27001:2022, Clause 4; ISO/IEC 27001:2022, Clause 5; the ISO/IEC 27036 series; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, 5.3; ISO/IEC 27005:2022, 6.1

Category: Risk Assessment
Description: The organization understands the risks to the organization’s operations and assets. The management is required to drive cybersecurity risk measures, considering any possible risk while proceeding with the utilization of IT.
References: ISO/IEC 27001:2022, Clause 6; ISO/IEC 27014; ISO/IEC 20243-1:2023, Clause 4; ISO 31000; ISO/IEC 38505; ISO/IEC 27005:2022, Clause 7

Category: Risk Management Strategy
Description: An organization’s approach, the management components and resources to be applied to the management of risk.
References: ISO/IEC 27001:2022, 9.3; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, Clause 4; ISO/IEC 27005:2022, Clause 6

Category: Governance
Description: To monitor and manage the organization’s regulatory, legal, environmental and operational requirements. This information is then used to inform the appropriate levels of management.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.4; ISO/IEC 38054; ISO/IEC 38505-1; ISO/IEC 20243-1:2023, Clause 4

Category: Asset Management
Description: Identification and management of the systems, data, devices, people and facilities in relation to the business.
References: ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.2.3.4; ISO/IEC 27019:2024, Clause 7
Annex A examines each of the categories in Table 1 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.3 Protect
The protect function develops and implements appropriate safeguards to ensure the delivery of resilient
products and services. The protect function also supports the ability to limit or contain the impact of a
potential cybersecurity event.
Within the protect function, the categories that may be included are specified in Table 2.

Table 2 — Protect categories

Category: Access control
Description: Limiting access to facilities and assets to only authorized entities and associated activities. Included in access management is entity authentication.
References: ISO/IEC 27002:2022, 5.15, 5.16, 5.18, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18; ISO/IEC 29146; ISO/IEC 29115

Category: Awareness and training
Description: Ensuring users and interested parties are aware of policies, procedures, and responsibilities relating to cybersecurity.
References: ISO/IEC 27002:2022, 6.3; ISO/IEC 20243-1:2023, Clause 4

Category: Data security
Description: Responsible for the confidentiality, integrity, and availability of data and information.
References: ISO/IEC 27002:2022, 5.12, 5.13, 7.10

Category: Information protection processes and procedures
Description: Security policies, processes, and procedures are maintained and used to manage protection of information systems.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.3, 5.37

Category: Maintenance
Description: Processes and procedures for ongoing maintenance and modernization.
References: ISO/IEC 27002:2022, 5.37; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.3.3

Category: Protective technology
Description: Technical security solutions (such as logging, removable media, least access principles, and network protection).
References: ISO/IEC 27002:2022, 7.10, 7.12, Clause 8; ISO/IEC 27033 (all parts)
Annex A examines each of the categories in Table 2 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.4 Detect
The detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the detect function, the categories that may be included are specified in Table 3.
Table 3 — Detect categories

Category: Anomalies and events
Description: Detection of anomalies and events and understanding of the impact of those events.
References: ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28; ISO/IEC 27035 (all parts)

Category: Security continuous monitoring
Description: Systems being monitored on a regular basis to validate the effectiveness of security measures in place.
References: ISO/IEC 27002:2022, 6.8

Category: Detection process
Description: Processes and procedures to ensure timely awareness and communication of events.
References: ISO/IEC 27002:2022, 5.24; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 3 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.5 Respond
The respond function develops and implements appropriate activities to take action regarding a detected
cybersecurity event. The respond function supports the ability to contain the impact of a potential
cybersecurity event.
Within the respond function, the categories that may be included are specified in Table 4.
Table 4 — Respond categories

Category: Response planning
Description: Plan for how to respond to events in a timely manner including processes and procedures for responding to events.
References: ISO/IEC 27002:2022, 5.24, 5.26; ISO/IEC 27035 (all parts)

Category: Communications
Description: Processes and procedures for communicating the timely information to relevant parties. Companies should communicate appropriately with relevant parties by, for example, disclosing information on security measures or responses on a regular basis or in times of emergency.
References: ISO/IEC 27002:2022, 5.5, 5.6, 6.8; ISO/IEC 27035 (all parts); ISO/IEC 27014

Category: Analysis
Description: Review of detected events, including categorization and impact of events.
References: ISO/IEC 27002:2022, 5.25, 5.27; ISO/IEC 27035 (all parts)

Category: Mitigation
Description: Activities that limit the expansion of the event, mitigate the event and stop the event.
References: ISO/IEC 27002:2022, 5.26; ISO/IEC 27035 (all parts)

Category: Improvements
Description: The organization reviews the response plan and improves it based on lessons learned during an event.
References: ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts)

Annex A examines each of the categories in Table 4 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
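The following is an added worked example, not part of ISO/IEC DTS 27103 and not ISO or IEC tooling. It models the hierarchy of 6.1 (function, category, mapped references, taken from Tables 1 to 4) and carries out the programme activities of 5.4: a current profile, a target profile, risk-prioritized improvement opportunities with the standards to consult for each, progress toward the target, and the function-level roll-up that 6.1 says executives work at. The 0..4 tier scale, the two profiles, the risk weights and all function names (prioritized_gaps, progress, rollup_by_function) are assumptions constructed for the example.

```python
"""Added example; not part of ISO/IEC DTS 27103 and not ISO tooling.

Models the hierarchy of 6.1 (function -> category -> ISO/IEC references,
taken from Tables 1 to 4 on this page) and the programme activities of 5.4:
current state, target state, prioritized improvement opportunities,
progress toward the target, and a function-level roll-up for executives.
The 0..4 tier scale, both profiles and the risk weights are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Category:
    function: str                # Identify, Protect, Detect or Respond
    name: str                    # category name as in Tables 1 to 4
    references: tuple[str, ...]  # standards the page maps to the category


CATEGORIES: tuple[Category, ...] = (
    Category("Identify", "Business environment",
             ("ISO/IEC 27001:2022, Clause 4", "ISO/IEC 27001:2022, Clause 5",
              "ISO/IEC 27036 series", "ISO/IEC 20243-1:2023, Clause 4",
              "ISO 31000:2018, 5.3", "ISO/IEC 27005:2022, 6.1")),
    Category("Identify", "Risk Assessment",
             ("ISO/IEC 27001:2022, Clause 6", "ISO/IEC 27014", "ISO 31000",
              "ISO/IEC 38505", "ISO/IEC 27005:2022, Clause 7")),
    Category("Identify", "Asset Management",
             ("ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13",
              "IEC 62443-2-1:2010, 4.2.3.4", "ISO/IEC 27019:2024, Clause 7")),
    Category("Protect", "Access control",
             ("ISO/IEC 27002:2022, 5.15, 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18",
              "ISO/IEC 29146", "ISO/IEC 29115")),
    Category("Protect", "Data security",
             ("ISO/IEC 27002:2022, 5.12, 5.13, 7.10",)),
    Category("Detect", "Anomalies and events",
             ("ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28", "ISO/IEC 27035 (all parts)")),
    Category("Detect", "Security continuous monitoring",
             ("ISO/IEC 27002:2022, 6.8",)),
    Category("Respond", "Response planning",
             ("ISO/IEC 27002:2022, 5.24, 5.26", "ISO/IEC 27035 (all parts)")),
    Category("Respond", "Improvements",
             ("ISO/IEC 27002:2022, 5.27", "ISO/IEC 27035 (all parts)")),
)
BY_NAME = {c.name: c for c in CATEGORIES}

# Constructed profiles (5.4 a and b): implementation tier per category on a
# 0..4 scale, 0 = not implemented, 4 = adaptive. Not a scale from the document.
CURRENT = {"Business environment": 2, "Risk Assessment": 1, "Asset Management": 1,
           "Access control": 2, "Data security": 2, "Anomalies and events": 0,
           "Security continuous monitoring": 1, "Response planning": 1,
           "Improvements": 0}
TARGET = {name: 3 for name in BY_NAME}
# Constructed risk weights, as would come from the organization's own risk assessment.
RISK_WEIGHT = {"Business environment": 1.0, "Risk Assessment": 2.0,
               "Asset Management": 2.5, "Access control": 3.0, "Data security": 3.0,
               "Anomalies and events": 2.5, "Security continuous monitoring": 2.0,
               "Response planning": 1.5, "Improvements": 1.0}


def validate_profile(profile: dict[str, int]) -> None:
    """Reject categories not in the framework or tiers outside the 0..4 scale."""
    for name, tier in profile.items():
        if name not in BY_NAME:
            raise ValueError(f"unknown category: {name}")
        if not 0 <= tier <= 4:
            raise ValueError(f"tier out of range for {name}: {tier}")


def prioritized_gaps(current: dict[str, int], target: dict[str, int],
                     risk_weight: dict[str, float]) -> list[tuple]:
    """Activity 5.4 c): (category, gap, priority, references), highest priority
    first, where priority = gap * risk weight. Categories already at or above
    target are omitted; ties are broken by category name."""
    validate_profile(current)
    validate_profile(target)
    rows = []
    for name, cat in BY_NAME.items():
        gap = target.get(name, 0) - current.get(name, 0)
        if gap > 0:
            rows.append((name, gap, gap * risk_weight.get(name, 1.0), cat.references))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def progress(baseline: dict[str, int], current: dict[str, int],
             target: dict[str, int]) -> float:
    """Activity 5.4 d): share (0.0..1.0) of the baseline-to-target gap closed.
    Overshooting a target counts only up to that target."""
    planned = {n: max(target[n] - baseline.get(n, 0), 0) for n in target}
    total = sum(planned.values())
    if total == 0:
        return 1.0
    closed = sum(min(max(current.get(n, 0) - baseline.get(n, 0), 0), planned[n])
                 for n in target)
    return closed / total


def rollup_by_function(profile: dict[str, int]) -> dict[str, float]:
    """Function-level view for executives (6.1): mean tier per function."""
    tiers: dict[str, list[int]] = {}
    for name, tier in profile.items():
        tiers.setdefault(BY_NAME[name].function, []).append(tier)
    return {f: round(sum(t) / len(t), 2) for f, t in tiers.items()}
```

With the constructed profiles, prioritized_gaps(CURRENT, TARGET, RISK_WEIGHT) places "Anomalies and events" first (gap 3, priority 7.5) together with the ISO/IEC 27002:2022 and ISO/IEC 27035 references to consult, and rollup_by_function(CURRENT) shows Detect and Respond at a mean tier of 0.5.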
...


Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
ISO/IEC DTS 27103:2025(en).2
Style Definition
...
ISO/IEC JTC 1/SC 27
Style Definition
...
Style Definition
...
Secretariat: DIN
Style Definition
...
Style Definition
Date: 2025-05-0910-14 .
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Cybersecurity – — Guidance on using ISO and IEC standards in a
Style Definition
...
cybersecurity framework
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
Cybersécurité — Recommandations sur l'utilisation des normes ISO et IEC dans le cadre de la cybersécurité
FDIS stage
Formatted: Font: 11 pt
ISO/IEC DTS 27103:2025(.2:(en)
Formatted: Font: 11 pt
Formatted: Font: Bold
Formatted: HeaderCentered, Left
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying,
or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
at the address below or ISO'sISO’s member body in the country of the requester.
ISO Copyright Office copyright office Formatted: zzCopyright address
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Formatted: zzCopyright address
Phone: + 41 22 749 01 11
Email: copyright@iso.org
E-mail: copyright@iso.org
Website: www.iso.orgwww.iso.org
Formatted: German (Germany)
Formatted: German (Germany)
Published in Switzerland.
Formatted: zzCopyright address

Formatted: Font: Not Bold
Formatted: Font: 10 pt
Formatted: Font: 10 pt
Formatted: Font: 10 pt
Formatted: FooterCentered, Left, Space Before: 0 pt, Tab
stops: Not at 17.2 cm
Formatted: Font: 11 pt
Formatted: FooterPageRomanNumber, Left, Space After: 0
pt, Tab stops: Not at 17.2 cm
© ISO/IEC 2025 – All rights reserved
iii
ISO/IEC DTS 27103.2:(en) Formatted: HeaderCentered, Line spacing: single
Contents
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Document structure . 2
5 Background . 2
5.1 General. 2
5.2 Advantages of a risk-based approach to cybersecurity . 2
5.3 Interested parties . 2
5.4 Activities of a cybersecurity framework and programme . 3
6 Concepts . 3
6.1 Overview of cybersecurity frameworks . 3
6.2 Cybersecurity framework functions . 4
Annex A (informative) Subcategories . 9
Annex B (informative) Three principles of cybersecurity for top management . 18
Bibliography . 21

Foreword . 4
Introduction . 5
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Document structure . 1
5 Background . 1
5.1 General. 1
5.2 Advantages of a risk-based approach to cybersecurity . 2
5.3 Stakeholders . 2
5.4 Activities of a cybersecurity framework and programme . 2
6 Concepts . 3
6.1 Overview of cybersecurity frameworks . 3
6.2 Cybersecurity framework functions . 3
6.2.1 General. 3
6.2.2 Identify. 4
6.2.3 Protect . 5
6.2.4 Detect . 6
6.2.5 Respond . 7
6.2.6 Recover . 7
Annex A (informative) Subcategories . 9
Annex B (informative) Three principles of cybersecurity for top management . 18
Formatted: Font: 11 pt
Bibliography . 21
Formatted: FooterPageRomanNumber, Space Before: 0 pt,
Line spacing: single, Tab stops: Not at 17.2 cm
iv © ISO #### /IEC 2025 – All rights reserved
iv
Formatted: Font: 11 pt
ISO/IEC DTS 27103:2025(.2:(en)
Formatted: Font: 11 pt
Formatted: Font: Bold
Foreword Formatted: HeaderCentered, Left
Formatted: Adjust space between Latin and Asian text,
Adjust space between Asian text and numbers
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members
of ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC
Directives, Part 2 (see www.iso.org/directiveswww.iso.org/directives or
www.iec.ch/members_experts/refdocs). Formatted: English (United Kingdom)
Field Code Changed
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of
(a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received
notice of (a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent database
available at www.iso.org/patents and https://patents.iec.ch.www.iso.org/patents and https://patents.iec.ch.
ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding- Formatted: English (United Kingdom)
standards.
Field Code Changed
Formatted: Default Paragraph Font
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection. Formatted: Default Paragraph Font
Formatted: Default Paragraph Font
This first edition of ISO/IEC TS 27103 cancels and replaces ISO/IEC TR 27103:2018, which has been
Formatted: Default Paragraph Font
technically revised.
Formatted: Default Paragraph Font
Formatted: Default Paragraph Font
The main changes are as follows:
Formatted: Default Paragraph Font
— — updated to align with ISO/IEC 27002:2022.
Formatted: Font: Cambria
Formatted: Default Paragraph Font
Any feedback or questions on this document should be directed to the user’s national standards body. A
Formatted: Default Paragraph Font
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-
Formatted: Default Paragraph Font
committeeswww.iso.org/members.html and www.iec.ch/national-committees.
Formatted: Adjust space between Latin and Asian text,
Adjust space between Asian text and numbers

Formatted: Font: 10 pt
Formatted: Font: 10 pt
Formatted: Font: 10 pt
Formatted: FooterCentered, Left, Space Before: 0 pt, Tab
stops: Not at 17.2 cm
Formatted: Font: 11 pt
Formatted: FooterPageRomanNumber, Left, Space After: 0
pt, Tab stops: Not at 17.2 cm
© ISO/IEC 2025 – All rights reserved
v
ISO/IEC DTS 27103.2:(en) Formatted: HeaderCentered, Line spacing: single
Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations around the world,
in both government and industry sectors, are seeking ways to address and manage cybersecurity risks,
including via baseline cybersecurity measures that may be implemented as requirements or guidance. The
demonstrated security and economic value of utilizing existing best practices to develop approaches to cyber
risk management has led organizations to assess how to use and improve upon existing approaches.
Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g.
“cybersecurity” versus “information security”. Where similar risks are addressed, this different perspective
can result in “cybersecurity” approaches focusing on external threats and the need to use information for
organizational purposes, while, in contrast, “information security” approaches consider all risks whether from
internal or external sources. There can also be a perception that cybersecurity risks are primarily related to
antagonistic threats, and that a lack of “cybersecurity” can create worse consequences to the organization than
a lack of “information security”. Thus, cybersecurity can be perceived as more relevant to the organization
than information security. This perception can cause confusion and also reduces the effectiveness of risk
assessment and treatment.
Regardless of perception, the concepts behind information security can be used to assess and manage
cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured
manner, and ensure that processes, governance and controls are addressed. This can be done through a
management systems approach. An information security management system (ISMS) as described in ISO/IEC
27001 is a well-proven way for any organization to implement a risk-based approach to cybersecurity.
This document demonstrates how a cybersecurity framework can utilize current information security
standards to achieve a well-controlled approach to cybersecurity management.
FINAL DRAFT Technical Specification ISO/IEC DTS 27103:2025(en)
Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
1 Scope
This document provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity
framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2018, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC TS 27100:2020, Information technology — Cybersecurity — Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TS 27100, ISO/IEC 27000 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 2.33, modified — Note 1 to entry has been removed.]

3.2
cybersecurity framework
basic set of concepts used to organize and communicate cybersecurity activities
[SOURCE: ISO/IEC TS 27110:2021, 3.1]
4 Document structure
This document provides background on why having a risk-based, prioritized, flexible, outcome-focused, and
communications-enabling framework for cybersecurity is important. It then describes the objectives of a
strong cybersecurity framework and includes mapping to existing standards that can be used to achieve these
objectives.
5 Background
5.1 General
ISO, IEC, and ISO/IEC standards can be applied to help solve the challenges of cybersecurity. Existing and
emerging cybersecurity frameworks throughout the world reference ISO, IEC, and ISO/IEC standards as useful
sources of information.
Implementing a cybersecurity framework, or a cybersecurity programme, requires a consistent and iterative
approach to identifying, assessing, and managing risk and evaluating implementation of the framework.
ISO/IEC 27001 already provides a risk management framework that can be applied to prioritize and
implement cybersecurity activities within an organization.
5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and improve their
cybersecurity risk management over time;
— is prioritized, flexible and outcome-focused;
— enables organizations to make security investment decisions that address risk, implement risk
mitigations in a way that is most effective for their environments, and advance security improvements and
innovations;
— facilitates communication across boundaries, both within and between organizations;
— is responsive to the actual risks faced by an organization, while recognizing that organizational
resources are limited;
— reflects a clear understanding of the organization’s particular business drivers and security
considerations;
— allows an organization to manage risks in ways that are consistent with its own business priorities;
— enables organizations to have flexibility in a rapidly changing technology and threat landscape, and
helps to address the varying needs of organizations and sectors.
More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by specific
interested parties for specific purposes can be provided on demand. Organizations that implement
a risk-based cybersecurity framework can therefore take advantage of the benefits without being limited by
the need for a full set of detailed implementation guidance.
5.3 Interested parties
Interested parties should play an active role, beyond protecting their own assets, in order for the organization
to realize the benefits of a connected global environment. Internet-enabled systems and applications are
expanding beyond the business-to-business, business-to-consumer, and consumer-to-consumer models, to
include many-to-many interactions and transactions. Individuals and organizations should be prepared to
address emerging security risks and challenges, and effectively prevent and respond to misuse and criminal
exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:
a) describing the organization’s current cybersecurity status;
b) describing the organization’s target state for cybersecurity;
c) identifying and prioritizing opportunities for improvement;
d) assessing progress toward the target state;
e) communicating among internal and external interested parties about cybersecurity risks.
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common across all
sectors and organizations. A framework facilitates communication about implementation of these desired
outcomes and associated cybersecurity activities across the organization, from the executive level to the
implementation and operations levels. The framework should consist of five functions, or high-level
descriptions of desired outcomes, which are concurrent and continuous:
— Identify (6.2.2)
— Protect (6.2.3)
— Detect (6.2.4)
— Respond (6.2.5)
— Recover (6.2.6)
When considered together, these functions provide a high-level, strategic view of an organization’s
management of cybersecurity risk. Within each function, there are also categories and subcategories, which
are a prioritized set of activities that are important for achieving the specified outcomes.
Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities. Subcategories further divide each category into specific
outcomes of either technical or management activities, or both. They provide a set of results that, while not
exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and subcategories,
helps to enable communication across boundaries. While many executives may seek to understand and make
investments to more effectively mitigate organizational risk at the level of functions, operational practitioners
can benefit from the more nuanced description of desired outcomes at the category or subcategory level.
Importantly, though, if high-level and more nuanced descriptions of outcomes are organized within a single
reference point that uses a common language, communication between executives and practitioners is
facilitated, supporting strategic planning.
NOTE Annex B provides an example of another type of cybersecurity framework based on the Cybersecurity
Management Guidelines for Japanese Enterprise Executives Version 3.0.[13]
6.2 Cybersecurity framework functions
6.2.1 General
Functions organize basic cybersecurity outcomes and activities at their highest level. Important functions to
include in the framework, as noted in 6.1, are:
— Identify
— Protect
— Detect
— Respond
— Recover
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management decisions,
addressing threats, and improving by learning from previous experiences. The main role of each function is as
follows:
— The identify function develops the organizational understanding to manage cybersecurity risk to
systems, assets, data and capabilities. The activities in the identify function are foundational for effective
use of the framework. Understanding the business context, the resources that support critical functions,
and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent
with its risk management strategy and business needs.
— The protect function develops and implements the appropriate safeguards to ensure delivery of
critical infrastructure services. This function supports the ability to limit or contain the impact of a
potential cybersecurity event.
— The detect function develops and implements the appropriate activities to identify the occurrence of
a cybersecurity event. This function enables timely discovery of cybersecurity events.
— The respond function develops and implements the appropriate activities to take action regarding a
detected cybersecurity event. This function supports the ability to contain the impact of a potential
cybersecurity event.
— The recover function develops and implements the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Annex A of this document examines each of the categories and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to
better support the implementation of relevant activities.
The functions of identify, protect, detect, respond, and recover directly align with the cybersecurity concept
attributes in ISO/IEC 27002:2022.
6.2.2 Identify
The identify function develops organizational understanding to manage cybersecurity risk to systems, assets,
data and capabilities. The activities in the identify function are important for effective use of the framework.
Understanding the business context, the resources that support critical functions, and the related
cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk
management strategy and business needs. Within this function, there are activities that are vital to successful
cyber risk management. To be able to identify these activities, an organization should understand its
organizational objectives and risk management strategy.
Within the identify function, the categories that may be included are shown in Table 1.
Table 1 — Identify categories

| Category | Description | References |
| --- | --- | --- |
| Business environment | The organization’s objectives, interested parties and activities are understood and used to inform roles, responsibilities and risk management decisions. Comprehensive security measures are necessary to cover the company itself, its group companies, business partners of its supply chain and IT system control outsourcing companies. | ISO/IEC 27001:2022, Clause 4; ISO/IEC 27001:2022, Clause 5; the ISO/IEC 27036 series; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, 5.3; ISO/IEC 27005:2022, 6.1 |
| Risk Assessment | The organization understands the risks to the organization’s operations and assets. The management is required to drive cybersecurity risk measures, considering any possible risk while proceeding with the utilization of IT. | ISO/IEC 27001:2022, Clause 6; ISO/IEC 27014; ISO/IEC 20243-1:2023, Clause 4; ISO 31000; ISO/IEC 38505; ISO/IEC 27005:2022, Clause 7 |
| Risk Management Strategy | An organization’s approach, the management components and resources to be applied to the management of risk. | ISO/IEC 27001:2022, 9.3; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, Clause 4; ISO/IEC 27005:2022, Clause 6 |
| Governance | To monitor and manage the organization’s regulatory, legal, environmental and operational requirements. This information is then used to inform the appropriate levels of management. | ISO/IEC 27002:2022, 5.1, 5.2, 5.4; ISO/IEC 38054; ISO/IEC 38505-1; ISO/IEC 20243-1:2023, Clause 4 |
| Asset Management | Identification and management of the systems, data, devices, people and facilities in relation to the business. | ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.2.3.4; ISO/IEC 27019:2024, Clause 7 |
Annex A examines each of the categories in Table 1 and breaks them down into
possible outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC
standards to better support the implementation of relevant activities.
6.2.3 Protect
The protect function develops and implements appropriate safeguards to ensure the delivery of resilient
products and services. The protect function also supports the ability to limit or contain the impact of a
potential cybersecurity event.
Within the protect function, the categories that may be included are specified in Table 2.
Table 2 — Protect categories

| Category | Description | References |
| --- | --- | --- |
| Access control | Limiting access to facilities and assets to only authorized entities and associated activities. Included in access management is entity authentication. | ISO/IEC 27002:2022, 5.15, 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18; ISO/IEC 29146; ISO/IEC 29115 |
| Awareness and training | Ensuring users and interested parties are aware of policies, procedures, and responsibilities relating to cybersecurity. | ISO/IEC 27002:2022, 6.3; ISO/IEC 20243-1:2023, Clause 4 |
| Data security | Responsible for the confidentiality, integrity, and availability of data and information. | ISO/IEC 27002:2022, 5.12, 5.13, 7.10 |
| Information protection processes and procedures | Security policies, processes, and procedures are maintained and used to manage protection of information systems. | ISO/IEC 27002:2022, 5.1, 5.2, 5.3, 5.37 |
| Maintenance | Processes and procedures for ongoing maintenance and modernization. | ISO/IEC 27002:2022, 5.37; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.3.3 |
| Protective technology | Technical security solutions (such as logging, removable media, least access principles, and network protection). | ISO/IEC 27002:2022, 7.10, 7.12, Clause 8; ISO/IEC 27033 (all parts) |
Annex A examines each of the categories in Table 2 and breaks them down into
possible outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC
standards to better support the implementation of relevant activities.
6.2.4 Detect
The detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the detect function, the categories that may be included are specified in Table 3.
Table 3 — Detect categories

| Category | Description | References |
| --- | --- | --- |
| Anomalies and events | Detection of anomalies and events and understanding of the impact of those events. | ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28; ISO/IEC 27035 (all parts) |
| Security continuous monitoring | Systems being monitored on a regular basis to validate the effectiveness of security measures in place. | ISO/IEC 27002:2022, 6.8 |
| Detection process | Processes and procedures to ensure timely awareness and communication of events. | ISO/IEC 27002:2022, 5.24; ISO/IEC 27035 (all parts) |
Annex A examines each of the categories in Table 3 and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to
better support the implementation of relevant activities.
6.2.5 Respond
The respond function develops and implements appropriate activities to take action regarding a detected
cybersecurity event. The respond function supports the ability to contain the impact of a potential
cybersecurity event.
Within the respond function, the categories that may be included are specified in Table 4.
Table 4 — Respond categories

| Category | Description | References |
| --- | --- | --- |
| Response planning | Plan for how to respond to events in a timely manner including processes and procedures for responding to events. | ISO/IEC 27002:2022, 5.24, 5.26; ISO/IEC 27035 (all parts) |
| Communications | Processes and procedures for communicating the timely information to relevant parties. Companies should communicate appropriately with relevant parties by, for example, disclosing information on security measures or responses on a regular basis or in times of emergency. | ISO/IEC 27002:2022, 5.5, 5.6, 6.8; ISO/IEC 27035 (all parts); ISO/IEC 27014 |
| Analysis | Review of detected events, including categorization and impact of events. | ISO/IEC 27002:2022, 5.25, 5.27; ISO/IEC 27035 (all parts) |
| Mitigation | Activities that limit the expansion of the event, mitigate the event and stop the event. | ISO/IEC 27002:2022, 5.26; ISO/IEC 27035 (all parts) |
| Improvements | The organization reviews the response plan and improves it based on lessons learned during an event. | ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts) |
Annex A examines each of the categories in Table 4 and breaks them down into possible
outcomes and activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to
better support the implementation of relevant activities.
6.2.6 Recover
The recover function develops and implements appropriate activities to maintain plans for resilience and to
restore any capabilities or services that were impaired due to a cybersecurity event.
Within the recover function, the categories that may be included are specified in Table 5.
Table 5 — Recover categories

| Category | Description | References |
| --- | --- | --- |
| Recovery Planning | ... | ... |