ISO/IEC TS 27103:2026
Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
This document provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework.
Cybersécurité — Recommandations sur l'utilisation des normes ISO et IEC dans le cadre de la cybersécurité
General Information
- Status
- Published
- Publication Date
- 05-Feb-2026
- Current Stage
- 6060 - International Standard published
- Start Date
- 06-Feb-2026
- Due Date
- 03-May-2026
- Completion Date
- 06-Feb-2026
Relations
- Effective Date
- 06-Jun-2022
Overview
ISO/IEC TS 27103:2025 provides comprehensive guidance on using ISO and IEC standards within a cybersecurity framework. This technical specification is aimed at assisting organizations to effectively leverage established standards to build, develop, and enhance their cybersecurity programs. By integrating best practices from information security management, the document helps frame a structured and risk-based approach to managing cybersecurity risks.
Published by ISO and IEC and prepared by Joint Technical Committee ISO/IEC JTC 1/SC 27, the standard updates and aligns previous guidance with ISO/IEC 27002:2022. It emphasizes a communications-enabled, flexible, and outcome-focused cybersecurity framework to improve organizational resilience against cyber threats.
Key Topics
- Risk-Based Cybersecurity Approach: Emphasizes prioritizing cybersecurity activities based on organizational risks, ensuring that resources target the most critical threats.
- Cybersecurity Framework Concepts: Defines the core components of a cybersecurity framework including identification, protection, detection, response, and recovery functions.
- Leveraging Existing Standards: Guides on harmonizing and mapping ISO/IEC standards such as ISO/IEC 27000 and ISO/IEC 27002 to form a cohesive framework.
- Stakeholders and Governance: Addresses the roles of interested parties and top management principles necessary to sustain effective cybersecurity governance.
- Subcategories and Detailed Activities: Includes informative annexes that break down cybersecurity functions into subcategories to enable clear implementation steps.
Applications
ISO/IEC TS 27103 is an essential tool for organizations across public and private sectors looking to:
- Develop a Cybersecurity Framework: Utilize globally recognized standards to establish a resilient management system adaptable to evolving cyber threats.
- Integrate Cybersecurity and Information Security: Harmonize approaches to address both internal and external cyber risks comprehensively.
- Support Risk Management Decision-Making: Apply a structured process for evaluating and responding to cybersecurity risks that align with business objectives.
- Achieve Compliance and Best Practices: Follow internationally recognized guidance to meet regulatory requirements and demonstrate due diligence.
- Enhance Communication and Reporting: Use standardized terms and concepts to facilitate clear communication between technical teams, management, and stakeholders.
Related Standards
ISO/IEC TS 27103 references and aligns with several key standards that form the foundation for cybersecurity frameworks:
ISO/IEC 27000:2018 – Information security management systems overview and vocabulary, providing essential terminology for consistent understanding.
ISO/IEC TS 27100:2020 – Cybersecurity overview and concepts, which sets the broader context for cybersecurity risk management.
ISO/IEC 27002:2022 – Code of practice for information security controls, offering detailed guidance on implementing specific security measures.
Together, these standards create a harmonized ecosystem that supports robust cybersecurity governance and risk management strategies.
By following ISO/IEC TS 27103:2025, organizations can better align their cybersecurity initiatives with internationally accepted best practices, ensuring an effective, risk-aware, and communication-driven framework. This resource is invaluable for technical specialists, cybersecurity managers, and top management committed to enhancing their cybersecurity posture systematically.
Frequently Asked Questions
ISO/IEC TS 27103:2026 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework". It provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity framework.
ISO/IEC TS 27103:2026 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC TS 27103:2026 has the following relationship with other standards: it has inter-standard links to ISO/IEC TR 27103:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
Technical Specification
ISO/IEC TS 27103
First edition, 2026-02
Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework
Cybersécurité — Recommandations sur l'utilisation des normes ISO et IEC dans le cadre de la cybersécurité
Reference number
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2026 – All rights reserved
ii
Contents
Foreword (p. iv)
Introduction (p. v)
1 Scope (p. 1)
2 Normative references (p. 1)
3 Terms and definitions (p. 1)
4 Document structure (p. 1)
5 Background (p. 2)
5.1 General (p. 2)
5.2 Advantages of a risk-based approach to cybersecurity (p. 2)
5.3 Interested parties (p. 2)
5.4 Activities of a cybersecurity framework and programme (p. 2)
6 Concepts (p. 3)
6.1 Overview of cybersecurity frameworks (p. 3)
6.2 Cybersecurity framework functions (p. 3)
6.2.1 General (p. 3)
6.2.2 Identify (p. 4)
6.2.3 Protect (p. 5)
6.2.4 Detect (p. 6)
6.2.5 Respond (p. 6)
6.2.6 Recover (p. 7)
Annex A (informative) Subcategories (p. 8)
Annex B (informative) Three principles of cybersecurity for top management (p. 16)
Bibliography (p. 19)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This first edition of ISO/IEC TS 27103 cancels and replaces ISO/IEC TR 27103:2018, which has been
technically revised.
The main changes are as follows:
— updated to align with ISO/IEC 27002:2022.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
Security on the Internet and other networks is a subject of growing concern. Organizations around the
world, in both government and industry sectors, are seeking ways to address and manage cybersecurity
risks, including via baseline cybersecurity measures that may be implemented as requirements or guidance.
The demonstrated security and economic value of utilizing existing best practices to develop approaches to
cyber risk management has led organizations to assess how to use and improve upon existing approaches.
Perspectives, and consequent approaches, to risk management are affected by the terminology used, e.g.
“cybersecurity” versus “information security”. Where similar risks are addressed, this different perspective
can result in “cybersecurity” approaches focusing on external threats and the need to use information for
organizational purposes, while, in contrast, “information security” approaches consider all risks whether
from internal or external sources. There can also be a perception that cybersecurity risks are primarily
related to antagonistic threats, and that a lack of “cybersecurity” can create worse consequences to the
organization than a lack of “information security”. Thus, cybersecurity can be perceived as more relevant
to the organization than information security. This perception can cause confusion and also reduces the
effectiveness of risk assessment and treatment.
Regardless of perception, the concepts behind information security can be used to assess and manage
cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and
structured manner, and ensure that processes, governance and controls are addressed. This can be done
through a management systems approach. An information security management system (ISMS) as
described in ISO/IEC 27001 is a well-proven way for any organization to implement a risk-based approach to
cybersecurity.
This document demonstrates how a cybersecurity framework can utilize current information security
standards to achieve a well-controlled approach to cybersecurity management.
Technical Specification ISO/IEC TS 27103:2026(en)
Cybersecurity — Guidance on using ISO and IEC standards in
a cybersecurity framework
1 Scope
This document provides guidance on how to leverage existing ISO and IEC standards in a cybersecurity
framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2018, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC TS 27100:2020, Information technology — Cybersecurity — Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TS 27100, ISO/IEC 27000 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 2.33, modified — note 1 to entry has been removed.]
3.2
cybersecurity framework
basic set of concepts used to organize and communicate cybersecurity activities
[SOURCE: ISO/IEC TS 27110:2021, 3.1]
4 Document structure
This document provides background on why having a risk-based, prioritized, flexible, outcome-focused, and
communications-enabling framework for cybersecurity is important. It then describes the objectives of a
strong cybersecurity framework and includes mapping to existing standards that can be used to achieve
these objectives.
5 Background
5.1 General
ISO, IEC, and ISO/IEC standards can be applied to help solve the challenges of cybersecurity. Existing and
emerging cybersecurity frameworks throughout the world reference ISO, IEC, and ISO/IEC standards as
useful sources of information.
Implementing a cybersecurity framework, or a cybersecurity programme, requires a consistent and iterative
approach to identifying, assessing, and managing risk and evaluating implementation of the framework.
ISO/IEC 27001 already provides a risk management framework that can be applied to prioritize and
implement cybersecurity activities within an organization.
5.2 Advantages of a risk-based approach to cybersecurity
A risk-based approach to cybersecurity:
— enables organizations to measure the impact of cybersecurity investments and improve their
cybersecurity risk management over time;
— is prioritized, flexible and outcome-focused;
— enables organizations to make security investment decisions that address risk, implement risk
mitigations in a way that is most effective for their environments, and advance security improvements
and innovations;
— facilitates communication across boundaries, both within and between organizations;
— is responsive to the actual risks faced by an organization, while recognizing that organizational resources
are limited;
— reflects a clear understanding of the organization’s particular business drivers and security
considerations;
— allows an organization to manage risks in ways that are consistent with their own business priorities;
— enables organizations to have flexibility in a rapidly changing technology and threat landscape, and
helps to address the varying needs of organizations and sectors.
More detailed and prescriptive guidance (e.g. detailed standards and guidelines) required by specific
interested parties for specific purposes can be provided on demand. Organizations that implement a
risk-based cybersecurity framework can therefore take advantage of the benefits without being limited by
the need for a full set of detailed implementation guidance.
5.3 Interested parties
Interested parties should play an active role, beyond protecting their own assets, in order for the organization
to realize the benefits of a connected global environment. Internet-enabled systems and applications are
expanding beyond the business-to-business, business-to-consumer, and consumer-to-consumer models, to
include many-to-many interactions and transactions. Individuals and organizations should be prepared to
address emerging security risks and challenges, and effectively prevent and respond to misuse and criminal
exploitation.
5.4 Activities of a cybersecurity framework and programme
The activities of a cybersecurity framework and programme are:
a) describing the organization’s current cybersecurity status;
b) describing the organization’s target state for cybersecurity;
c) identifying and prioritizing opportunities for improvement;
d) assessing progress toward the target state;
e) communicating among internal and external interested parties about cybersecurity risks.
6 Concepts
6.1 Overview of cybersecurity frameworks
A cybersecurity framework captures a set of desired cybersecurity outcomes that are common across all
sectors and organizations. A framework facilitates communication about implementation of these desired
outcomes and associated cybersecurity activities across the organization, from the executive level to
the implementation and operations levels. The framework should consist of five functions, or high-level
descriptions of desired outcomes, which are concurrent and continuous:
— Identify (6.2.2)
— Protect (6.2.3)
— Detect (6.2.4)
— Respond (6.2.5)
— Recover (6.2.6)
When considered together, these functions provide a high-level, strategic view of an organization’s
management of cybersecurity risk. Within each function, there are also categories and subcategories, which
are a prioritized set of activities that are important for achieving the specified outcomes.
Categories are the subdivisions of a function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities. Subcategories further divide each category into specific
outcomes of either technical or management activities, or both. They provide a set of results that, while not
exhaustive, help support achievement of the outcomes in each category.
Organizing a cybersecurity framework into multiple levels, such as functions, categories, and subcategories,
helps to enable communication across boundaries. While many executives may seek to understand and
make investments to more effectively mitigate organizational risk at the level of functions, operational
practitioners can benefit from the more nuanced description of desired outcomes at the category or
subcategory level. Importantly, though, if high-level and more nuanced descriptions of outcomes are
organized within a single reference point that uses a common language, communication between executives
and practitioners is facilitated, supporting strategic planning.
NOTE Annex B provides an example of another type of cybersecurity framework based on the Cybersecurity
Management Guidelines for Japanese Enterprise Executives Version 3.0.[14]
6.2 Cybersecurity framework functions
6.2.1 General
Functions organize basic cybersecurity outcomes and activities at their highest level. Important functions
to include in the framework, as noted in 6.1, are:
— Identify
— Protect
— Detect
— Respond
— Recover
Each of these functions represents an area that an organization can use to express how it manages
cybersecurity risk. These functions aid in organizing activities, enabling risk management decisions,
addressing threats, and improving by learning from previous experiences. The main role of each function is
as follows:
— The identify function develops the organizational understanding to manage cybersecurity risk to
systems, assets, data and capabilities. The activities in the identify function are foundational for effective
use of the framework. Understanding the business context, the resources that support critical functions,
and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent
with its risk management strategy and business needs.
— The protect function develops and implements the appropriate safeguards to ensure delivery of critical
infrastructure services. This function supports the ability to limit or contain the impact of a potential
cybersecurity event.
— The detect function develops and implements the appropriate activities to identify the occurrence of a
cybersecurity event. This function enables timely discovery of cybersecurity events.
— The respond function develops and implements the appropriate activities to take action regarding a
detected cybersecurity event. This function supports the ability to contain the impact of a potential
cybersecurity event.
— The recover function develops and implements the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.
Annex A of this document examines each of the categories and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
The functions of identify, protect, detect, respond, and recover directly align with the cybersecurity concept
attributes in ISO/IEC 27002:2022.
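As an added illustration (not text or code from ISO/IEC TS 27103), the following Python script encodes the function and category structure of 6.1 with one primary reference per category taken from Tables 1 to 5, and carries out activities a) to d) of 5.4 over two profiles: a current state, a target state, a prioritized list of gaps, and the share of the target reached per function. The 0 to 4 maturity scale, the risk weights and the sample profiles are assumptions constructed for the example.

```python
"""Gap assessment over the five-function framework of 6.1, carrying out activities
a) to d) of 5.4.  Added illustration, not part of ISO/IEC TS 27103: the 0 to 4
maturity scale, risk weights and sample profiles are constructed for the example."""
from dataclasses import dataclass

# Function -> category -> primary reference, from Tables 1 to 5 (one per category).
FRAMEWORK = {
    "Identify": {
        "Business environment": "ISO/IEC 27001:2022, Clause 4",
        "Risk Assessment": "ISO/IEC 27001:2022, Clause 6",
        "Risk Management Strategy": "ISO/IEC 27001:2022, 9.3",
        "Governance": "ISO/IEC 27002:2022, 5.1, 5.2, 5.4",
        "Asset Management": "ISO/IEC 27002:2022, 5.9 to 5.13"},
    "Protect": {
        "Access control": "ISO/IEC 27002:2022, 5.15 to 5.18, 8.2 to 8.5, 8.18",
        "Awareness and training": "ISO/IEC 27002:2022, 6.3",
        "Data security": "ISO/IEC 27002:2022, 5.12, 5.13, 7.10",
        "Information protection processes and procedures": "ISO/IEC 27002:2022, 5.1 to 5.3, 5.37",
        "Maintenance": "ISO/IEC 27002:2022, 5.37",
        "Protective technology": "ISO/IEC 27002:2022, 7.10, 7.12, Clause 8"},
    "Detect": {
        "Anomalies and events": "ISO/IEC 27002:2022, 5.25 to 5.28",
        "Security continuous monitoring": "ISO/IEC 27002:2022, 6.8",
        "Detection process": "ISO/IEC 27002:2022, 5.24"},
    "Respond": {
        "Response planning": "ISO/IEC 27002:2022, 5.24, 5.26",
        "Communications": "ISO/IEC 27002:2022, 5.5, 5.6, 6.8",
        "Analysis": "ISO/IEC 27002:2022, 5.25, 5.27",
        "Mitigation": "ISO/IEC 27002:2022, 5.26",
        "Improvements": "ISO/IEC 27002:2022, 5.27"},
    "Recover": {
        "Recovery Planning": "ISO/IEC 27002:2022, 5.26, 5.27",
        "Communications": "ISO/IEC 27002:2022, 6.8",
        "Improvements": "ISO/IEC 27002:2022, 5.27"},
}
MAX_LEVEL = 4  # constructed maturity scale: 0 (not addressed) to 4 (optimized)


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int
    priority: int  # (target - current) * risk weight assigned by the organization
    reference: str


def _validate(profile):
    """Reject misspelled category keys and levels outside the maturity scale."""
    for (fn, cat), level in profile.items():
        if cat not in FRAMEWORK.get(fn, {}):
            raise KeyError(f"unknown category {fn}/{cat}")
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{fn}/{cat}: level must be 0..{MAX_LEVEL}, got {level!r}")


def prioritize(current, target, weights=None):
    """Activity c): improvement opportunities, highest priority first.
    Categories missing from a profile count as level 0 (not yet assessed)."""
    _validate(current); _validate(target)
    weights, order = weights or {}, list(FRAMEWORK)  # ties keep function order
    gaps = []
    for fn, cats in FRAMEWORK.items():
        for cat, ref in cats.items():
            cur, tgt = current.get((fn, cat), 0), target.get((fn, cat), 0)
            if cur < tgt:
                gaps.append(Gap(fn, cat, cur, tgt, (tgt - cur) * weights.get((fn, cat), 1), ref))
    return sorted(gaps, key=lambda g: (-g.priority, order.index(g.function), g.category))


def progress(current, target):
    """Activity d): share of the target reached per function and overall (the 6.1 executive view)."""
    _validate(current); _validate(target)
    reached, total_cur, total_tgt = {}, 0, 0
    for fn, cats in FRAMEWORK.items():
        cur = sum(min(current.get((fn, c), 0), target.get((fn, c), 0)) for c in cats)
        tgt = sum(target.get((fn, c), 0) for c in cats)
        reached[fn] = cur / tgt if tgt else 1.0
        total_cur, total_tgt = total_cur + cur, total_tgt + tgt
    reached["overall"] = total_cur / total_tgt if total_tgt else 1.0
    return reached


# Activities a) and b): constructed current profile and a uniform target of level 3.
CURRENT_PROFILE = {
    ("Identify", "Risk Assessment"): 2, ("Identify", "Governance"): 2,
    ("Identify", "Asset Management"): 1, ("Protect", "Access control"): 3,
    ("Protect", "Data security"): 2, ("Detect", "Security continuous monitoring"): 1,
    ("Respond", "Response planning"): 2, ("Recover", "Recovery Planning"): 1}
TARGET_PROFILE = {(fn, c): 3 for fn, cats in FRAMEWORK.items() for c in cats}
RISK_WEIGHTS = {("Identify", "Asset Management"): 3, ("Recover", "Recovery Planning"): 2,
                ("Detect", "Security continuous monitoring"): 3}  # constructed exposure
```

With these constructed profiles, prioritize(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS) lists 21 of the 22 categories as below target, led by Asset Management and Security continuous monitoring, and progress() reports about 21 % of the overall target reached.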
6.2.2 Identify
The identify function develops organizational understanding to manage cybersecurity risk to systems,
assets, data and capabilities. The activities in the identify function are important for effective use of the
framework. Understanding the business context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its
risk management strategy and business needs. Within this function, there are activities that are vital to
successful cyber risk management. To be able to identify these activities, an organization should understand
its organizational objectives and risk management strategy.
Within the identify function, the categories that may be included are shown in Table 1.
Table 1 — Identify categories

Category: Business environment
Description: The organization’s objectives, interested parties and activities are understood and used to inform roles, responsibilities and risk management decisions. Comprehensive security measures are necessary to cover the company itself, its group companies, business partners of its supply chain and IT system control outsourcing companies.
References: ISO/IEC 27001:2022, Clause 4; ISO/IEC 27001:2022, Clause 5; the ISO/IEC 27036 series; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, 5.3; ISO/IEC 27005:2022, 6.1

Category: Risk Assessment
Description: The organization understands the risks to the organization’s operations and assets. The management is required to drive cybersecurity risk measures, considering any possible risk while proceeding with the utilization of IT.
References: ISO/IEC 27001:2022, Clause 6; ISO/IEC 27014; ISO/IEC 20243-1:2023, Clause 4; ISO 31000; ISO/IEC 38505; ISO/IEC 27005:2022, Clause 7

Category: Risk Management Strategy
Description: An organization’s approach, the management components and resources to be applied to the management of risk.
References: ISO/IEC 27001:2022, 9.3; ISO/IEC 20243-1:2023, Clause 4; ISO 31000:2018, Clause 4; ISO/IEC 27005:2022, Clause 6

Category: Governance
Description: To monitor and manage the organization’s regulatory, legal, environmental and operational requirements. This information is then used to inform the appropriate levels of management.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.4; ISO/IEC TR 38504; ISO/IEC 38505-1; ISO/IEC 20243-1:2023, Clause 4

Category: Asset Management
Description: Identification and management of the systems, data, devices, people and facilities in relation to the business.
References: ISO/IEC 27002:2022, 5.9, 5.10, 5.11, 5.12, 5.13; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.2.3.4; ISO/IEC 27019:2024, Clause 7
Annex A examines each of the categories in Table 1 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.3 Protect
The protect function develops and implements appropriate safeguards to ensure the delivery of resilient
products and services. The protect function also supports the ability to limit or contain the impact of a
potential cybersecurity event.
Within the protect function, the categories that may be included are specified in Table 2.
Table 2 — Protect categories

Category: Access control
Description: Limiting access to facilities and assets to only authorized entities and associated activities. Included in access management is entity authentication.
References: ISO/IEC 27002:2022, 5.15, 5.16, 5.18, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18; ISO/IEC 29146; ISO/IEC 29115

Category: Awareness and training
Description: Ensuring users and interested parties are aware of policies, procedures, and responsibilities relating to cybersecurity responsibilities.
References: ISO/IEC 27002:2022, 6.3; ISO/IEC 20243-1:2023, Clause 4

Category: Data security
Description: Responsible for the confidentiality, integrity, and availability of data and information.
References: ISO/IEC 27002:2022, 5.12, 5.13, 7.10

Category: Information protection processes and procedures
Description: Security policies, processes, and procedures are maintained and used to manage protection of information systems.
References: ISO/IEC 27002:2022, 5.1, 5.2, 5.3, 5.37

Category: Maintenance
Description: Processes and procedures for ongoing maintenance and modernization.
References: ISO/IEC 27002:2022, 5.37; ISO/IEC 20243-1:2023, Clause 4; IEC 62443-2-1:2010, 4.3.3

Category: Protective technology
Description: Technical security solutions (such as logging, removable media, least access principles, and network protection).
References: ISO/IEC 27002:2022, 7.10, 7.12, Clause 8; ISO/IEC 27033 (all parts)
Annex A examines each of the categories in Table 2 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.4 Detect
The detect function identifies the occurrence of a cybersecurity event in a timely fashion.
Within the detect function, the categories that may be included are specified in Table 3.
Table 3 — Detect categories

Category: Anomalies and events
Description: Detection of anomalies and events and understanding of the impact of those events.
References: ISO/IEC 27002:2022, 5.25, 5.26, 5.27, 5.28; ISO/IEC 27035 (all parts)

Category: Security continuous monitoring
Description: Systems being monitored on a regular basis to validate the effectiveness of security measures in place.
References: ISO/IEC 27002:2022, 6.8

Category: Detection process
Description: Processes and procedures to ensure timely awareness and communication of events.
References: ISO/IEC 27002:2022, 5.24; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 3 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.5 Respond
The respond function develops and implements appropriate activities to take action regarding a detected
cybersecurity event. The respond function supports the ability to contain the impact of a potential
cybersecurity event.
Within the respond function, the categories that may be included are specified in Table 4.
Table 4 — Respond categories

Category: Response planning
Description: Plan for how to respond to events in a timely manner including processes and procedures for responding to events.
References: ISO/IEC 27002:2022, 5.24, 5.26; ISO/IEC 27035 (all parts)

Category: Communications
Description: Processes and procedures for communicating the timely information to relevant parties. Companies should communicate appropriately with relevant parties by, for example, disclosing information on security measures or responses on a regular basis or in times of emergency.
References: ISO/IEC 27002:2022, 5.5, 5.6, 6.8; ISO/IEC 27035 (all parts); ISO/IEC 27014

Category: Analysis
Description: Review of detected events, including categorization and impact of events.
References: ISO/IEC 27002:2022, 5.25, 5.27; ISO/IEC 27035 (all parts)

Category: Mitigation
Description: Activities that limit the expansion of the event, mitigate the event and stop the event.
References: ISO/IEC 27002:2022, 5.26; ISO/IEC 27035 (all parts)

Category: Improvements
Description: The organization reviews the response plan and improves it based on lessons learned during an event.
References: ISO/IEC 27002:2022, 5.27; ISO/IEC 27035 (all parts)
Annex A examines each of the categories in Table 4 and breaks them down into possible outcomes and
activities (subcategories), demonstrating how to leverage existing ISO and IEC standards to better support
the implementation of relevant activities.
6.2.6 Recover
The recover function develops and implements appropriate activities to maintain plans for resilience and to
restore any capabilities or services that were impaired due to a cybersecurity event.
Within the recover function, the categories that may be included are specified in Table 5.
Table 5 — Recover categories

Category: Recovery Planning
Description: Plan for how to recover from an event and the next steps after an event.
References: ISO/IEC 27002:2022, 5.26, 5.27; ISO/IEC 27035 (all parts)

Category: Communications
Description: Processes and procedures for communicating the timely information to relevant parties.
References: ISO/IEC 27002:2022, 6.8; ISO/IEC 27035 (all parts)

Category: Improvements
Description: The organization takes the lessons learned during an event and feeds
References: ISO/IEC 27002:2022, 5.27; ISO/I
...