Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.

Sécurité de l'information, cybersécurité et protection des données personnelles — Application de l’ISO/IEC 27001 à un secteur spécifique — Exigences

Informacijska tehnologija - Varnostne tehnike - Uporaba ISO/IEC 27001 za določen sektor - Zahteve

General Information

Status
Withdrawn
Publication Date
20-Apr-2020
Current Stage
9599 - Withdrawal of International Standard
Completion Date
03-May-2023

Relations

Buy Standard

Standard
ISO/IEC 27009:2020 - Information security, cybersecurity and privacy protection -- Sector-specific application of ISO/IEC 27001 -- Requirements
English language
18 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/IEC DIS 27009:2019
English language
24 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 27009
Second edition
2020-04
Information security, cybersecurity
and privacy protection — Sector-
specific application of ISO/IEC 27001
— Requirements
Sécurité de l'information, cybersécurité et protection des données
personnelles — Application de l’ISO/IEC 27001 à un secteur
spécifique — Exigences
Reference number
ISO/IEC 27009:2020(E)
©
ISO/IEC 2020

---------------------- Page: 1 ----------------------
ISO/IEC 27009:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 27009:2020(E)

Contents Page
Foreword .iv
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview of this document . 2
4.1 General . 2
4.2 Structure of this document . 3
4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls . . 3
5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements .3
5.1 General . 3
5.2 Addition of requirements to ISO/IEC 27001 . 4
5.3 Refinement of requirements in ISO/IEC 27001 . 4
5.4 Interpretation of requirements in ISO/IEC 27001 . 4
6 Additional or modified ISO/IEC 27002 guidance . 4
6.1 General . 4
6.2 Additional guidance . 5
6.3 Modified guidance . 5
Annex A (normative) Template for developing sector-specific standards related to
ISO/IEC 27001 and optionally ISO/IEC 27002 . 6
Annex B (normative) Template for developing sector-specific standards related to
ISO/IEC 27002 . 9
Annex C (informative) Explanation of the advantages and disadvantages of numbering
approaches used within Annex B .16
Bibliography .18
© ISO/IEC 2020 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 27009:2020(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the scope has been updated to more clearly reflect the content of this document;
— former Annex A has been divided into Annexes A and B;
— Annex C has been created.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved

---------------------- Page: 4 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27009:2020(E)
Information security, cybersecurity and privacy
protection — Sector-specific application of ISO/IEC 27001
— Requirements
1 Scope
This document specifies the requirements for creating sector-specific standards that extend
ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain,
application area or market).
This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
This document specifies that additional or refined requirements do not invalidate the requirements in
ISO/IEC 27001.
This document is applicable to those involved in producing sector-specific standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirement of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security
controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
© ISO/IEC 2020 – All rights reserved 1

---------------------- Page: 5 ----------------------
ISO/IEC 27009:2020(E)

3.1
interpret
interpretation
explanation of an ISO/IEC 27001 requirement in a sector-specific context which does not invalidate any
of the ISO/IEC 27001 requirements
Note 1 to entry: The explanation can pertain to either a requirement or guidance.
3.2
refine
refinement
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does
not remove or invalidate any of the ISO/IEC 27001 requirements
4 Overview of this document
4.1 General
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually
improving an information security management system. ISO/IEC 27001 states that its requirements
are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an
organization to “determine all controls that are necessary to implement the information security risk
treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with
those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see
6.1.3 c)]”.
The guidance of control objectives and controls of ISO/IEC 27001:2013, Annex A, are included in
ISO/IEC 27002.
ISO/IEC 27002 provides guidelines for information security management practices including the
selection, implementation and management of controls taking into consideration the organization’s
information security risk environment. The guidelines have a hierarchical structure that consists of
clauses, control objectives, controls, implementation guidance and other information. The guidelines
of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type,
size or nature.
While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial
enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific
versions of these standards.
EXAMPLES
The following documents have been developed to address these sector-specific needs are:
— ISO/IEC 27010, Information technology — Security techniques — Information security management for inter-
sector and inter-organizational communications
— ISO/IEC 27011, Information technology — Security techniques — Code of practice for Information security
controls based on ISO/IEC 27002 for telecommunications organizations
— ISO/IEC 27017, Information technology — Security techniques — Code of practice for information security
controls based on ISO/IEC 27002 for cloud services
— ISO/IEC 27018, Information technology — Security techniques — Code of practice for protection of personally
identifiable information (PII) in public clouds acting as PII processors
— ISO/IEC 27019, Information technology — Security techniques — Information security controls for the energy
utility industry
2 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 27009:2020(E)

Other organizations have also produced standards addressing sector-specific needs.
Sector-specific standards should be consistent with the requirements of the information security
management system. This document specifies requirements on how to create sector-specific standards
that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).
This document assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted,
and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.
4.2 Structure of this document
Clause 5 provides requirements and guidance on how to make addition to, refinement or interpretation
of ISO/IEC 27001 requirements.
Clause 6 provides requirements and guidance on how to provide control clauses, control objectives,
controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002
content.
Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001.
Annex B contains two templates which shall be used for sector-specific standards related to
ISO/IEC 27002.
For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002
(see Clause 6), both Annex A and Annex B apply.
Annex C provides explanations about advantages and disadvantages of two different numbering
approaches applied in the two templates in Annex B.
In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector:
— addition ― see 5.2;
— refinement ― see 5.3;
— interpretation ― see 5.4.
In this document, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector:
— addition ― see 6.2;
— modification ― see 6.3.
4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls
Sector-specific standards related to ISO/IEC 27001 may add requirements or guidance to those of
ISO/IEC 27001 or ISO/IEC 27002. The addition may expand the requirements or guidance beyond
information security into their sector-specific topic.
EXAMPLE ISO/IEC 27018 uses such expansions. ISO/IEC 27018:2019, Annex A contains a set of controls
aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/IEC 27018
to cover PII protection in addition to information security.
5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements
5.1 General
Figure 1 illustrates how sector-specific requirements are constructed in relation to ISO/IEC 27001.
© ISO/IEC 2020 – All rights reserved 3

---------------------- Page: 7 ----------------------
ISO/IEC 27009:2020(E)

Figure 1 — Construction of sector-specific requirements
5.2 Addition of requirements to ISO/IEC 27001
Addition of requirements to ISO/IEC 27001 requirements is permitted.
EXAMPLE A sector which has additional requirements for an information security policy can add them to
the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.
No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the
requirements defined in ISO/IEC 27001.
Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the
requirements and guidance set out in Annex A.
5.3 Refinement of requirements in ISO/IEC 27001
Refinement of ISO/IEC 27001 requirements is permitted.
NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).
Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the
requirements and guidance set out in Annex A.
EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In
this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d)
need to be refined to include the additional controls given in the sector-specific standard.
Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted.
EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within
the scope of the sector-specific management system. This requirement could refine the general requirement in
ISO/IEC 27001:2013, 7.2.
5.4 Interpretation of requirements in ISO/IEC 27001
Interpretation of ISO/IEC 27001 requirements is permitted.
NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place
them into sector-specific context (see 3.1).
Where applicable, sector-specific interpretations of ISO/IEC 27001 requirements shall follow the
requirements and guidance set out in Annex A.
6 Additional or modified ISO/IEC 27002 guidance
6.1 General
Figure 2 illustrates how ISO/IEC 27002 guidance can be added to or modified.
4 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 27009:2020(E)

Figure 2 — Construction of sector-specific guidance
Each control shall only contain one instance of the word “should”.
NOTE In ISO/IEC 27001, Information security risk treatment requires an organization to state controls
that have been determined and justification of inclusions, and justification for exclusions of controls from
ISO/IEC 27001:2013, Annex A. Having only one use of “should” within a control statement eliminates the
possibility of ambiguity over the scope of the control.
6.2 Additional guidance
Addition of clauses, control objectives, controls, implementation guidance and other information to
ISO/IEC 27002 is permitted.
Where applicable, clauses, control objectives, controls, implementation guidance and other information
additional to ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.
Before specifying additional clauses, control objectives or controls, entities producing sector-specific
standards related to ISO/IEC 27001 should consider whether a more effective approach would be
to modify existing ISO/IEC 27002 content, or achieve the desired result just through the addition of
sector-specific control objectives (instead of adding clauses), controls (instead of control objectives),
implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002
content.
6.3 Modified guidance
Clauses, controls and their control objectives contained in ISO/IEC 27002 shall not be modified.
If there is a sector-specific need to include a control objective that contradicts a control objective
contained in ISO/IEC 27002, a new sector-specific control objective shall be introduced. The new control
objective shall have at least one sector-specific control. If there is a sector-specific need to include a
control that contradicts a control contained in ISO/IEC 27002, a new sector-specific control shall be
introduced.
Modification of implementation guidance and other information from ISO/IEC 27002 is permitted.
Where applicable, modified clauses, control objectives, controls, implementation guidance and other
information from ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.
© ISO/IEC 2020 – All rights reserved 5

---------------------- Page: 9 ----------------------
ISO/IEC 27009:2020(E)

Annex A
(normative)

Template for developing sector-specific standards related to
ISO/IEC 27001 and optionally ISO/IEC 27002
A.1 Drafting instructions
In A.2, the following formatting conventions are used:
— the text in angle brackets should be replaced by suitable sector-specific text.
EXAMPLE For the telecommunications sector, the title of Clause 4 of the template in A.2, “-
specific requirements" is adapted as “Telecommunications-specific requirements".
— the text in braces and italics indicates how to use this part of the template; this text should be
deleted in the final version of the sector-specific standard.
— the text written without special formatting should be copied verbatim.
A.2 Template
Introduction
{Include how the requirements contained within this document relate to the requirements specified within
ISO/IEC 27001 and optionally how the guidance contained within the standard relate to the guidance in
ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}
{Insert the following text.}
This document is NOT a new management system standard independent of ISO/IEC 27001, but rather
specifies -specific requirements that are composed of refinements of and/or additions to
requirements in ISO/IEC 27001.
{If the sector-specific standard is also related to ISO/IEC 27002, insert the following text instead of the above.}
This document is NOT a new management system standard independent of ISO/IEC 27001, but rather:
a) specifies -specific requirements that are composed of refinements of and/or additions to
requirements in ISO/IEC 27001; and
b) specifies -specific guidance that supports additions to and/or modifications of
ISO/IEC 27002 (see Clause 6).
1  Scope
{Include appropriate scope statements including the relationship of the standard to ISO/IEC 27001 and
optionally ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}
2  Normative references
{Insert the relevant normative references, including ISO/IEC 27001 and optionally ISO/IEC 27002.}
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
6 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 27009:2020(E)

3  Terms and definitions
{Insert the following text to ensure that ISO/IEC 27000 is included.}
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 [and the
following] apply.
4  -specific requirements related to ISO/IEC 27001:2013
4.1  General
{Insert the following text.}
All requirements from ISO/IEC 27001:2013, Clauses 4 to 10, that do not appear below shall apply
unchanged.
{Add all sector-specific requirements. When adding a requirement, check first whether it is related to a
requirement already existing in ISO/IEC 27001. If additional requirements relate to existing requirements
from ISO/IEC 27001, add a title to them with a prefix of at least three letters for the sector, followed by the
subclause number and the original title of the subclause from ISO/IEC 27001.
EXAMPLE 4.2  CLD 4.1 Understanding the organization and its context.
If there is no relation to an existing requirement, place the additional requirement as a new subclause at the
end after all other subclauses in Clause 4 of the sector-specific standard.}
{Optionally, a sector-specific standard may have a table which indicates the relationship between the (sub)
clause of the sector-specific standard and those of ISO/IEC 27001. A table is a useful tool which helps readers
understand the placement of the clauses of the sector-specific standard compared to those of ISO/IEC 27001.}
Table 1 — Correspondence of -specific requirements with ISO/IEC 27001
Subclause in Title Subclause in Remarks
ISO/IEC 27001:2013 this document




{Indicate sector-specific requirements that are additional to the ISO/IEC 27001 requirements by insertion of
the following text.}
In addition to ISO/IEC 27001:2013, , the following applies.
{Indicate sector-specific requirements that refine ISO/IEC 27001:2013 requirements by insertion of the
following text.}
ISO/IEC 27001:2013, is refined as follows.
{Indicate sector-specific requirements that interpret ISO/IEC 27001:2013 requirements by insertion of the
following text.}
ISO/IEC 27001:2013, is interpreted as follows.
{If possible, show the added, refined or interpreted text by use of italics.}
{If the sector-specific standard has sector-specific controls, always insert the following text.}
ISO/IEC 27001:2013, 6.1.3 c), is refined as follows.
© ISO/IEC 2020 – All rights reserved 7

---------------------- Page: 11 ----------------------
ISO/IEC 27009:2020(E)

Compare the controls determined in 6.1.3 b) above with those in ISO/IEC 27001:2013, Annex A, and
with Annex A, to verify that no necessary controls have been omitted.
ISO/IEC 27001:2013, 6.1.3 d), is refined as follows.
Produce a Statement of Applicability that contains:
— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)];
— a justification for their inclusion;
— whether the necessary controls are implemented or not; and
— a justification for excluding any of the controls in Annex A and ISO/IEC 27001:2013, Annex A.
{The controls in ISO/IEC 27001:2013, Annex A, are not requirements. However, it is possible to mandate
controls. There are two different types of sources of mandated controls. If the set of mandated controls
comes from an external source, then add a requirement mandating the set of controls by referencing the
external source. If they are introduced in this document, specify them explicitly. Such mandated controls
should be placed in the most relevant clause (i.e. Clauses 4 to 10) in this document, for example Clause 8.
Insert the following text to specify the mandated controls as a refinement to ISO/IEC 27001 as an additional
clause.}
In addition to ISO/IEC 27001:2013, Clause , the following applies.
{If the sector-specific standard is also related to ISO/IEC 27002, use the template generated by combining
Clause 4 of this template and Clauses 4 to 6 in B.2 or Clauses 4 to 18 in B.3 appropriately so that the
structure of the sector-specific standard fits for its purpose.}
{If the sector-specific standard has sector-specific controls, add an Annex A in the same way as of
ISO/IEC 27001:2013, Annex A, with the following text.}
Annex A list of the -specific reference control objectives and controls which shall be applied as
additions to ISO/IEC 27001:2013, Annex A, as specified in 4.1.
Annex A
(normative)
< Sector > -specific reference control objectives and controls
{Introduce Table A.1 in the same format as ISO/IEC 27001:2013, Annex A, with the following text.}
The additional or modified control objectives and controls listed in Table A.1 are directly derived from
and aligned with those defined in this document and are to be used in context with ISO/IEC 27001:2013,
6.1.3, as refined by this document.
8 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 12 ----------------------
ISO/IEC 27009:2020(E)

Annex B
(normative)

Template for developing sector-specific standards related to
ISO/IEC 27002
B.1 Drafting instructions
B.1.1 Common instructions
In B.2 and B.3, the following formatting conventions are used:
— the text in angle brackets should be replaced by suitable sector-specific text;
EXAMPLE For the telecommunications sector, the title of Clause 6 of the template in B.2 or 4.3 of the
template in B.3, “-specific guidance” is adapted as “Telecommunications-specific guidance”.
— the text in braces and italics indicates how to use this part of the template; this text should be
deleted in the final version of the sector-specific standard;
— the text written without special formatting should be copied verbatim.
B.1.2 Instructions for two numbering approaches
There are two templates, B.2 and B.3, which apply different types of numbering approaches for sector-
specific clauses, control objectives, controls, implementation guidance and other information. In
producing sector-specific standards using this annex, one of the templates should be selected, that is
suitable to the reference standard. The numbering approaches are described in B.1.3 and B.1.4.
Annex C provides an explanation of the advantages and disadvantages of the two numbering approaches
given in B.2 and B.3.
B.1.3 Numbering approach to indicate all of sector-specific contents with three-letter
prefix in Clause 6 of the sector-specific standard (B.2)
Numbers and titles with a three-letter prefix for the sector (along with the subclause number of the
sector-specific document) are used as the titles of subclauses in Clause 6 of the sector-specific standard
for additional or modified clauses, control objectives, controls, implementation guidance and
...

SLOVENSKI STANDARD
oSIST ISO/IEC DIS 27009:2019
01-september-2019
Informacijska tehnologija - Varnostne tehnike - Uporaba ISO/IEC 27001 za določen
sektor - Zahteve
Information technology -- Security techniques -- Sector-specific application of ISO/IEC
27001 -- Requirements
Technologies de l'information -- Techniques de sécurité -- Application de lISO/IEC 27001
à un secteur spécifique -- Exigences
Ta slovenski standard je istoveten z: ISO/IEC DIS 27009:2019
ICS:
03.100.70 Sistemi vodenja Management systems
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.030 Informacijska varnost IT Security
oSIST ISO/IEC DIS 27009:2019 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST ISO/IEC DIS 27009:2019

---------------------- Page: 2 ----------------------
oSIST ISO/IEC DIS 27009:2019
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27009
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2019-06-28 2019-09-20
Information technology — Security techniques — Sector-
specific application of ISO/IEC 27001 — Requirements
Technologies de l'information — Techniques de sécurité — Application de l’ISO/IEC 27001 à un secteur
spécifique — Exigences
ICS: 03.100.70; 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 27009:2019(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2019

---------------------- Page: 3 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

Contents Page
Foreword .iv
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview of this document . 2
4.1 General . 2
4.2 Structure of this document . 3
4.3 Expanding ISO/IEC 27001:2013 requirements or ISO/IEC 27002:2013 controls . 3
5 Addition to, refinement or interpretation of ISO/IEC 27001:2013 requirements .4
5.1 General . 4
5.2 Addition of requirements to ISO/IEC 27001:2013 . 4
5.3 Refinement of requirements in ISO/IEC 27001:2013. 4
5.4 Interpretation of requirements in ISO/IEC 27001:2013 . 4
6 Additional or modified ISO/IEC 27002:2013 guidance . 5
6.1 General . 5
6.2 Additional guidance . 5
6.3 Modified guidance . 5
Annex A (normative) Template for developing sector-specific standards related to ISO/
IEC 27001:2013 and optionally ISO/IEC 27002:2013 . 6
Annex B (normative) Template for developing sector-specific standards related to ISO/
IEC 27002:2013 . 9
Annex C (informative) Explanation of the advantages and disadvantages of numbering
approaches used within Annex B .16
Bibliography .18
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the scope was updated to more clearly reflect the content of this document;
— the template in the previous Annex A was divided into two annexes – Annex A for a sector-specific
standard related to ISO/IEC 27001:2013 and Annex B for a sector-specific standard related to ISO/
IEC 27002:2013 (for a standard related to both ISO/IEC 27001:2013 and ISO/IEC 27002:2013, Annex
A and Annex B can be jointly used in accordance with instructions provided in Annex A);
— Annex C was newly produced to provide explanation on two numbering approaches presented in
B.2 and B.3 to help readers when they decide to apply one of the two approaches to their sector-
specific standards.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

[Revision Criteria Notes:
In responding to the CD ballot for ISO/IEC 27009, WG 1 would like to draw National Bodies attention to the
following revision criteria that has been identified and discussed at the previous WG 1 editing meetings
(Berlin October 2017, Wuhan April 2018 and Gjøvik September 2018- see also WG 1 N1326 editors meeting
report). WG 1 would therefore request National Body comments, that are submitted as a result of this ballot,
take account of the criteria in order that the issues raised in this criteria are resolved and finalised.
Revision Criteria
a. There should be two or three different templates;
Two types of templates were discussed in response to the comments in N987 and N930 that clarification is
necessary on how sector-specific standards can be produced in accordance with ISO/IEC 27009, Annex A.
These templates are: one for refinements of ISO/IEC 27001 and the other for additions or modifications to
ISO/IEC 27002. Editors will include the two templates in the WD as a starting point.
Once this is finalized, the situation will be reviewed and it will be decided whether a combined template for
ISO/IEC 27001 & ISO/IEC 27002 will be needed.
-->For a sector-specific standard that relates to both ISO/IEC 27001 and ISO/IEC 27002, it was decided to
apply both Annex A and Annex B instead of having the combined template at the Gjøvik meeting.
b. Explanatory text should be added in the template (and maybe also in the main body) to make things
clearer for the end user of the new standards;
It was agreed that ambiguity in the application of Annex A of ISO/IEC 27009, which was raised in N930,
should be resolved by adding a sentence to explain that ISO/IEC 27009 is in place to enable entities, such as
ISO committees, to produce sector-specific standards based on ISO/IEC 27001 and/or ISO/IEC 27002; it is
not the intent that new management standards are produced.
--> The text was discussed and modified at the Wuhan meeting - see “0 Introduction” of Annex A and Annex B.
c. No specific title for the sector-specific standards;
It was confirmed that it was already agreed to remove the specific title for the sector-specific standards
at the Abu-Dhabi meeting. Editors removed the text related to this point in this document. (--> this was
resolved.)
d. Numbering of the sector-specific controls;
This topic was discussed in the ISO/IEC 27009 revision meeting and also in the meeting for SD 8 (27009 Use
Cases). The final agreements made in these meetings are:
Both options (the one applied by ISO/IEC 27010, ISO/IEC 27011 and ISO/IEC 27017, and the one applied by
ISO/IEC 27019) will be included in the text.
It was agreed that editors will include these two numbering approaches with descriptive text (background)
for information so that the two approaches can be compared. An Editor’s note asking for comments will also
be included.
The ITTF secretariat kindly attended the meeting and advised us that ITTF can accept letter prefixes to
ISO/IEC 27002 numbers, conceptually they then become unnumbered headings which are permissible.
--> at the Wuhan meeting, it was discussed and agreed to have both approaches in Annex B and add a new
Annex C for guidance to the approaches – see Annex B and Annex C.
e. The scope might need to be updated to clarify the purpose of the document
It was pointed out that due care should be taken for scope change since it needs a ballot that will affect the
schedule of the ISO/IEC 27009 revision, and agreed to add following editors’ note from experts:
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

Editor’s note: if there is any problems with the current scope and title, please provide explanation and
example if you have any such cases.
--> The scope was modified based on the comments to the editors’ note and agreed at the Wuhan meeting
–, the JTC 1 endorsed the scope change (see SC 27 WG 1 N1468). It was also decided that 27009 is for those
who produce sector-specific standards that extend ISO/IEC 27001:2013 and complement or amend ISO/
IEC 27002, which mean that the sector-specific standards solely based on ISO/IEC 27002 without any link to
ISO/IEC 27001 are out of the scope of 27009.)
As the general structure and content of ISO/IEC 27009:2016 were agreed to by all National Bodies, it was also
agreed that the above points constitute the targets of the revision at the meeting in Berlin, October 2017.]
vi © ISO/IEC 2019 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST ISO/IEC DIS 27009:2019
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27009:2019(E)
Information technology — Security techniques — Sector-
specific application of ISO/IEC 27001 — Requirements
1 Scope
This document specifies the requirements for creating sector-specific standards that extend ISO/
IEC 27001:2013, and complement or amend ISO/IEC 27002:2013 to support a specific sector (domain,
application area or market).
This document explains how to;
— include requirements in addition to those in ISO/IEC 27001:2013,
— refine or interpret any of the ISO/IEC 27001:2013 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002:2013,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002:2013,
— add guidance to or modify the guidance of ISO/IEC 27002:2013.
This document specifies that additional or refined requirements do not invalidate the requirements in
ISO/IEC 27001:2013.
This document is applicable to those involved in producing sector-specific standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirement of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information
security controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at http: //www .iso .org/obp
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 9 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

3.1
interpret
interpretation
explanation of an ISO/IEC 27001:2013 requirement in a sector-specific context which does not
invalidate any of the ISO/IEC 27001:2013 requirements
Note 1 to entry: to entry The explanation can pertain to either a requirement or guidance.
3.2
refine
refinement
supplementation or adaptation of an ISO/IEC 27001:2013 requirement in a sector-specific context
which does not remove or invalidate any of the ISO/IEC 27001:2013 requirements
4 Overview of this document
4.1 General
ISO/IEC 27001:2013 is an International Standard that defines the requirements for establishing,
implementing, maintaining and continually improving an information security management system.
ISO/IEC 27001:2013 states that its requirements are generic and are intended to be applicable to all
organizations, regardless of type, size or nature.
NOTE Management system standards within ISO are built in accordance with ISO/IEC Directives, Part 1,
[1]
Consolidated ISO Supplement, 2018.
ISO/IEC 27001:2013 includes normative Annex A which provides control objectives and controls. ISO/
IEC 27001:2013 requires an organization to “determine all controls that are necessary to implement
the information security risk treatment option(s) chosen (see 6.1.3 b))”, and “compare the controls
determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been
omitted (see 6.1.3 c))”. The guidance of control objectives and controls of ISO/IEC 27001:2013, Annex A
are included in ISO/IEC 27002:2013.”
ISO/IEC 27002:2013 is an International Standard that provides guidelines for information security
management practices including the selection, implementation and management of controls taking
into consideration the organization’s information security risk environment. The guidelines have a
hierarchical structure that consists of clauses, control objectives, controls, implementation guidance
and other information. The guidelines of ISO/IEC 27002:2013 are generic and are intended to be
applicable to all organizations, regardless of type, size or nature.
While ISO/IEC 27001:2013 and ISO/IEC 27002:2013 are widely accepted in organizations, including
commercial enterprises, government agencies and not-for-profit organizations, there are needs for
sector-specific versions of these standards. Examples of standards which have been developed to
address these sector-specific needs are:
[2]
— ISO/IEC 27010 , Information security management for inter-sector and inter-organizational
communications;
[3]
— ISO/IEC 27011 , Code of practice for information security controls based on ISO/IEC 27002:2013
for telecommunications organizations;
[4]
— ISO/IEC 27017 , Code of practice for information security controls based on ISO/IEC 27002:2013
for cloud services;
[5]
— ISO/IEC 27018 , Code of practice for protection of personally identifiable information (PII) in
public clouds acting as PII processors; and
[6]
— ISO/IEC 27019:2017 , Information security controls for the energy utility industry.
Organizations outside of ISO/IEC have also produced standards addressing sector-specific needs.
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

Sector-specific standards should be consistent with the requirements of the information security
management system. This document specifies requirements on how to create sector-specific standards
that extend ISO/IEC 27001:2013 and complement or amend ISO/IEC 27002:2013 (see Clause 1).
This document assumes that all requirements from ISO/IEC 27001:2013 that are not refined or
interpreted, and all controls in ISO/IEC 27002:2013 that are not modified, apply in the sector-specific
context unchanged.
4.2 Structure of this document
Clause 5 provides requirements and guidance on how to make addition to, refinement or interpretation
of ISO/IEC 27001:2013 requirements.
Clause 6 provides requirements and guidance on how to provide control clauses, control objectives,
controls, implementation guidance or other information that are additional to or modify ISO/
IEC 27002:2013 content.
Annex A contains a template which should be used for sector-specific standards related to ISO/
IEC 27001:2013.
Annex B contains two templates which should be used for sector-specific standards related to ISO/
IEC 27002:2013.
For sector-specific standards related to both ISO/IEC 27001:2013 (see Clause 5) and ISO/IEC 27002:2013
(see Clause 6), both Annex A and Annex B apply.
Annex C provides explanations about advantages and disadvantages of two different numbering
approaches applied in the two templates in Annex B.
Within this document, the following concepts are used to adapt ISO/IEC 27001:2013 requirements for
a sector:
— Addition – see 5.2;
— Refinement – see 5.3;
— Interpretation – see 5.4.
Within this document, the following concepts are used to adapt ISO/IEC 27002:2013 guidance for a sector:
— Addition – see 6.2;
— Modification – see 6.3.
NOTE Any sector-specific guidance that is developed following the requirements and guidance in this
[1]
document cannot be contained within a Technical Report. The ISO/IEC Directives define a Technical Report
as a document that does not contain requirements, and any sector-specific standard developed based on this
document contains requirements (see Clause 4 of the template in A.2, Clause 5 of the template in B.2, and 4.2 of
the template in B.3).
4.3 Expanding ISO/IEC 27001:2013 requirements or ISO/IEC 27002:2013 controls
Sector-specific standards related to ISO/IEC 27001:2013 may add requirements or guidance to those
of ISO/IEC 27001:2013 or ISO/IEC 27002:2013. The addition may expand the requirements or guidance
beyond information security into their sector-specific topic.
EXAMPLE ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public
[5]
clouds acting as PII processors uses such expansions. ISO/IEC 27018:2014 , Annex A contains a set of controls
aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/
[5]
IEC 27018 to cover PII protection in addition to information security.
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 11 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

5 Addition to, refinement or interpretation of ISO/IEC 27001:2013 requirements
5.1 General
Figure 1 illustrates how sector-specific requirements are constructed in relationship to ISO/
IEC 27001:2013.
Figure 1 — Construction of sector-specific requirements
5.2 Addition of requirements to ISO/IEC 27001:2013
Addition of requirements to ISO/IEC 27001:2013 requirements is permitted.
EXAMPLE A sector which has additional requirements for an information security policy can add them to
the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.
No requirement that is added to those in ISO/IEC 27001:2013 shall remove or invalidate any of
the requirements defined in ISO/IEC 27001:2013. Sector-specific additions to ISO/IEC 27001:2013
requirements shall, where applicable, follow the requirements and guidance set out in Annex A of this
document.
5.3 Refinement of requirements in ISO/IEC 27001:2013
Refinement of ISO/IEC 27001:2013 requirements is permitted.
NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001:2013 (see 3.2).
Sector-specific refinements of ISO/IEC 27001:2013 requirements shall, where applicable, follow the
requirements and guidance set out in Annex A of this document.
EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In
this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d)
need to be refined to include the additional controls given in the sector-specific standard.
Specification of a particular approach to meeting requirements in ISO/IEC 27001:2013 is also permitted.
EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within
the scope of the sectors-specific management system. This requirement could refine the general requirement in
ISO/IEC 27001:2013, 7.2.
5.4 Interpretation of requirements in ISO/IEC 27001:2013
Interpretation of ISO/IEC 27001:2013 requirements is permitted.
NOTE Interpretations do not invalidate any of the ISO/IEC 27001:2013 requirements but explain them or
place them into sector-specific context (see 3.1).
Sector-specific interpretations of ISO/IEC 27001:2013 requirements shall, where applicable, follow the
requirements and guidance set out in Annex A of this document.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

6 Additional or modified ISO/IEC 27002:2013 guidance
6.1 General
Figure 2 illustrates how ISO/IEC 27002:2013 guidance can be added to or modified.
Figure 2 — Construction of sector-specific guidance
Each control shall only contain one instance of the word “should”.
NOTE In ISO/IEC 27001:2013, Information security risk treatment requires an organization to state
controls that have been determined and justification of inclusions, and justification for exclusions of controls
from Annex A. Having only one use of “should” within a control statement eliminates the possibility of ambiguity
over the scope of the control.
6.2 Additional guidance
Addition of clauses, control objectives, controls, implementation guidance and other information to
ISO/IEC 27002:2013 is permitted.
Clauses, control objectives, controls, implementation guidance and other information additional to ISO/
IEC 27002:2013 shall, where applicable, follow the requirements and guidance set out in Annex B of this
document.
Before specifying additional clauses, control objectives or controls, entities producing sector-specific
standards related to ISO/IEC 27001:2013 should consider whether a more effective approach would
be to modify existing ISO/IEC 27002:2013 content, or achieve the desired result just through the
addition of sector-specific control objectives (instead of adding clauses), controls (instead of control
objectives), implementation guidance and other information (instead of controls) to the existing ISO/
IEC 27002:2013 content.
6.3 Modified guidance
Clauses, controls and their control objectives contained in ISO/IEC 27002:2013 shall not be modified.
If there is a sector-specific need to contradict a control objective contained in ISO/IEC 27002:2013, a
new sector-specific control objective with at least one sector-specific control shall be introduced. If
there is a sector-specific need to contradict a control contained in ISO/IEC 27002:2013, a new sector-
specific control shall be introduced.
Modification of implementation guidance and other information from ISO/IEC 27002:2013 is permitted.
Modified clauses, control objectives, controls, implementation guidance and other information from
ISO/IEC 27002:2013 shall, where applicable, follow the requirements and guidance set out in Annex B of
this document.
© ISO/IEC 2019 – All rights reserved 5

---------------------- Page: 13 ----------------------
oSIST ISO/IEC DIS 27009:2019
ISO/IEC DIS 27009:2019(E)

Annex A
(normative)

Template for developing sector-specific standards related to ISO/
IEC 27001:2013 and optionally ISO/IEC 27002:2013
A.1 Drafting instructions
Within A.2 the following formatting convention is used:
— Text in angle brackets should be replaced by suitable sector-specific text.
EXAMPLE For the sector telecommunications, the title of Clause 4 of the template in A.2, “-specific
requirements …”, should read “Telecommunications-specific requirements …”.
— Text in braces and italics indicates how to use this part of the template; this text should be deleted
in the final version of the sector-specific standard.
— Text written without special formatting should be copied verbatim.
A.2 Template
0  Introduction
{Include how the requirements contained within this standard relate to the requirements specified within
ISO/IEC 27001:2013 and optionally how the guidance contained within this
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.