ISO/IEC 27009:2020 pdf download – Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements.
4 Overview of this document 4.1 General ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”. The guidance of control objectives and controls of ISO/IEC 27001:2013, Annex A, are included in ISO/IEC 27002. ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.
4.2 Structure of this document Clause 5 provides requirements and guidance on how to make addition to, refinement or interpretation of ISO/IEC 27001 requirements. Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content. Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001. Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002. For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply. Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B. In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector: — addition ― see 5.2; — refinement ― see 5.3; — interpretation ― see 5.4. In this document, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector: — addition ― see 6.2; — modification ― see 6.3.
4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls Sector-specific standards related to ISO/IEC 27001 may add requirements or guidance to those of ISO/IEC 27001 or ISO/IEC 27002. The addition may expand the requirements or guidance beyond information security into their sector-specific topic. EXAMPLE ISO/IEC 27018 uses such expansions. ISO/IEC 27018:2019, Annex A contains a set of controls aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/IEC 27018 to cover PII protection in addition to information security. 5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements 5.1 General Figure 1 illustrates how sector-specific requirements are constructed in relation to ISO/IEC 27001.
5.2 Addition of requirements to ISO/IEC 27001 Addition of requirements to ISO/IEC 27001 requirements is permitted. EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2. No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001. Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A. 5.3 Refinement of requirements in ISO/IEC 27001 Refinement of ISO/IEC 27001 requirements is permitted. NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2). Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A. EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard. Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted. EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.