ISO/IEC 27009:2020 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements (second edition)
This standard is intended to guide those who would develop ‘sector-specific’ standards based on or relating to ISO/IEC 27001, where ‘sector’ is shorthand for “field, application area or market sector” ... and so the muddle begins.
Scope and purpose
Quoting from the 2nd edition [FDIS] scope:
“This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).
This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.
This document is applicable to those involved in producing sector-specific standards.”
There are two main-body sections:
- Guidance on how to refine or even extend the generic management system requirements for a specific “sector” (adapting ISO/IEC 27001);
- Guidance on adding new information security controls or expanding on the implementation advice in ISO/IEC 27002 for a specific “sector”. [Note: this goes beyond the scope implied by the standard’s title.]
... plus three annexes:
- Two templates for writing sector-specific variants of ‘27001 and/or ‘27002;
- An explanation of the pros and cons of different clause-numbering approaches in the annex on sector-specific variants of ‘27002 (!).
Status of the standard
The standard was first published in 2016.
An expanded second edition was published in June 2020.
Why on Earth did SC 27 think it worthwhile developing and publishing an International Standard about developing standards? Surely that is an internal matter, in other words a ‘Standing Document’ for the committee if anything. Why publish it formally as an IS??
I am gob-smacked that 96% of national standards bodies voted to publish this standard in the first place. What were they thinking? Who is expected to buy and use it? Presumably those mysterious “entities producing sector-specific standards”. Oh, that would be the SC 27 committee then, surely? If other bodies wish to create their own versions of any of the ISO27k standards, there’s nothing to stop them except copyright. I rather doubt any of them need to be told how to do it.
For me, this standard is a shining example of the nonsense that happens when committees tie themselves up in red tape. I honestly can’t think of anyone that will benefit from the publication of this standard ... not even SC 27 itself. The costs of developing the extended second version merely compound the issue. Where are the benefits to offset those not inconsiderable costs?
There lingers a further, deeper concern about the very concept of sector-specific variants of 27001/27002. As with BS 7799 before them, the ISO27k standards have always been deliberately generic and broadly applicable to all sorts and sizes of organization. Each organization is required to identify, assess and treat its particular information risks, using a structured and systematic management system of the same general form. The implementation guidance and accredited certification processes are well established and work just fine. Surely that is good enough?
Question: how many pages does it take to say “Skim over everything relevant that is adequately covered by other standards, focusing solely on anything specific or unique to the industry”?
Answer: approximately 55 in the second edition, more than twice as long as the first.
In my admittedly rather cynical impression, the entire standard could be replaced by a diagram or a simple sentence along the lines of “A sector-specific standard is generated by adding, refining or interpreting the requirements in ISO/IEC 27001 and/or ISO/IEC 27002 for the sector concerned <full stop>”