ISO/IEC TR 27024
ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]

 

Abstract

“This document provides a list of national regulations that reference ISO/IEC 27001 as a requirement.”
[Source: ISO/IEC JTC 1/SC 27 SD11]

Introduction

This Technical Report is intended to help organisations determine which ISO27k standards are recommended or required of them for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.


Scope of the standard

The draft standard:

  • Identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards;
  • Explicitly concerns information security, privacy/data protection, and digitalization and electronic archiving;
  • Does not (explicitly) concern other areas such as governance, contracts, product quality/fitness for purpose, cryptography, digital signatures, defence, official secrets, classified information, health and safety, financial data integrity, medical records, misinformation, and more.

Content of the standard

The central chapter contains just 18 clauses, each listing a selection of relevant laws and regs from a different country or region (such as the EU).


Status of the standard

This Technical Report has been derived from ISO/IEC Joint Technical Committee 1/Sub Committee 27’s Standing Document 7 (SD7), an internal committee reference document.

Status update (April): since SD7 is a mature document, the standard is already at Draft Technical Report stage and was due to be published in Q3 2023. However, collating and maintaining information on the sheer quantity and variety of laws and regs around the globe that are potentially in scope risks overloading and delaying this project.


Personal comments

If this remained as a Standing Document without the formalities of becoming a standard, it would be easier, quicker and cheaper to update it as the referenced standards and laws/regs change, with the bonus of being freely available to those who need the information ... but it looks set to be published as a Technical Report.

Taking a wide perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information.

This project faces a similar conundrum to ISO/IEC 27002. It would be good if the standard was truly comprehensive and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!



Copyright © 2024 IsecT Ltd