ISO/IEC TR 27024




 

Introduced in Oct

ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]

 

Abstract

“This technical report ... provides references to laws, regulations, and guidelines relying on this family of standards to assist organisations from both public and private sectors, as well as individuals, to perform their activities, which require knowledge and understanding within the information security domain.”
[Source: introduction to the draft Technical Report (2021)]
 

Introduction

This Technical Report is intended to help organisations determine which ISO27k standards are recommended or required of them for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations and guidelines in the field of information security management.

 

Scope of the standard

The Technical Report identifies a number of national laws, regulations and guidelines that depend and build on the ISO27k standards.

It (explicitly) concerns information security, privacy/data protection, and digitalisation and electronic archiving.

It does not (explicitly) concern other areas such as governance, contracts, product quality/fitness for purpose, cryptography, digital signatures, defence, official secrets, classified information, health and safety, financial data integrity, medical records, misinformation, and more. Taking a wide perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information, so the report's coverage is necessarily narrower than the full set of obligations an organisation may face.

 

Content of the standard

The central chapter of the present draft contains just 18 clauses, each listing a selection of relevant laws and regs from a different country or region (such as the EU).

 

Status of the standard

The Draft Technical Report is derived from ISO/IEC Joint Technical Committee 1/Sub Committee 27's Standing Document 7, an internal committee reference document.

It is due to be published at some future point (the online SC27 work program is unavailable as I write this).

 

Personal comments

This project faces a similar risk to ISO/IEC 27002. It would be good if the standard were comprehensive and could be relied upon as such, but ultimately that is an infeasible objective for a large, lumbering international committee of (primarily) information security experts rather than lawyers, in an area as open-ended and complicated as information security. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs in fact apply to them, particularly the obligatory ones.

 


Copyright © 2021 IsecT Ltd.