ISO/IEC TR 27024


ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]



“This technical report ... provides references to laws, regulations, and guidelines relying on this family of standards to assist organisations from both public and private sectors, as well as individuals, to perform their activities, which require knowledge and understanding within the information security domain.”
[Source: introduction to the draft Technical Report (2021)]


This Technical Report intends to help organisations determine which ISO27k standards are recommended or required of them for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.


Scope of the standard

It identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards.

It (explicitly) concerns information security, privacy/data protection, and digitalization and electronic archiving.

It does not (explicitly) concern other areas such as governance, contracts, product quality/fitness for purpose, cryptography, digital signatures, defence, official secrets, classified information, health and safety, financial data integrity, medical records, misinformation, and more. Taking a wide perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information.


Content of the standard

The central chapter of the present draft contains just 18 clauses, each listing a selection of relevant laws and regs from a different country or region (such as the EU).


Status of the standard

This Technical Report has been derived from ISO/IEC Joint Technical Committee 1/Sub Committee 27's Standing Document 7 (SD7), an internal committee reference document.

April status update: since SD7 is a mature document, the standard is already at Draft Technical Report stage but for some reason is not due to be published until March 2023.


Personal comments

This project faces a similar conundrum to ISO/IEC 27002. It would be good if the standard was truly comprehensive and could be relied upon as such, but ultimately that is an infeasible objective for a large, lumbering international committee of (primarily) information security experts rather than lawyers, in an area as open-ended and complicated as information security. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable to them, particularly the obligatory ones - hopefully not you though, having read this warning!



Copyright © 2022 IsecT Ltd.