ISO/IEC TS 27100



ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts (first edition)



“This document provides an overview of cybersecurity. This document: describes cybersecurity and relevant concepts, including how it is related to and different from information security; establishes the context of cybersecurity; does not cover all terms and definitions applicable to cybersecurity; and does not limit other standards in defining new cybersecurity-related terms for use.”
[Source: ISO/IEC TS 27100:2020]


According to this Technical Specification:

    “Cybersecurity is a broad term used differently through the world. This document defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.

    Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”


Scope of the standard

“This document provides an overview of cybersecurity ...”


Content of the standard

The standard explains the terms and concepts relating to cybersecurity and cyber risk management, contrasting them with information risk and security management.



The standard was first published in 2020.


Personal notes

See also ISO/IEC 27032.

It seems to me two cyber worlds coexist on parallel planes:

  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It could be a delaying tactic.
  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.

Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters - possibly the desired outcome of #1 above.

Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul de sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution to the field. They claim “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a very curious way of putting it. Ironic, really, for a standard that is meant to clarify things ...



Copyright © 2023 IsecT Ltd