Information security, cybersecurity and privacy protection – Sector-specific application of ISO/IEC 27001 – Requirements.
This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).
This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
This document specifies that additional or refined requirements do not invalidate the requirements in
ISO/IEC 27001.
This document is applicable to those involved in producing sector-specific standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1 interpret, interpretation
explanation of an ISO/IEC 27001 requirement in a sector-specific context which does not invalidate any of the ISO/IEC 27001 requirements
Note 1 to entry: The explanation can pertain to either a requirement or guidance.
3.2 refine, refinement
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001 requirements
4 Overview of this document
4.1 General
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)], and compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”.
The guidance for the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.
ISO/IEC 27002 provides guidelines for information security management practices, including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.