ISO IEC 27009:2020 pdf download. Information security, cybersecurity and privacy protection: Sector-specific application of ISO/IEC 27001 requirements.
ISO IEC 27009 specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).
ISO IEC 27009 explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
ISO IEC 27009 specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.
This document is applicable to those involved in producing sector-specific standards.
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”.
The guidance for the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.
ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Addition of requirements to ISO/IEC 27001 requirements is permitted.
EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.
No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001.
Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.
5.3 Refinement of requirements in ISO/IEC 27001
Refinement of ISO/IEC 27001 requirements is permitted.
NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).
Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the
ISO IEC 27009 is NOT a new management system standard independent of ISO/IEC 27001, but rather specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001.
(If the sector-specific standard is also related to ISO/IEC 27002, insert the following text instead of the above.)
ISO IEC 27009 is NOT a new management system standard independent of ISO/IEC 27001, but rather:
a) specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001; and
b) specifies <sector>-specific guidance that supports additions to and/or modifications of ISO/IEC 27002 (see Clause 6).