Information security, cybersecurity and privacy protection - Information security controls for the energy utility industry (ISO/IEC 27019:2024)

This document provides information security controls for the energy utility industry, based on ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

German title: Information security, cybersecurity and privacy protection - Information security measures for energy supply (ISO/IEC 27019:2024)

French title: Information security, cybersecurity and privacy protection - Information security measures for the energy operators industry (ISO/IEC 27019:2024)

Slovenian title: Information security, cybersecurity and privacy protection - Information security controls for energy operators (ISO/IEC 27019:2017, corrected version 2019-08)

General Information

Status: Not Published
Publication Date: 09-Dec-2025
Current Stage: 6055 - CEN Ratification completed (DOR) - Publishing
Start Date: 07-Dec-2025
Due Date: 18-Aug-2027
Completion Date: 07-Dec-2025

Relations

Draft: prEN ISO/IEC 27019:2025
Language: English
Pages: 47

Standards Content (Sample)


SLOVENIAN STANDARD
1 October 2025
Slovenian title: Information security, cybersecurity and privacy protection - Information security controls for energy operators (ISO/IEC 27019:2017, corrected version 2019-08)
Information security, cybersecurity and privacy protection - Information security controls for the energy utility industry (ISO/IEC 27019:2024)
German title: Information security, cybersecurity and privacy protection - Information security measures for energy supply (ISO/IEC 27019:2024)
French title: Information security, cybersecurity and privacy protection - Information security measures for the energy operators industry (ISO/IEC 27019:2024)
This Slovenian standard is identical to: prEN ISO/IEC 27019
ICS:
03.100.70 Management systems
27.010 Energy and heat transfer engineering in general
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

International Standard
ISO/IEC 27019
Second edition
2024-10
Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry
French title: Information security, cybersecurity and privacy protection — Information security measures for the energy operators industry
Reference number
ISO/IEC 27019:2024(en) © ISO/IEC 2024

ISO/IEC 27019:2024(en)
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ..... vi
Introduction ..... vii
1 Scope ..... 1
2 Normative references ..... 2
3 Terms, definitions and abbreviated terms ..... 2
3.1 Terms and definitions ..... 2
3.2 Abbreviated terms ..... 4
4 Structure of this document ..... 4
5 Organizational controls ..... 4
5.1 Policies for information security ..... 4
5.2 Information security roles and responsibilities ..... 4
5.3 Segregation of duties ..... 4
5.4 Management responsibilities ..... 4
5.5 Contact with authorities ..... 5
5.6 Contact with special interest groups ..... 5
5.7 Threat intelligence ..... 5
5.8 Information security in project management ..... 5
5.9 Inventory of information and other associated assets ..... 6
5.10 Acceptable use of information and other associated assets ..... 6
5.11 Return of assets ..... 6
5.12 Classification of information ..... 6
5.13 Labelling of information ..... 7
5.14 Information transfer ..... 7
5.15 Access control ..... 7
5.16 Identity management ..... 7
5.17 Authentication information ..... 8
5.18 Access rights ..... 8
5.19 Information security in supplier relationships ..... 8
5.20 Addressing information security within supplier agreements ..... 8
5.21 Managing information security in the ICT supply chain ..... 9
5.22 Monitoring, review and change management of supplier services ..... 9
5.23 Information security for use of cloud services ..... 9
5.24 Information security incident management planning and preparation ..... 9
5.25 Assessment and decision on information security events ..... 9
5.26 Response to information security incidents ..... 9
5.27 Learning from information security incidents ..... 9
5.28 Collection of evidence ..... 9
5.29 Information security during disruption ..... 9
5.30 ICT readiness for business continuity ..... 9
5.31 Legal, statutory, regulatory and contractual requirements ..... 10
5.32 Intellectual property rights ..... 10
5.33 Protection of records ..... 10
5.34 Privacy and protection of PII ..... 10
5.35 Independent review of information security ..... 10
5.36 Compliance with policies, rules and standards for information security ..... 10
5.37 Documented operating procedures ..... 10
5.38 ENR – Identification of risks related to external business partners ..... 10
5.39 ENR – Addressing security when dealing with customers ..... 11
6 People controls ..... 12
6.1 Screening ..... 12
6.2 Terms and conditions of employment ..... 12
6.3 Information security awareness, education and training ..... 12
6.4 Disciplinary process ..... 12
6.5 Responsibilities after termination or change of employment ..... 12
6.6 Confidentiality or non-disclosure agreements ..... 12
6.7 Remote working ..... 13
6.8 Information security event reporting ..... 13
7 Physical controls ..... 13
7.1 Physical security perimeters ..... 13
7.2 Physical entry ..... 13
7.3 Securing offices, rooms and facilities ..... 13
7.4 Physical security monitoring ..... 13
7.5 Protecting against physical and environmental threats ..... 14
7.6 Working in secure areas ..... 14
7.7 Clear desk and clear screen ..... 14
7.8 Equipment siting and protection ..... 14
7.9 Security of assets off-premises ..... 14
7.10 Storage media ..... 15
7.11 Supporting utilities ..... 15
7.12 Cabling security ..... 15
7.13 Equipment maintenance ..... 15
7.14 Secure disposal or re-use of equipment ..... 15
7.15 ENR – Securing control centres ..... 15
7.16 ENR – Securing equipment rooms ..... 16
7.17 ENR – Securing peripheral sites ..... 18
7.18 ENR – Interconnected control and communication systems ..... 18
8 Technological controls ..... 19
8.1 User endpoint devices ..... 19
8.2 Privileged access rights ..... 20
8.3 Information access restriction ..... 20
8.4 Access to source code ..... 20
8.5 Secure authentication ..... 20
8.6 Capacity management ..... 20
8.7 Protection against malware ..... 20
8.8 Management of technical vulnerabilities ..... 21
8.9 Configuration management ..... 21
8.10 Information deletion ..... 21
8.11 Data masking ..... 21
8.12 Data leakage prevention ..... 21
8.13 Information backup ..... 21
8.14 Redundancy of information processing facilities ..... 21
8.15 Logging ..... 21
8.16 Monitoring activities ..... 22
8.17 Clock synchronization ..... 22
8.18 Use of privileged utility programs ..... 22
8.19 Installation of software on operational systems ..... 22
8.20 Networks security ..... 22
8.21 Security of network services ..... 22
8.22 Segregation of networks ..... 23
8.23 Web filtering ..... 23
8.24 Use of cryptography ..... 23
8.25 Secure development life cycle ..... 23
8.26 Application security requirements ..... 23
8.27 Secure system architecture and engineering principles ..... 23
8.28 Secure coding ..... 23
8.29 Security testing in development and acceptance ..... 23
8.30 Outsourced development ..... 23
8.31 Separation of development, test and production environments ..... 23
8.32 Change management ..... 24
8.33 Test information ..... 24
8.34 Protection of information systems during audit testing ..... 24
8.35 ENR – Treatment of legacy systems ..... 24
8.36 ENR – Integrity and availability of safety functions ..... 25
8.37 ENR – Securing process control data communication ..... 25
8.38 ENR – Logical connection of external process control systems ..... 26
8.39 ENR – Least functionality ..... 27
8.40 ENR – Emergency communication ..... 27
Annex A (informative) Energy utility industry specific controls reference ..... 29
Annex B (informative) Correspondence between this document and the first edition (ISO/IEC 27019:2017) ..... 30
Bibliography ..... 38

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 27019:2017), which has been technically
revised.
The main changes are as follows:
— alignment of the controls to the organizational, people, physical and technological themes covered in
ISO/IEC 27002:2022;
— the “Guidance” and “Other information” in Clauses 5 to 8 have been updated, to avoid redundancies with
ISO/IEC 27002:2022;
— attributes have been added to the controls specific to this document.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
0.1  Background and context
This document provides guidance based on ISO/IEC 27002:2022 for information security management when
applied to process control systems used in the energy utility industry. The aim of this document is to extend
the contents of ISO/IEC 27002:2022 to the domain of process control systems and automation technology for
the energy industry.
In addition to the security objectives and measures that are set forth in ISO/IEC 27002:2022, the process
control systems used by energy utilities and energy suppliers are subject to further special requirements.
In comparison with conventional information and communication technology (ICT) environments (e.g.
office information technology, energy trading systems), there are fundamental and significant differences
with respect to the development, operation, repair, maintenance and operating environment of process
control systems. Furthermore, the process technology referred to in this document can represent integral
components of critical infrastructures, and is therefore essential for the secure and reliable
operation of such infrastructures. These distinctions and characteristics should be taken into due
consideration by the management processes for process control systems and justify separate consideration
within ISO/IEC 27001 and related standards.
From the viewpoint of design and function, process control systems used by the energy utility industry are
in fact information processing systems. They collect process data and monitor the status of the physical
processes using sensors. The systems then process this data and generate control outputs that regulate
actions using actuators. The control and regulation are automatic, but manual intervention by operating
personnel is also possible. Information and information processing systems are therefore an essential part
of operational processes within energy utilities. It is important that appropriate controls be applied in the
same manner as for other organizational units.
Software and hardware (e.g. programmable logic) components based on standard ICT technology are
increasingly utilized in process control environments and are also covered in this document. Furthermore,
process control systems in the energy utility industry are increasingly interconnected to form complex
systems. Risks arising from this trend should be considered in a risk assessment.
The information and information processing systems in process control environments are also exposed to
an increasing number of threats and vulnerabilities.
Effective information security in the process control domain of the energy utility industry can be achieved
by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable controls
set forth in this document, in order to attain the specific security and business objectives of the organization.
It is important to give particular consideration here to the special role of the energy utilities in society
and to the economic necessity of a secure and reliable energy supply. Ultimately, the overall success of the
cybersecurity of energy industries is based on collaborative efforts by all stakeholders (vendors, suppliers,
customers, etc.).
0.2  Security considerations for process control systems used by energy utilities
The requirement for a general and overall information security framework for the process control domain of
the energy utility industry is based on several basic requirements:
a) Customers expect a secure and reliable energy supply.
b) Legal requirements demand safe, reliable and secure operation of energy supply systems.
c) Energy providers require information security in order to safeguard their business interests, meet
customers’ needs and comply with legal regulations.

0.3  Information security requirements
It is essential that energy utility organizations identify their security requirements. There are three main
sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization’s overall business
strategy and objectives. This can be facilitated or supported through an information security-specific
risk assessment. This should result in the determination of the controls necessary to ensure that the
residual risk to the organization meets its risk acceptance criteria;
b) the legal, statutory, regulatory and contractual requirements that an organization and its interested
parties (trading partners, service providers, etc.) are expected to comply with and their socio-cultural
environment;
c) the set of principles, objectives and business requirements for all the steps of the life cycle of information
that an organization has developed to support its operations.
NOTE It is important that energy utility organizations ensure that security requirements of process control
systems are analysed and adequately covered in policies for information security. The analysis of the information
security requirements and objectives includes the consideration of all relevant criteria for a secure energy supply and
delivery, such as:
— impairment of the security of energy supply;
— restriction of energy flow;
— affected share of population;
— danger of physical injury;
— effects on other critical infrastructures;
— effects on information privacy;
— financial impacts.
0.4  Determining controls
Once the security requirements and risks have been identified and decisions taken on how to deal with the
risks, appropriate controls are then selected and implemented in order to ensure that the risks are reduced
to an acceptable level.
In addition to the controls provided by a comprehensive information security management system, this
document provides additional assistance and sector-specific measures for the process control systems used
by the energy utility industry, taking into consideration the special requirements in these environments.
If necessary, further controls can be developed to fulfil particular requirements. The selection of controls
depends upon the decisions taken by the organization on the basis of its own risk acceptance criteria, the
options for dealing with the risk and the general risk management approach of the organization.
NOTE National and international law, legal ordinances and regulations can apply.
0.5  Audience
This document is targeted at the persons responsible for the operation of process control systems used by
energy utilities, information security managers, vendors, system integrators and auditors. For this target
group, this document details the fundamental controls according to the objectives of ISO/IEC 27002:2022
and defines specific measures for process control systems in the energy utility industry, their supporting
systems and the associated infrastructure.

International Standard ISO/IEC 27019:2024(en)
Information security, cybersecurity and privacy protection —
Information security controls for the energy utility industry
1 Scope
This document provides information security controls for the energy utility industry, based on
ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and
distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This
includes in particular the following:
— central and distributed process control, monitoring and automation technology as well as information
systems used for their operation, such as programming and parameterization devices;
— digital controllers and automation components such as control and field devices or programmable logic
controllers (PLCs), including digital sensor and actuator elements;
— all further supporting information systems used in the process control domain, e.g. for supplementary
data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and
documentation purposes;
— communication technology used in the process control domain, e.g. networks, telemetry, telecontrol
applications and remote-control technology;
— advanced metering infrastructure (AMI) components, e.g. smart meters;
— measurement devices, e.g. for emission values;
— digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor
mechanisms;
— energy management systems, e.g. for distributed energy resources (DER), electric charging
infrastructures, and for private households, residential buildings or industrial customer installations;
— distributed components of smart grid environments, e.g. in energy grids, in private households,
residential buildings or industrial customer installations;
— all software, firmware and applications installed on above-mentioned systems, e.g. distribution
management system (DMS) applications or outage management systems (OMS);
— any premises housing the abovementioned equipment and systems;
— remote maintenance systems for abovementioned systems.
This document does not apply to the process control domain of nuclear facilities. This domain is covered by
IEC 63096.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security
controls
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27002 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
blackout
widespread electrical power outage
3.1.2
black start
start-up of an electric power system from a total or partial blackout through internal or external energy
resources
3.1.3
computer security incident response team
CSIRT
team of security experts to support the handling of information security incidents
3.1.4
critical asset
asset which can have a direct impact on production or generation, transmission, storage and distribution of
electric power, gas, oil and heat
3.1.5
critical infrastructure
set of organizations and facilities that are essential for the functioning of society and the economy as a whole
Note 1 to entry: A failure or malfunction of such organizations and facilities can result in sustained supply shortfalls,
make a significant impact on public security and have other wide-ranging impacts.
3.1.6
debugging
action of analysing malfunctions in computer systems
3.1.7
distribution system
distribution grid for the transport of electrical energy using a high, medium or low voltage grid, or a local or
regional distribution network for the transport of gas, oil or heat

3.1.8
energy management system
equipment or infrastructure used to monitor, measure and control the energy consumption in private
households, residential buildings or industrial customer installations
Note 1 to entry: The term “energy management system” is also commonly used to refer to a set of applications used
by operators of a transmission power grid to monitor, control and optimize the performance of the generation and/or
transmission system.
3.1.9
energy supply
process of generation, production or storage of energy for delivery to customers and the operation of an
energy supply network
3.1.10
energy utility
legal body or a person that supplies energy in the form of electricity, gas, oil or heat to other parties, to an
energy distribution network or to a storage complex
3.1.11
human–machine interface
HMI
user interface for operating and monitoring a process control system (3.1.13) or a plant
3.1.12
maintenance
measures used in the field of energy supply (3.1.9) that are normally related to inspection, fault clearance
and improvement
3.1.13
process control system
system that serves to control and monitor the generation, production, transmission, storage and distribution
of electric power, gas, oil and heat, including the control of associated supporting processes
Note 1 to entry: Process control systems are often referred to more generally as industrial control systems. In
this document, the terms process control system and industrial control system are restricted to technologies and
components used in the energy utility industry.
3.1.14
safety
freedom from risk which is not tolerable
[SOURCE: ISO/IEC Guide 51:2014, 3.14]
3.1.15
safety system
system and component that are required to ensure safety (3.1.14)
3.1.16
supervisory control and data acquisition
SCADA
process control system (3.1.13) generally used to control dispersed assets using centralized data acquisition
and supervisory controls
3.1.17
smart grid
electric power system that utilizes information exchange and control technologies, distributed computing
and associated sensors and actuators
Note 1 to entry: Smart grid technologies are used for purposes such as:
— integrating the behaviour and actions of the network users and other stakeholders;

— efficiently delivering sustainable, economic and secure electricity supplies.
3.1.18
transmission system
transmission grid for the transport of electrical energy using a high voltage or ultra-high voltage grid or a
gas transmission network for the transport of natural gas using a high-pressure pipeline network
3.2 Abbreviated terms
CSIRT computer security incident response team
HMI human–machine interface
ICT information and communication technology
SCADA supervisory control and data acquisition
4 Structure of this document
This document has the same structure as ISO/IEC 27002:2022 with:
— controls from ISO/IEC 27002 that are unchanged;
— controls with additional guidance and other information specific to the energy utility industry;
— new controls not contained in ISO/IEC 27002:2022, which are prefixed with "ENR".
Table A.1 shows the specific security controls related to energy, which can be considered when implementing
ISO/IEC 27001:2022 in addition to the security controls in ISO/IEC 27001:2022.
Table B.1 shows the correspondence between the controls specified in Clauses 5 to 8 and those in
ISO/IEC 27019:2017. Table B.2 shows the correspondence between the controls specified in the previous
edition (ISO/IEC 27019:2017) and those in this document.
5 Organizational controls
5.1 Policies for information security
There is no additional information specific to the energy utility industry for ISO/IEC 27002:2022, 5.1.
5.2 Information secur
...
