Draft
ISO/IEC PRF TS 27100 - Information technology -- Cybersecurity -- Overview and concepts
English language
17 pages

Standards Content (sample)

TECHNICAL SPECIFICATION ISO/IEC TS 27100
First edition
Information technology — Cybersecurity — Overview and concepts
PROOF/ÉPREUVE
Reference number: ISO/IEC TS 27100:2020(E)
© ISO/IEC 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved
Contents

Foreword (page iv)
Introduction (page v)
1 Scope (page 1)
2 Normative references (page 1)
3 Terms and definitions (page 1)
4 Concepts (page 2)
4.1 Cyberspace (page 2)
4.2 Cybersecurity (page 3)
5 Relationship between cybersecurity and relevant concepts (page 3)
5.1 Relationship between information security and cybersecurity (page 3)
5.2 Relationship between ISMS and cybersecurity (page 4)
5.2.1 Cyberspace as a field of risk sources for an ISMS (page 4)
5.2.2 ISMS in support of cybersecurity (page 4)
5.3 Cybersecurity framework (page 5)
5.4 Cybersecurity and safety (page 5)
5.5 Cyber insurance (page 5)
6 Risk management approach in the context of cybersecurity (page 6)
6.1 General (page 6)
6.2 Threat identification (page 6)
6.3 Risk identification (page 7)
7 Cyber threats (page 7)
7.1 General (page 7)
7.2 General business organization (page 7)
7.3 Industrial organization and industrial automation and control systems (page 8)
7.4 Products, services, and supplier relationships (page 8)
7.5 Telecommunications services/internet service providers (page 9)
7.6 Public authorities (page 9)
7.7 Critical infrastructure (page 10)
7.8 Individual person (page 10)
8 Incident management in cybersecurity (page 10)
8.1 General (page 10)
8.2 Incident management within an organization (page 11)
8.3 Cross-organizational coordination (page 11)
8.4 Technical support by product and service supplier (page 11)
Annex A (informative) A layered model representing cyberspace (page 13)
Bibliography (page 17)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Cybersecurity is a broad term that is used differently throughout the world.

Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many information security controls, methods and techniques can be applied to manage cyber risks.

ISO/IEC 27001 provides requirements for information security management systems. The focus of ISO/IEC 27001 is on the security of information, and the associated risks, within environments predominantly under the control of a particular organization. Cybersecurity focuses on the risks in cyberspace, an interconnected digital environment that can extend across organizational boundaries, and in which entities share information, interact digitally and have a responsibility to respond to cybersecurity incidents.
Information technology — Cybersecurity — Overview and concepts
1 Scope

This document provides an overview of cybersecurity.

This document:
— describes cybersecurity and relevant concepts, including how it is related to and different from information security;
— establishes the context of cybersecurity;
— does not cover all terms and definitions applicable to cybersecurity; and
— does not limit other standards in defining new cybersecurity-related terms for use.

This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
cyber attack
attack
malicious attempts to exploit vulnerabilities in information systems or physical systems in cyberspace (3.5) and to damage, disrupt or gain unauthorized access to these systems

Note 1 to entry: Expression of an offensive operation in or through cyberspace leading to unauthorized use of services, creating illicit services, orchestrating denial of service, or altering or deleting data or resources.

3.2
cybersecurity
safeguarding of people, society, organizations and nations from cyber risks (3.7)

Note 1 to entry: Safeguarding means keeping cyber risks at a tolerable level.
3.3
cybersecurity event
occurrence indicating a possible breach of cybersecurity (3.2) or failure of controls

[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — In the term and the definition, "information security" has been replaced with "cybersecurity".]

3.4
cybersecurity incident
one or multiple related and identified cybersecurity events (3.3) that can harm people, society, organizations or nations

[SOURCE: ISO/IEC 27035-1:2016, 3.4, modified — In the term and the definition, "information security" has been replaced with "cybersecurity". In the definition, new wording has been added after "harm".]

3.5
cyberspace
interconnected digital environment of networks, services, systems, people, processes, organizations, and that which resides on the digital environment or traverses through it

Note 1 to entry: Interconnected digital environment that traverses public infrastructure, e.g. the internet, rather than parts of the organisation's internal network or air-gapped digital environments that may not traverse public infrastructure.

[SOURCE: ISO/IEC 27102:2019, 3.6, modified — In the definition, the part after "processes" has been added.]

3.6
cyber threat
potential cause of an unwanted cybersecurity incident (3.4), which can result in harm to a system, people, society, organization, or other entities in cyberspace (3.5)

[SOURCE: ISO/IEC 27000:2018, 3.74, modified — The term "threat" has been replaced with "cyber threat". In the definition, "incident" has been replaced with "cybersecurity incident", and new wording has been added after "system".]

3.7
risk
effect of uncertainty on objectives

Note 1 to entry: Cyber risk can be expressed as the effect of uncertainty on the objectives of entities in cyberspace (3.5).

Note 2 to entry: Cyber risk is associated with the potential that threats will exploit vulnerabilities in cyberspace and thereby cause harm to entities in cyberspace.

[SOURCE: ISO/IEC 27000:2018, 3.61, modified — Notes 1 to 6 to entry have been replaced.]

4 Concepts

4.1 Cyberspace

Cyberspace is a complex environment based on digital technologies that provides a global place for digital interaction among people, including formal and informal interactions with public or private entities such as businesses, governments, non-profit organizations and other groups. Cyberspace is public, but because its individual components are owned by a variety of entities, it can be considered both public and private space. People and entities interact in cyberspace for many different purposes. This interaction is manifested as the sharing, exchange, processing or receipt of information. Any interaction taken in cyberspace by an individual or an entity potentially has a near-instantaneous impact anywhere in the world.

While interactive actions in cyberspace create knowledge and power, the following features of cyberspace can bring both advantageous and adverse consequences:
a) cyberspace is borderless;
b) anyone can enter and leave cyberspace freely or at a very low cost;
c) cyber actors can be anonymous or obfuscated; and
d) a threat agent can be anywhere in cyberspace, from the opposite side of the globe to a close neighbour of the target.

An action in cyberspace and its impacts can be asymmetric: an action that is cheap and easy to originate can have consequences that are disproportionately difficult and costly to counteract. In order to take advantage of cyberspace, it is important to prevent adverse consequences, that is, to ensure cybersecurity.

4.2 Cybersecurity

The objective of adequate cybersecurity is to maintain an acceptable level of stability, continuity and safety for entities operating in cyberspace. While it is not always possible to achieve these objectives fully, cybersecurity aims to reduce cyber risks to a tolerable level.

Areas of concern for cybersecurity include:
a) stability and continuity of society, organizations and nations;
b) property (including information) of people and organizations; and
c) human lives and health.

Cybersecurity with these characteristics is implemented by individual organizations. In cyberspace, organizations need to consider not only themselves but also the other parties who share cyberspace. An organization needs to manage its own vulnerabilities so that it does not adversely affect other actors, and it needs to work with others to reduce cyber risks. In addition, cybersecurity needs to reduce the social and human losses in real space caused by cybersecurity incidents in cyberspace. Therefore, immediate detection of, and appropriate response to, information security incidents are important elements of cybersecurity.
5 Relationship between cybersecurity and relevant concepts

5.1 Relationship between information security and cybersecurity

Information security and cybersecurity are closely related and overlapping, but they have different perspectives and concerns.

Information security is defined in ISO/IEC 27000 as "preservation of confidentiality, integrity and availability of information". It primarily deals with information. The definition is general; it does not specify its application or the subject entity. Once an entity and its context are determined as the subject of information security, the concerns of information security can be established, e.g.:
a) confidentiality of information that has value to an organization;
b) integrity and availability of information that is critical to business operation;
c) availability of the information and communication technology (ICT) infrastructure on which business processes depend; and
d) reliable and trusted delivery of ICT services.

A breach of information security in cyberspace can cause a cybersecurity incident. This means that, in the context of cybersecurity, information security risks are viewed as cyber risks. However,

cybersecurity and information security differ in their objectives. Cybersecurity is primarily concerned with protecting entities, including people, society, organizations and nations, from cyber risks (see 4.2), while information security is concerned with maintaining the confidentiality, integrity and availability of information and with the consequences of failing to do so.

Cyberspace can contain information systems that control physical devices and systems. Compromising the information security of these connected information systems via cyberspace can have implications for society or individuals. Cybersecurity reduces the likelihood of such events.

In order to reduce the social, human and economic impacts caused by cybersecurity incidents, entities that connect to cyberspace have a responsibility to collectively manage cyber risks, including sharing information about cyber risks, implementing protective controls, monitoring for and detecting potential incidents, and cooperating in response to and recovery from incidents. Information security activities are performed by the entity that handles the information in order to reduce its own risks. Cybersecurity, however, is performed by an entity to address not only its own risks but also the risks of other entities that are directly or indirectly involved. Those entities can reside anywhere in cyberspace.

5.2 Relationship between ISMS and cybersecurity

5.2.1 Cyberspace as a field of risk sources for an ISMS

An information security management system (ISMS) is applicable within an organization that has interfaces and interactions with external entities. Specifically, the scope of the ISMS and the scope of risk identification are within an organization [see ISO/IEC 27001:2013, 4.3 and 6.1.2 c)]. Information security objectives (see ISO/IEC 27001:2013, 6.2) aim at the protection of information that has value to the organization, or of the information of other entities that is in the custody of the organization.

Cybersecurity transcends the boundaries and control of an organization because of the interconnectedness of cyberspace. Organizations frequently interface and interact with external entities by using cyberspace. As such, the use of cyberspace represents risks to the organization that need to be managed as part of the organization's ISMS. If the organization has an ISMS, cyberspace forms part of the context of the ISMS as referred to in ISO/IEC 27001:2013, 4.1. Threat vectors that originate in cyberspace can expose the organization to information security risks. The organization identifies risks from threats in cyberspace, along with other risks, during the risk identification process required in ISO/IEC 27001:2013, 6.1.2 c).

5.2.2 ISMS in support of cybersecurity

An ISMS provides a mechanism for an organization to manage information security risks in a risk-based, prioritized, flexible and communications-enabling way, based on its business needs. An organization can operate its ISMS as a means of managing cyber risks. This is facilitated by a consistent and iterative approach to identifying, assessing and managing risk and to evaluating the implementation of the ISMS. An ISMS as described in ISO/IEC 27001 is applicable regardless of an organization's size and should reflect a clear understanding of the organization's particular business drivers and security considerations. An ISMS facilitates communication about the implementation of these desired outcomes and the associated information security activities across the organization: from top management, through the management system requirements, down to the implementation and operations levels, through the controls. Applying an ISMS not only yields a clear and understandable set of controls but also gives a clear scope for the cybersecurity activities in the organization and shows where its boundaries and dependencies are.

An example of using an ISMS in support of cybersecurity is the use of ISO/IEC 27001 together with ISO/IEC 27019 to establish, implement, maintain and continually improve an ISMS for an energy utility supplier. The ISMS supports the stability of the energy supply and hence contributes to the cybersecurity of a nation.

5.3 Cybersecurity framework

Cyber threats are continually evolving, making the protection of users and organizations a constant challenge. To address this challenge, business groups, government agencies and other organizations produce documents and tools called cybersecurity frameworks to help organize and communicate the cybersecurity activities of organizations. Other organizations and people then use or reference cybersecurity frameworks in their own cybersecurity activities.

Cybersecurity frameworks based on ISO/IEC TS 27110 provide a way to organize and communicate cybersecurity activities through five concepts: Identify, Protect, Detect, Respond and Recover. Structured within these concepts, a cybersecurity framework can further consist of standards, guidelines and practices to promote cyber risk management. Cybersecurity frameworks provide prioritized, flexible, repeatable and cost-effective approaches to help cybersecurity framework users manage cyber risks.

Cybersecurity frameworks can be used in conjunction with an ISMS to organize cybersecurity activities across multiple layers of an organization, to communicate those activities outside the organization, and to ensure continuous improvement of those activities over time. While not required by an ISMS, cybersecurity frameworks can provide additional value to internal and external stakeholders when used together with an ISMS.
5.4 Cybersecurity and safety

Events initiated in cyberspace can have consequences in the physical world, including impacts on safety, human life and health. This is the case for systems that provide physical infrastructure or health functions, such as building systems, manufacturing systems, medical devices and other similar systems that are collectively known as the internet of things (IoT) and the industrial internet of things (IIoT). These systems connect through cyberspace and are therefore subject to cyber risks. Organizations need to understand and manage cyber risks related to safety as well as safety risks related to cybersecurity.

5.5 Cyber insurance

Organizations can choose to share or transfer their cyber risks. Cyber insurance is one way for an organization to share its risk. Cyber insurance is a risk treatment option that can compensate the insured for potentially significant financial losses associated with a cybersecurity incident. Cyber insurance is provided by an insurer who underwrites the risk by signing and accepting liability, thus guaranteeing payment to the insured if loss or damage occurs.

Cyber insurance is designed to compensate for losses from a variety of cybersecurity incidents, for example data breaches, business interruption, and physical (infrastructure) or logical (misconfiguration/malware) ICT network damage.

Adoption of cyber insurance can assist the insured to:
a) minimize the impact of a cybersecurity incident;
b) provide funding mechanisms for recovery from major losses;
c) assist the return to normal operations; and
d) increase the resilience of the insured business to cybersecurity incidents.

The insured can be required to demonstrate compliance with any conditions imposed by the cyber insurance policy relating to the ongoing management of the cyber risks covered.
6 Risk management approach in the context of cybersecurity

6.1 General

To manage cyber risks, a clear understanding of the organization's business drivers and of the security considerations specific to its use of technology is required. Because each organization's risks, priorities and systems are unique, the tools and methods used to achieve the expected outcomes vary. ISO/IEC 27005 provides information about managing information security risks and can also be referred to for how to manage cyber risks.

The risk management process should enable the organization to do the following.

a) Develop an organizational understanding of how to manage cyber risks to systems, people, assets, data and capabilities in order to safeguard the organization. This organizational understanding can also contribute to the safeguarding of people, society, organizations and nations. These activities are foundational. Understanding the business context, the resources that support critical functions, and the related cyber risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcomes include: asset management; business environment; governance; risk assessment; and risk management strategy.

b) Develop and implement appropriate safeguards to ensure the delivery of critical services. This supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcomes include: identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective controls.

c) Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. This enables timely discovery of cybersecurity events. Examples of outcomes include: anomalies and events; security continuous monitoring; and detection processes.

d) Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. This supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcomes include: response planning; communications; analysis; mitigation; and improvements.

e) Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. This supports timely recovery to normal operations and reduces the impact of a cybersecurity incident. Examples of outcomes include: recovery planning; improvements; and communications.
6.2 Threat identification
In cyberspa
...
