Information security, cybersecurity and privacy protection -- Sector-specific application of ISO/IEC 27001 -- Requirements

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.

(French title) Information security, cybersecurity and protection of personal data -- Application of ISO/IEC 27001 to a specific sector -- Requirements

(Slovenian title) Information technology - Security techniques - Application of ISO/IEC 27001 to a specific sector - Requirements

General Information

Status: Published
Publication Date: 20-Apr-2020
Current Stage: 6060 - International Standard published
Start Date: 21-Apr-2020

Standard: ISO/IEC 27009:2020 - Information security, cybersecurity and privacy protection -- Sector-specific application of ISO/IEC 27001 -- Requirements (English language, 18 pages)
Draft: ISO/IEC DIS 27009:2019 (English language, 24 pages)

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 27009
Second edition, 2020-04

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

(French title) Information security, cybersecurity and protection of personal data — Application of ISO/IEC 27001 to a specific sector — Requirements

Reference number: ISO/IEC 27009:2020(E)
© ISO/IEC 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of this document
4.1 General
4.2 Structure of this document
4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls
5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements
5.1 General
5.2 Addition of requirements to ISO/IEC 27001
5.3 Refinement of requirements in ISO/IEC 27001
5.4 Interpretation of requirements in ISO/IEC 27001
6 Additional or modified ISO/IEC 27002 guidance
6.1 General
6.2 Additional guidance
6.3 Modified guidance
Annex A (normative) Template for developing sector-specific standards related to ISO/IEC 27001 and optionally ISO/IEC 27002
Annex B (normative) Template for developing sector-specific standards related to ISO/IEC 27002
Annex C (informative) Explanation of the advantages and disadvantages of numbering approaches used within Annex B
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been technically revised. The main changes compared to the previous edition are as follows:

— the scope has been updated to more clearly reflect the content of this document;
— former Annex A has been divided into Annexes A and B;
— Annex C has been created.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements
1 Scope

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).

This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.

This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.

This document is applicable to those involved in producing sector-specific standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
interpret
interpretation
explanation of an ISO/IEC 27001 requirement in a sector-specific context which does not invalidate any of the ISO/IEC 27001 requirements

Note 1 to entry: The explanation can pertain to either a requirement or guidance.

3.2
refine
refinement
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001 requirements
4 Overview of this document

4.1 General

ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”.

The guidance for the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.

ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there is a need for sector-specific versions of these standards.

EXAMPLES The following documents have been developed to address such sector-specific needs:

— ISO/IEC 27010, Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
— ISO/IEC 27017, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
— ISO/IEC 27018, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
— ISO/IEC 27019, Information technology — Security techniques — Information security controls for the energy utility industry
Other organizations have also produced standards addressing sector-specific needs.

Sector-specific standards should be consistent with the requirements of the information security management system. This document specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).

This document assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.

4.2 Structure of this document

Clause 5 provides requirements and guidance on how to make additions to, refinements of or interpretations of ISO/IEC 27001 requirements.

Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.

Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001.

Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.

For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply.

Annex C provides explanations about the advantages and disadvantages of the two different numbering approaches applied in the two templates in Annex B.

In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector:
— addition (see 5.2);
— refinement (see 5.3);
— interpretation (see 5.4).

In this document, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector:
— addition (see 6.2);
— modification (see 6.3).

4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls

Sector-specific standards related to ISO/IEC 27001 may add requirements or guidance to those of ISO/IEC 27001 or ISO/IEC 27002. Such an addition may expand the requirements or guidance beyond information security into the sector-specific topic.

EXAMPLE ISO/IEC 27018 uses such expansions. ISO/IEC 27018:2019, Annex A contains a set of controls aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/IEC 27018 to cover PII protection in addition to information security.

5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements

5.1 General

Figure 1 illustrates how sector-specific requirements are constructed in relation to ISO/IEC 27001.

Figure 1 — Construction of sector-specific requirements
5.2 Addition of requirements to ISO/IEC 27001

Addition of requirements to ISO/IEC 27001 requirements is permitted.

EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.

No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001.

Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

5.3 Refinement of requirements in ISO/IEC 27001

Refinement of ISO/IEC 27001 requirements is permitted.

NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).

Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.

Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted.

EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.

5.4 Interpretation of requirements in ISO/IEC 27001

Interpretation of ISO/IEC 27001 requirements is permitted.

NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place them into sector-specific context (see 3.1).

Where applicable, sector-specific interpretations of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

6 Additional or modified ISO/IEC 27002 guidance

6.1 General

Figure 2 illustrates how ISO/IEC 27002 guidance can be added to or modified.
Figure 2 — Construction of sector-specific guidance
Each control shall only contain one instance of the word “should”.

NOTE In ISO/IEC 27001, information security risk treatment requires an organization to state the controls that have been determined, a justification for their inclusion, and a justification for excluding controls from ISO/IEC 27001:2013, Annex A. Having only one use of “should” within a control statement eliminates the possibility of ambiguity over the scope of the control.

6.2 Additional guidance

Addition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002 is permitted.

Where applicable, clauses, control objectives, controls, implementation guidance and other information additional to ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.

Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO/IEC 27001 should consider whether a more effective approach would be to modify existing ISO/IEC 27002 content, or to achieve the desired result just through the addition of sector-specific control objectives (instead of adding clauses), controls (instead of control objectives), or implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002 content.

6.3 Modified guidance

Clauses, controls and their control objectives contained in ISO/IEC 27002 shall not be modified.

If there is a sector-specific need to include a control objective that contradicts a control objective contained in ISO/IEC 27002, a new sector-specific control objective shall be introduced. The new control objective shall have at least one sector-specific control. If there is a sector-specific need to include a control that contradicts a control contained in ISO/IEC 27002, a new sector-specific control shall be introduced.

Modification of implementation guidance and other information from ISO/IEC 27002 is permitted.

Where applicable, modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.
Annex A
(normative)
Template for developing sector-specific standards related to ISO/IEC 27001 and optionally ISO/IEC 27002

A.1 Drafting instructions

In A.2, the following formatting conventions are used:

— the text in angle brackets should be replaced by suitable sector-specific text.

EXAMPLE For the telecommunications sector, the title of Clause 4 of the template in A.2, “<Sector>-specific requirements”, is adapted as “Telecommunications-specific requirements”.

— the text in braces and italics indicates how to use this part of the template; this text should be deleted in the final version of the sector-specific standard.

— the text written without special formatting should be copied verbatim.

A.2 Template

Introduction

{Include how the requirements contained within this document relate to the requirements specified within ISO/IEC 27001 and optionally how the guidance contained within the standard relates to the guidance in ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}

{Insert the following text.}

This document is NOT a new management system standard independent of ISO/IEC 27001, but rather specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001.

{If the sector-specific standard is also related to ISO/IEC 27002, insert the following text instead of the above.}

This document is NOT a new management system standard independent of ISO/IEC 27001, but rather:

a) specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001; and

b) specifies <sector>-specific guidance that supports additions to and/or modifications of ISO/IEC 27002 (see Clause 6).

1 Scope

{Include appropriate scope statements including the relationship of the standard to ISO/IEC 27001 and optionally ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}

2 Normative references

{Insert the relevant normative references, including ISO/IEC 27001 and optionally ISO/IEC 27002.}

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions

{Insert the following text to ensure that ISO/IEC 27000 is included.}

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 [and the following] apply.

4 <Sector>-specific requirements related to ISO/IEC 27001:2013

4.1 General

{Insert the following text.}

All requirements from ISO/IEC 27001:2013, Clauses 4 to 10, that do not appear below shall apply unchanged.

{Add all sector-specific requirements. When adding a requirement, check first whether it is related to a requirement already existing in ISO/IEC 27001. If additional requirements relate to existing requirements from ISO/IEC 27001, add a title to them with a prefix of at least three letters for the sector, followed by the subclause number and the original title of the subclause from ISO/IEC 27001.

EXAMPLE 4.2 CLD 4.1 Understanding the organization and its context.

If there is no relation to an existing requirement, place the additional requirement as a new subclause at the end after all other subclauses in Clause 4 of the sector-specific standard.}

{Optionally, a sector-specific standard may have a table which indicates the relationship between the (sub)clauses of the sector-specific standard and those of ISO/IEC 27001. A table is a useful tool which helps readers understand the placement of the clauses of the sector-specific standard compared to those of ISO/IEC 27001.}

Table 1 — Correspondence of <sector>-specific requirements with ISO/IEC 27001
Subclause in ISO/IEC 27001:2013 | Title | Subclause in this document | Remarks

{Indicate sector-specific requirements that are additional to the ISO/IEC 27001 requirements by insertion of the following text.}

In addition to ISO/IEC 27001:2013, <subclause>, the following applies.

{Indicate sector-specific requirements that refine ISO/IEC 27001:2013 requirements by insertion of the following text.}

ISO/IEC 27001:2013, <subclause>, is refined as follows.

{Indicate sector-specific requirements that interpret ISO/IEC 27001:2013 requirements by insertion of the following text.}

ISO/IEC 27001:2013, <subclause>, is interpreted as follows.

{If possible, show the added, refined or interpreted text by use of italics.}

{If the sector-specific standard has sector-specific controls, always insert the following text.}

ISO/IEC 27001:2013, 6.1.3 c), is refined as follows.

Compare the controls determined in 6.1.3 b) above with those in ISO/IEC 27001:2013, Annex A, and with Annex A, to verify that no necessary controls have been omitted.

ISO/IEC 27001:2013, 6.1.3 d), is refined as follows.

Produce a Statement of Applicability that contains:
— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)];
— a justification for their inclusion;
— whether the necessary controls are implemented or not; and
— a justification for excluding any of the controls in Annex A and ISO/IEC 27001:2013, Annex A.

{The controls in ISO/IEC 27001:2013, Annex A, are not requirements. However, it is possible to mandate controls. There are two different types of sources of mandated controls. If the set of mandated controls comes from an external source, then add a requirement mandating the set of controls by referencing the external source. If they are introduced in this document, specify them explicitly. Such mandated controls should be placed in the most relevant clause (i.e. Clauses 4 to 10) in this document, for example Clause 8. Insert the following text to specify the mandated controls as a refinement to ISO/IEC 27001 as an additional clause.}

In addition to ISO/IEC 27001:2013, Clause <clause number>, the following applies.

{If the sector-specific standard is also related to ISO/IEC 27002, use the template generated by combining Clause 4 of this template and Clauses 4 to 6 in B.2 or Clauses 4 to 18 in B.3 appropriately so that the structure of the sector-specific standard fits its purpose.}

{If the sector-specific standard has sector-specific controls, add an Annex A in the same way as ISO/IEC 27001:2013, Annex A, with the following text.}

Annex A lists the <sector>-specific reference control objectives and controls which shall be applied as additions to ISO/IEC 27001:2013, Annex A, as specified in 4.1.

Annex A
(normative)
<Sector>-specific reference control objectives and controls

{Introduce Table A.1 in the same format as ISO/IEC 27001:2013, Annex A, with the following text.}

The additional or modified control objectives and controls listed in Table A.1 are directly derived from and aligned with those defined in this document and are to be used in context with ISO/IEC 27001:2013, 6.1.3, as refined by this document.
Annex B
(normative)
Template for developing sector-specific standards related to ISO/IEC 27002

B.1 Drafting instructions

B.1.1 Common instructions

In B.2 and B.3, the following formatting conventions are used:

— the text in angle brackets should be replaced by suitable sector-specific text;

EXAMPLE For the telecommunications sector, the title of Clause 6 of the template in B.2 or 4.3 of the template in B.3, “<Sector>-specific guidance”, is adapted as “Telecommunications-specific guidance”.

— the text in braces and italics indicates how to use this part of the template; this text should be deleted in the final version of the sector-specific standard;

— the text written without special formatting should be copied verbatim.

B.1.2 Instructions for two numbering approaches

There are two templates, B.2 and B.3, which apply different numbering approaches for sector-specific clauses, control objectives, controls, implementation guidance and other information. In producing sector-specific standards using this annex, one of the templates should be selected that is suitable to the reference standard. The numbering approaches are described in B.1.3 and B.1.4.

Annex C provides an explanation of the advantages and disadvantages of the two numbering approaches given in B.2 and B.3.

B.1.3 Numbering approach to indicate all sector-specific content with a three-letter prefix in Clause 6 of the sector-specific standard (B.2)

Numbers and titles with a three-letter prefix for the sector (along with the subclause number of the sector-specific document) are used as the titles of subclauses in Clause 6 of the sector-specific standard for additional or modified clauses, control objectives, controls, implementation guidance and

...

SLOVENIAN STANDARD
oSIST ISO/IEC DIS 27009:2019
1 September 2019

(Slovenian title) Information technology - Security techniques - Application of ISO/IEC 27001 to a specific sector - Requirements

Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements

(French title) Information technology -- Security techniques -- Application of ISO/IEC 27001 to a specific sector -- Requirements

This Slovenian standard is identical to: ISO/IEC DIS 27009:2019

ICS:
03.100.70 Management systems
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security

oSIST ISO/IEC DIS 27009:2019 (languages: en, fr, de)

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27009
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2019-06-28
Voting terminates on: 2019-09-20

Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements

Technologies de l'information — Techniques de sécurité — Application de l’ISO/IEC 27001 à un secteur spécifique — Exigences

ICS: 03.100.70; 35.030

This document is circulated as received from the committee secretariat.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

Reference number ISO/IEC DIS 27009:2019(E)
© ISO/IEC 2019
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved
Contents Page

Foreword ... iv
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Overview of this document ... 2
4.1 General ... 2
4.2 Structure of this document ... 3
4.3 Expanding ISO/IEC 27001:2013 requirements or ISO/IEC 27002:2013 controls ... 3
5 Addition to, refinement or interpretation of ISO/IEC 27001:2013 requirements ... 4
5.1 General ... 4
5.2 Addition of requirements to ISO/IEC 27001:2013 ... 4
5.3 Refinement of requirements in ISO/IEC 27001:2013 ... 4
5.4 Interpretation of requirements in ISO/IEC 27001:2013 ... 4
6 Additional or modified ISO/IEC 27002:2013 guidance ... 5
6.1 General ... 5
6.2 Additional guidance ... 5
6.3 Modified guidance ... 5
Annex A (normative) Template for developing sector-specific standards related to ISO/IEC 27001:2013 and optionally ISO/IEC 27002:2013 ... 6
Annex B (normative) Template for developing sector-specific standards related to ISO/IEC 27002:2013 ... 9
Annex C (informative) Explanation of the advantages and disadvantages of numbering approaches used within Annex B ... 16
Bibliography ... 18
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been technically revised.

The main changes compared to the previous edition are as follows:
— the scope was updated to more clearly reflect the content of this document;
— the template in the previous Annex A was divided into two annexes – Annex A for a sector-specific standard related to ISO/IEC 27001:2013 and Annex B for a sector-specific standard related to ISO/IEC 27002:2013 (for a standard related to both ISO/IEC 27001:2013 and ISO/IEC 27002:2013, Annex A and Annex B can be jointly used in accordance with instructions provided in Annex A);
— Annex C was newly produced to provide explanation on two numbering approaches presented in B.2 and B.3 to help readers when they decide to apply one of the two approaches to their sector-specific standards.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
[Revision Criteria Notes:

In responding to the CD ballot for ISO/IEC 27009, WG 1 would like to draw National Bodies' attention to the following revision criteria that have been identified and discussed at the previous WG 1 editing meetings (Berlin October 2017, Wuhan April 2018 and Gjøvik September 2018 - see also WG 1 N1326 editors meeting report). WG 1 would therefore request that National Body comments submitted as a result of this ballot take account of the criteria, in order that the issues raised in these criteria are resolved and finalised.

Revision Criteria

a. There should be two or three different templates;

Two types of templates were discussed in response to the comments in N987 and N930 that clarification is necessary on how sector-specific standards can be produced in accordance with ISO/IEC 27009, Annex A. These templates are: one for refinements of ISO/IEC 27001 and the other for additions or modifications to ISO/IEC 27002. Editors will include the two templates in the WD as a starting point. Once this is finalized, the situation will be reviewed and it will be decided whether a combined template for ISO/IEC 27001 & ISO/IEC 27002 will be needed.

--> For a sector-specific standard that relates to both ISO/IEC 27001 and ISO/IEC 27002, it was decided at the Gjøvik meeting to apply both Annex A and Annex B instead of having the combined template.

b. Explanatory text should be added in the template (and maybe also in the main body) to make things clearer for the end user of the new standards;

It was agreed that ambiguity in the application of Annex A of ISO/IEC 27009, which was raised in N930, should be resolved by adding a sentence to explain that ISO/IEC 27009 is in place to enable entities, such as ISO committees, to produce sector-specific standards based on ISO/IEC 27001 and/or ISO/IEC 27002; it is not the intent that new management standards are produced.

--> The text was discussed and modified at the Wuhan meeting - see “0 Introduction” of Annex A and Annex B.

c. No specific title for the sector-specific standards;

It was confirmed that it was already agreed to remove the specific title for the sector-specific standards at the Abu-Dhabi meeting. Editors removed the text related to this point in this document. (--> this was resolved.)

d. Numbering of the sector-specific controls;

This topic was discussed in the ISO/IEC 27009 revision meeting and also in the meeting for SD 8 (27009 Use Cases). The final agreements made in these meetings are:

Both options (the one applied by ISO/IEC 27010, ISO/IEC 27011 and ISO/IEC 27017, and the one applied by ISO/IEC 27019) will be included in the text.

It was agreed that editors will include these two numbering approaches with descriptive text (background) for information so that the two approaches can be compared. An Editor’s note asking for comments will also be included.

The ITTF secretariat kindly attended the meeting and advised us that ITTF can accept letter prefixes to ISO/IEC 27002 numbers; conceptually they then become unnumbered headings, which are permissible.

--> at the Wuhan meeting, it was discussed and agreed to have both approaches in Annex B and add a new Annex C for guidance to the approaches – see Annex B and Annex C.

e. The scope might need to be updated to clarify the purpose of the document

It was pointed out that due care should be taken for a scope change, since it needs a ballot that will affect the schedule of the ISO/IEC 27009 revision, and it was agreed to add the following editors’ note from experts:

Editor’s note: if there are any problems with the current scope and title, please provide an explanation and example if you have any such cases.

--> The scope was modified based on the comments to the editors’ note and agreed at the Wuhan meeting, and JTC 1 endorsed the scope change (see SC 27 WG 1 N1468). It was also decided that 27009 is for those who produce sector-specific standards that extend ISO/IEC 27001:2013 and complement or amend ISO/IEC 27002, which means that sector-specific standards solely based on ISO/IEC 27002 without any link to ISO/IEC 27001 are out of the scope of 27009.

As the general structure and content of ISO/IEC 27009:2016 were agreed to by all National Bodies, it was also agreed that the above points constitute the targets of the revision at the meeting in Berlin, October 2017.]

Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
1 Scope

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001:2013, and complement or amend ISO/IEC 27002:2013 to support a specific sector (domain, application area or market).

This document explains how to:
— include requirements in addition to those in ISO/IEC 27001:2013,
— refine or interpret any of the ISO/IEC 27001:2013 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002:2013,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002:2013,
— add guidance to or modify the guidance of ISO/IEC 27002:2013.

This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001:2013.

This document is applicable to those involved in producing sector-specific standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
interpret
interpretation

explanation of an ISO/IEC 27001:2013 requirement in a sector-specific context which does not invalidate any of the ISO/IEC 27001:2013 requirements

Note 1 to entry: The explanation can pertain to either a requirement or guidance.

3.2
refine
refinement

supplementation or adaptation of an ISO/IEC 27001:2013 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001:2013 requirements
4 Overview of this document
4.1 General

ISO/IEC 27001:2013 is an International Standard that defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001:2013 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

NOTE Management system standards within ISO are built in accordance with ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2018 [1].

ISO/IEC 27001:2013 includes normative Annex A which provides control objectives and controls. ISO/IEC 27001:2013 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen (see 6.1.3 b))”, and “compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted (see 6.1.3 c))”. The guidance for the control objectives and controls of ISO/IEC 27001:2013, Annex A is included in ISO/IEC 27002:2013.

ISO/IEC 27002:2013 is an International Standard that provides guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

While ISO/IEC 27001:2013 and ISO/IEC 27002:2013 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards. Examples of standards which have been developed to address these sector-specific needs are:

— ISO/IEC 27010 [2], Information security management for inter-sector and inter-organizational communications;
— ISO/IEC 27011 [3], Code of practice for information security controls based on ISO/IEC 27002:2013 for telecommunications organizations;
— ISO/IEC 27017 [4], Code of practice for information security controls based on ISO/IEC 27002:2013 for cloud services;
— ISO/IEC 27018 [5], Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; and
— ISO/IEC 27019:2017 [6], Information security controls for the energy utility industry.

Organizations outside of ISO/IEC have also produced standards addressing sector-specific needs.

Sector-specific standards should be consistent with the requirements of the information security management system. This document specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001:2013 and complement or amend ISO/IEC 27002:2013 (see Clause 1).

This document assumes that all requirements from ISO/IEC 27001:2013 that are not refined or interpreted, and all controls in ISO/IEC 27002:2013 that are not modified, apply in the sector-specific context unchanged.

4.2 Structure of this document

Clause 5 provides requirements and guidance on how to make addition to, refinement or interpretation of ISO/IEC 27001:2013 requirements.

Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002:2013 content.

Annex A contains a template which should be used for sector-specific standards related to ISO/IEC 27001:2013.

Annex B contains two templates which should be used for sector-specific standards related to ISO/IEC 27002:2013.

For sector-specific standards related to both ISO/IEC 27001:2013 (see Clause 5) and ISO/IEC 27002:2013 (see Clause 6), both Annex A and Annex B apply.

Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B.

Within this document, the following concepts are used to adapt ISO/IEC 27001:2013 requirements for a sector:
— Addition – see 5.2;
— Refinement – see 5.3;
— Interpretation – see 5.4.

Within this document, the following concepts are used to adapt ISO/IEC 27002:2013 guidance for a sector:
— Addition – see 6.2;
— Modification – see 6.3.

NOTE Any sector-specific guidance that is developed following the requirements and guidance in this document cannot be contained within a Technical Report. The ISO/IEC Directives [1] define a Technical Report as a document that does not contain requirements, and any sector-specific standard developed based on this document contains requirements (see Clause 4 of the template in A.2, Clause 5 of the template in B.2, and 4.2 of the template in B.3).

4.3 Expanding ISO/IEC 27001:2013 requirements or ISO/IEC 27002:2013 controls

Sector-specific standards related to ISO/IEC 27001:2013 may add requirements or guidance to those of ISO/IEC 27001:2013 or ISO/IEC 27002:2013. The addition may expand the requirements or guidance beyond information security into their sector-specific topic.

EXAMPLE ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors uses such expansions. ISO/IEC 27018:2014 [5], Annex A contains a set of controls aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/IEC 27018 [5] to cover PII protection in addition to information security.
5 Addition to, refinement or interpretation of ISO/IEC 27001:2013 requirements
5.1 General

Figure 1 illustrates how sector-specific requirements are constructed in relationship to ISO/IEC 27001:2013.

Figure 1 — Construction of sector-specific requirements

5.2 Addition of requirements to ISO/IEC 27001:2013

Addition of requirements to ISO/IEC 27001:2013 requirements is permitted.

EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.

No requirement that is added to those in ISO/IEC 27001:2013 shall remove or invalidate any of the requirements defined in ISO/IEC 27001:2013. Sector-specific additions to ISO/IEC 27001:2013 requirements shall, where applicable, follow the requirements and guidance set out in Annex A of this document.

5.3 Refinement of requirements in ISO/IEC 27001:2013

Refinement of ISO/IEC 27001:2013 requirements is permitted.

NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001:2013 (see 3.2).

Sector-specific refinements of ISO/IEC 27001:2013 requirements shall, where applicable, follow the requirements and guidance set out in Annex A of this document.

EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.

Specification of a particular approach to meeting requirements in ISO/IEC 27001:2013 is also permitted.

EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.

5.4 Interpretation of requirements in ISO/IEC 27001:2013

Interpretation of ISO/IEC 27001:2013 requirements is permitted.

NOTE Interpretations do not invalidate any of the ISO/IEC 27001:2013 requirements but explain them or place them into sector-specific context (see 3.1).

Sector-specific interpretations of ISO/IEC 27001:2013 requirements shall, where applicable, follow the requirements and guidance set out in Annex A of this document.
6 Additional or modified ISO/IEC 27002:2013 guidance
6.1 General

Figure 2 illustrates how ISO/IEC 27002:2013 guidance can be added to or modified.

Figure 2 — Construction of sector-specific guidance

Each control shall only contain one instance of the word “should”.

NOTE In ISO/IEC 27001:2013, Information security risk treatment requires an organization to state controls that have been determined and justification of inclusions, and justification for exclusions of controls from Annex A. Having only one use of “should” within a control statement eliminates the possibility of ambiguity over the scope of the control.

6.2 Additional guidance

Addition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002:2013 is permitted.

Clauses, control objectives, controls, implementation guidance and other information additional to ISO/IEC 27002:2013 shall, where applicable, follow the requirements and guidance set out in Annex B of this document.

Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO/IEC 27001:2013 should consider whether a more effective approach would be to modify existing ISO/IEC 27002:2013 content, or achieve the desired result just through the addition of sector-specific control objectives (instead of adding clauses), controls (instead of control objectives), implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002:2013 content.

6.3 Modified guidance

Clauses, controls and their control objectives contained in ISO/IEC 27002:2013 shall not be modified.

If there is a sector-specific need to contradict a control objective contained in ISO/IEC 27002:2013, a new sector-specific control objective with at least one sector-specific control shall be introduced. If there is a sector-specific need to contradict a control contained in ISO/IEC 27002:2013, a new sector-specific control shall be introduced.

Modification of implementation guidance and other information from ISO/IEC 27002:2013 is permitted.

Modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002:2013 shall, where applicable, follow the requirements and guidance set out in Annex B of this document.
Annex A
(normative)
Template for developing sector-specific standards related to ISO/IEC 27001:2013 and optionally ISO/IEC 27002:2013

A.1 Drafting instructions

Within A.2 the following formatting convention is used:
— Text in angle brackets should be replaced by suitable sector-specific text.

EXAMPLE For the sector telecommunications, the title of Clause 4 of the template in A.2, “-specific requirements …”, should read “Telecommunications-specific requirements …”.

— Text in braces and italics indicates how to use this part of the template; this text should be deleted in the final version of the sector-specific standard.
— Text written without special formatting should be copied verbatim.

A.2 Template
0 Introduction

{Include how the requirements contained within this standard relate to the requirements specified within ISO/IEC 27001:2013 and optionally how the guidance contained within this
...
