Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments


Global Cybersecurity Alliance

Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments

The Time Is Now

July 2021

www.isa.org/ISAGCA

Table of Contents

Introduction
Background
Scope of ISO/IEC 27001/2
IT and OT
Scope of the ISA/IEC 62443 series
ISO/IEC 27001/2 and the ISA/IEC 62443 series address two complementary parts of an overall OT cybersecurity approach
The ISA/IEC 62443 series addresses specific needs required for the cybersecurity in OT environments
ISO/IEC 27001/2 and ISA/IEC 62443 should be combined to protect the OT infrastructure of operating facilities
Extend and adapt ISMS for the OT infrastructure
Consider all security controls of ISO/IEC 27001/2 when applying 62443-2-1 requirements for OT infrastructure
The ISA/IEC 62443 series brings added value by supporting a holistic approach
Next Steps
References

Introduction

Many organizations (especially very large ones) have established policies and procedures governing the IT security in their office environment; many of these are based on ISO/IEC 27001/2 [27001] [27002]. Some have attempted to address their operational technology (OT) infrastructure under the same management system, and have leveraged many IT/OT commonalities. Although it would be ideal to always select common controls and implementations for both IT and OT, organizations have been confronted with challenges in doing so, such as OT operator screen locking creating unsafe conditions, antivirus products incompatible with OT equipment, patching practices disrupting production schedules, or network traffic from routine backups blocking safety control messages. The ISA/IEC 62443 series explicitly addresses issues such as these; this helps an organization to maintain conformance with ISO/IEC 27001 through common approaches wherever feasible, while highlighting differences in IT vs. OT approach where needed.

This document offers guidance for organizations familiar with ISO/IEC 27001 and interested in protecting the OT infrastructure of their operating facilities based on the ISA/IEC 62443 series. It describes the relationship between the ISA/IEC 62443 series and ISO/IEC 27001/2 and how both standards may be effectively used within one organization to protect both IT and OT.

62443 does not require the use of an underlying Information Security Management System (ISMS). However, it requires that, if the organization has an established ISMS, the security program in the OT environment should be coordinated with it. In this document we are considering the use case of an existing ISMS based on ISO/IEC 27001/2.

Other information security standards similar in scope to 27001 might be used effectively together with 62443 under an approach similar to that described here.
Evaluation of such approaches is outside the scope of this paper. However, users of such standards are encouraged to explore that possibility.

Background

Scope of ISO/IEC 27001/2

The standard ISO/IEC 27001 provides requirements for establishing, implementing, maintaining, and continually improving an ISMS as well as a list of commonly accepted controls to be used as a reference for establishing security requirements (ISO/IEC 27000, the glossary and introduction to the 27000 series, defines the term control as “measure that is modifying risk”). In addition, ISO/IEC 27002 provides further detailed guidance for organizations implementing these information security controls. It is designed for organizations to use as a reference for selecting controls within the process of implementing an ISO/IEC 27001 conformant ISMS.

IT and OT

“IT” is the common term for the entire spectrum of technologies for information processing, including software, hardware, communications technologies, and related services [Gartner-ITG]. “Operational technology” or “OT” is hardware and software that detects or causes a physical change, through the direct monitoring and/or control of industrial equipment, assets, processes and events [Gartner-ITG]. Increasingly, IT products and systems are used in OT infrastructures, and recently, the advent of IoT (Internet of Things) and Industrial Internet of Things has further blurred the IT/OT distinction. However, the main difference is that OT environments in general must comply with strict integrity, availability, and performance constraints due to the fact that operation outside of the constraints may impact health, safety, or the environment.

Scope of the ISA/IEC 62443 series

The scope of the ISA/IEC 62443 series of standards is the security of “Industrial Automation and Control Systems (IACS)” used in OT infrastructures. This includes control systems used in manufacturing and processing plants and facilities, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities. The ISA/IEC 62443 series has also gained acceptance outside of its original scope, for example in building automation, medical systems, and in other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.

Figure 1 gives an overview of the scope of some core documents of the ISA/IEC 62443 series.
Part 62443-2-1 [62443-2-1] is targeted at organizations that are responsible for IACS facilities, which includes owners and operators (termed “asset owners” in the series) and provides requirements for asset owner IACS security programs.

Figure 1. ISA/IEC 62443 addresses all entities involved in the protection of operating facilities (diagram showing which parts of the series, 62443-2-1 on one side and 62443-3-3 / 62443-4-2 on the other, address asset owners and product suppliers, and what each entity is responsible for: establishment of security programs; development and maintenance of technical solutions with integrated security measures; development of security capabilities in products and support with security guidelines and security updates; all ensuring the implementation of technical and procedural security measures)

Note: The present document refers to the most recent version of part 62443-2-1, which is not finally approved as an International Standard and may be subject to changes. It is not expected that these changes will impact the recommendations of this paper.

In addition, the ISA/IEC 62443 series provides conformance requirements for all entities supporting asset owners in the implementation of technical and procedural security measures for the protection of operating facilities from cyber threats. Part 62443-2-4 [62443-2-4] provides security requirements for integration and maintenance service providers supporting asset owners in the development and operation of OT specific technical solutions. Parts 62443-3-3 [62443-3-3] and 62443-4-2 [62443-4-2] define requirements for security capabilities of systems and components, respectively.
Part 62443-4-1 [62443-4-1] includes lifecycle requirements for product suppliers for the development and support of products with adequate security capabilities. In addition, the ISA/IEC 62443 series includes guidance documents for specific issues like patch management and risk-based system partitioning in zones and conduits.

ISO/IEC 27001/2 and the ISA/IEC 62443 series address two complementary parts of an overall OT cybersecurity approach

ISO/IEC 27001/2 standards have been broadly used for many years as a base for organizing the information security of organizations. The processes and overall management structure of organizations responsible for OT environments may be integrated with an ISMS based on these standards as will be described here. The ISA/IEC 62443 series addresses specific needs of OT infrastructures and complements the ISMS.

Figure 2. Scope of ISO/IEC 27001/2 and ISA/IEC 62443 (diagram: the information security of an organization covers the IT infrastructure (office environment), addressed by ISO/IEC 27001/2, and the OT infrastructure of operating facilities (OT environment), addressed by the ISA/IEC 62443 series)

The OT infrastructure of operating facilities may be embedded in the IT infrastructure of the responsible organization or autonomously organized. In both situations ISO/IEC 27001/2 and the ISA/IEC 62443 series can be used for addressing complementary parts of an overall cybersecurity approach for OT environments.

ISO/IEC 27001/2 addresses the establishment of an information security management system for the IT infrastructure of an organization

ISO/IEC 27001/2 specifies generic requirements which are intended to be applicable to all organizations, regardless of type, size, or nature. The requirements for establishing, implementing, maintaining, and continually improving an ISMS are described in clauses 4 to 10 of ISO/IEC 27001. Excluding any of the requirements specified in these clauses is not acceptable when an organization claims conformity to this standard. In addition, ISO/IEC 27001/2 includes a set of controls addressing security topics which it requires to be given consideration in a comprehensive security strategy.

Figure 3. Examples of ISMS requirements and security controls
Security management (ISO/IEC 27001 clauses 4 to 10):
- 5.1 Leadership and commitment
- 5.3 Organizational roles, responsibilities and authorities
- 6.2 Information security objectives and planning to achieve them
- 7.5 Documented information
Security controls (ISO/IEC 27001 Annex A and ISO/IEC 27002):
- 6.2.2 Teleworking
- 8.1.1 Inventory of assets
- 9.1.1 Access control policy
- 10.1.1 Policy on the use of cryptographic controls
- 11.2.9 Clear desk and clear screen policy
- 12.3.1 Information backup
In a risk-based approach, an organization can ultimately select controls from the list provided by ISO/IEC 27001/2 or from other control sets, or new controls can be designed to meet specific needs as appropriate. The distinction between ISMS requirements and information security controls found in ISO/IEC 27001/2 is illustrated by a few examples shown in Figure 3.

The ISA/IEC 62443 series addresses specific needs required for the cybersecurity in OT environments

The OT infrastructures of operating facilities must fulfill specific requirements of integrity, performance, and availability to ensure operational continuity. Loss of operational continuity may for example manifest as an explosion, a blackout, or the use of an incorrect formula or dose of a life-saving medicine. Many operating facilities implement dedicated safety systems to prevent operational conditions that would have health, safety, and environmental consequences. Security requirements in ISA/IEC 62443 are designed not to prevent or disrupt safe operation. Further, dedicated safety functions require unique protections and therefore are subject to unique security requirements in the standard.

As examples, the challenges mentioned above, often faced when extending existing IT security control implementations to OT, are addressed by 62443 as shown in Figure 4.

Figure 4. OT considerations regarding some IT security control implementations (columns: ISO/IEC 27001/2 security control; OT consideration; ISA/IEC 62443 reference)
- 11.2.9 Clear desk and clear screen; OT operator screen locking can create unsafe conditions; ISA/IEC 62443-2-1 USER 1.18 may require excluding OT operator screen lock
- 12.2.1 Controls against malware; antivirus products are often incompatible with OT assets; ISA/IEC 62443-2-1 COMP 2.3 requires testing malware protection software for compatibility with IACS
- 12.3.1 Information backup; network traffic from routine backups blocking safety control messages; ISA/IEC 62443-3-3 SR 5.1 RE (1) requires physically segmenting critical control system networks from non-critical control system networks
- 12.6.1 Management of technical vulnerabilities; patching practices can disrupt the production schedule; ISA/IEC 62443-2-3 section 5 part f requires testing and planning patch application to ensure operational continuity

The ISA/IEC 62443 series includes requirements addressing various security topics to be handled in a comprehensive security program, in the same way that ISO/IEC 27001/2 includes a list of controls addressing these security aspects. The ISA/IEC 62443 requirements address specific needs in the OT environment and complement the list of controls of ISO/IEC 27001/2 by adding critical details relevant to that environment.

ISO/IEC 27001/2 and ISA/IEC 62443 should be combined to protect the OT infrastructure of operating facilities

The above discussion shows how ISA/IEC 62443 augments ISO/IEC 27001/2 by incorporating specifics unique to the OT environment. However, ISA/IEC 62443 does not include all elements needed to secure OT.
In particular, ISO/IEC 27001/2 provides ISMS requirements and controls/guidance that are fully common to IT and OT and are not found in ISA/IEC 62443. Therefore, a method for applying both standards to OT infrastructure is recommended, and one such method is described here.

The concept recognizes that 62443-2-1 is addressing the security program of asset owners for their OT infrastructures; consequently, this part of ISA/IEC 62443 should be linked to ISO/IEC 27001/2. The other documents of the ISA/IEC 62443 series have the purpose to provide support to asset owners and have their roots in the requirements of 62443-2-1.

Extend and adapt ISMS for the OT infrastructure

Although the ISA/IEC 62443 series doesn’t define requirements for establishing, implementing, maintaining, and continually improving an ISMS, the first requirement of 62443-2-1 requires that IACS security programs must be coordinated with any established ISMS. It is recommended that organizations establish an ISMS based on ISO/IEC 27001/2, or use an already defined security management system that complies with clauses 4 to 10 of ISO/IEC 27001 for the OT infrastructure. It should be ensured that the structure and implementation is conducive and flexible to inclusion of the OT environment in its scope without causing negative impacts on the ISMS. For example, this will require clarity about allocation of IT/OT management responsibilities, responsibilities for IT/OT system interfaces, adequate resource planning for overlapping and unique technical skills across IT/OT, and effective use of concepts and terminology from both standards.

Consider all security controls of ISO/IEC 27001/2 when applying 62443-2-1 requirements for OT infrastructure

One practical way to organize the combined set of ISO/IEC 27001/2 security controls and 62443-2-1 requirements for managing coordination of control selection and compliance is to leverage the structure already present in 62443-2-1. The requirements are structured in Security Program Elements (SPE), which are logical groupings of requirements covering a specific topic. All security topics should be addressed in a comprehensive security program. Examples of SPEs are configuration management, network and communication security, component security, user access control and protection of data. In addition, some SPEs are subdivided where different security aspects included in the same SPE must be addressed by specific measures. The proposed approach recommends adding to each SPE / sub-SPE the related security controls of ISO/IEC 27001/2, as shown in Figure 5.

Although most of the ISO/IEC 27001/2 controls are related to one or several topics addressed by the SPEs, some are of general nature such as contact with authorities, terms and conditions of employment, and reporting security weaknesses. These are the “General security controls” in Figure 5. They must be considered in the risk-based approach of the asset owner and adapted to the OT environment in the same way as the ISMS is adapted.

It should be noted that considering the combination of the ISO/IEC 27001/2 controls and 62443-2-1 requirements does not mean that all of them must be applied. The relevant requirements should be selected as the result of a risk analysis by the asset owner according to its specific needs and application conditions.

The benefits of adding in each SPE and sub-SPE the related security controls of ISO/IEC 27001/2 can be illustrated with the example of the sub-SPE NET 3 - Secure remote access, which is part of SPE 3 – Network and communication security (Figure 6).
When specifying the security program, the asset owner may then consider, in a risk-based approach, all relevant aspects, based on the combination of requirements on this topic from both standards.

OT assets in operating facilities are often maintained by external service providers from locations outside of the operating facilities. Allowing remote access to the OT infrastructure must be strictly controlled. Consequently, 62443-2-1 NET 3 requires that asset owners:
- ensure that only authorized remote applications are allowed,
- ensure that authorized interactive remote connections are documented including the purpose, circumstances, encryption and authentication technologies, length of time, and location and identity of remote client device, and
- ensure that the remote access is terminated after a period of inactivity.

Figure 5. Combining ISO/IEC 27001/2 controls and 62443-2-1 requirements for OT Security Programs (diagram: the ISMS of the organization, built on ISO/IEC 27001 clauses 4 to 10 and the security controls of ISO/IEC 27001 Annex A and ISO/IEC 27002, addresses the IT infrastructure (office environment); the security program of the OT infrastructure of operating facilities (OT environment) is organized in Security Program Elements SPE 1 to SPE 8 and sub-SPEs, each combining the security requirements of ISA/IEC 62443-2-1 with the related security controls of ISO/IEC 27001/2; the general security controls that match no SPE are adapted to OT)

Figure 6. NET 3 – Secure remote access: Combining ISO/IEC 27001/2 controls and 62443-2-1 requirements
ISO/IEC 27001/2: requirements to the ISMS of the asset owner
- 6.1.1 Teleworking, 14.1.2 Securing application services on public networks, 14.1.3 Protecting application services transactions: generic controls on the protection of information and applications involved in teleworking from external locations; detailed in ISA/IEC 62443-2-1 with OT considerations
- 13.2.1 Information transfer policies and procedures, 13.2.2 Agreements on information transfer, 13.2.4 Confidentiality or non-disclosure agreements: additional controls not addressed in ISA/IEC 62443-2-1; to be considered by asset owners when specifying security programs
ISA/IEC 62443-2-1: NET 3 requirements to the security program of the asset owner
- NET 3.1 Remote access applications: allow only authorized remote applications
- NET 3.2 Remote access connections: document authorized interactive remote access connections (purpose / circumstances / encryption / authentication, length of time / location and identity of remote device)
- NET 3.3 Remote access termination: terminate after period of inactivity

The above requirements are OT specific, detailing the recommended administrative controls of ISO/IEC 27001/2 addressing teleworking from external locations. As an example, Figure 6 shows a non-exhaustive list of controls relevant for this topic. ISO/IEC 27001/2 requires protection of information accessed, processed, or stored at teleworking sites, securing application services on public networks and protection of application services transactions. 62443-2-1 NET 3.1, NET 3.2, and NET 3.3 add specific requirements that apply to these controls to incorporate OT considerations.
On the other hand, ISO/IEC 27001/2 addresses aspects which are not addressed by 62443-2-1 but are possibly relevant to be considered for security programs in OT environments, as shown in Figure 6: information transfer policies and procedures, agreements on information transfer, and confidentiality or non-disclosure agreements. A comprehensive protection scheme for securing the remote access to the OT infrastructure of operating facilities will consider all aspects addressed by both standards.

The ISA/IEC 62443 series brings added value by supporting a holistic approach

Asset owners rely on the design of adequate technical solutions with integrated security measures and on security capabilities of products used in these solutions. As shown in Figure 1, the ISA/IEC 62443 series provides a significant added value by addressing all other entities that support asset owners in applying a defense-in-depth approach for the protection of operating facilities against cyber threats. Figure 7 illustrates the relationships between ISO/IEC 27001/2 and the ISA/IEC 62443 series, as well as associated organizational entities, to produce a comprehensive cybersecurity program for the protection of operating facilities against cyberthreats.

Figure 7. Together with ISO/IEC 27001/2, the ISA/IEC 62443 series provides the basis for a comprehensive protection of operating facilities (diagram: ISO/IEC 27001/2 together with ISA/IEC 62443-2-1, 62443-2-4, 62443-4-1, 62443-3-3 and 62443-4-2 are the basis for asset owners and the other entities to ensure the implementation of technical and procedural security measures for the protection of the OT infrastructure of operating facilities (OT environment), alongside the IT infrastructure (office environment) covered by the information security of the organization)

ISO/IEC 27001/2 includes five controls (class A.15) specifically about suppliers, and a number of mentions of suppliers in guidance for other controls. The ISA/IEC 62443 series supports implementation of these controls by providing specific parts of the standard with which OT suppliers in specific roles should comply. This gives the asset owner a basis for placing cybersecurity requirements on OT suppliers and potentially requiring third party certification to relevant parts of the 62443 standard for their OT suppliers or for product purchases.
For example, 62443-4-1 includes requirements on product suppliers for reducing and managing vulnerabilities such as threat modelling, applying secure design principles, eliminating coding vulnerabilities by following coding guidelines, finding and eliminating vulnerabilities via testing such as fuzz testing, penetration testing and binary analysis, providing security guidelines for users, and addressing vulnerabilities discovered in the field with a process for security updates.

In addition, the ISA/IEC 62443 series includes requirements for the technical security capabilities of products used in OT infrastructures and defines Security levels (SLs) to differentiate the level of protection which can be potentially reached commensurate to the tolerable cybersecurity risks of asset owners.

ISO/IEC 27001/2 and the ISA/IEC 62443 series complement one another for implementing a comprehensive, risk-based, defense-in-depth strategy for the protection of operating facilities including the contribution of all entities:
- The combined requirements and controls of ISO/IEC 27001/2 and 62443-2-1 are the basis for asset owners to establish security programs and ensure the design and implementation of technical and procedural security measures.
- The requirements of IEC/ISA 62443-2-4 are the basis for service providers to support asset owners by designing and maintaining technical solutions providing the required security capabilities.
- The requirements of IEC/ISA 62443-4-1 are the basis for product suppliers to support asset owners and service providers by employing secure development processes and providing guidelines and support for integrating and maintaining the security of products used in OT infrastructures.
- The requirements of IEC/ISA 62443-3-3 and 62443-4-2 are the basis for providing product security capabilities necessary for the implementation of protection schemes by asset owners and service providers.

Next Steps

To implement the described approach, a mapping of the set of related ISO/IEC 27001/2 controls under each SPE or sub-SPE of 62443-2-1 is required. An organization may use this approach that relies on 62443-2-1 SPEs, or any other approach they find convenient for merging ISO/IEC 27001/2 controls with 62443-2-1 requirements. A reference mapping could be developed for this purpose as a commonly used resource; ISA’s Global Cybersecurity Alliance (ISAGCA) is considering developing such a reference. Organizations could use such a reference mapping as a starting point for the development of their OT security programs and adjust it to their specific needs as necessary.
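To show what such a mapping looks like once it is written down, here is an added example (not code from the paper, ISA or ISAGCA): a small Python check that places a constructed subset of ISO/IEC 27001 Annex A controls under constructed sub-SPE keys, builds the combined NET 3 checklist of Figure 6, and reports Annex A controls that are neither mapped to a sub-SPE nor listed as general controls. Control titles and the NET 3, USER 1.18 and COMP 2.3 texts are taken from Figures 4 and 6; the mapping itself and the sub-SPE keys are assumptions.

```python
"""Coverage check for a mapping of ISO/IEC 27001/2 controls onto 62443-2-1
Security Program Elements (SPEs).  Added example, not code from the ISAGCA
paper.  Control numbers follow ISO/IEC 27002:2013; the sub-SPE keys, the
mapping and the control subset are constructed for illustration."""
from collections import defaultdict

# Constructed subset of ISO/IEC 27001 Annex A / ISO/IEC 27002 controls.
ANNEX_A = {
    "6.1.3": "Contact with authorities",
    "6.2.2": "Teleworking",
    "7.1.2": "Terms and conditions of employment",
    "11.2.9": "Clear desk and clear screen policy",
    "12.2.1": "Controls against malware",
    "12.3.1": "Information backup",
    "12.6.1": "Management of technical vulnerabilities",
    "13.2.1": "Information transfer policies and procedures",
    "13.2.2": "Agreements on information transfer",
    "13.2.4": "Confidentiality or non-disclosure agreements",
    "14.1.2": "Securing application services on public networks",
    "14.1.3": "Protecting application services transactions",
    "16.1.3": "Reporting information security weaknesses",
}

# 62443-2-1 requirements grouped by sub-SPE (keys assumed; texts from the
# paper's Figures 4 and 6).
SPE_REQUIREMENTS = {
    "NET 3": {  # SPE 3 Network and communication security / Secure remote access
        "NET 3.1": "Allow only authorized remote applications",
        "NET 3.2": "Document authorized interactive remote access connections "
                   "(purpose, circumstances, encryption, authentication, "
                   "length of time, location and identity of remote device)",
        "NET 3.3": "Terminate remote access after a period of inactivity",
    },
    "USER 1": {"USER 1.18": "May require excluding OT operator screen lock"},
    "COMP 2": {"COMP 2.3": "Test malware protection software for "
                           "compatibility with IACS"},
}

# Constructed mapping: ISO controls related to each sub-SPE (Figure 6 for NET 3).
MAPPING = {
    "NET 3": ["6.2.2", "14.1.2", "14.1.3", "13.2.1", "13.2.2", "13.2.4"],
    "USER 1": ["11.2.9"],
    "COMP 2": ["12.2.1"],
}

# Controls of a general nature that match no SPE (the paper's three examples).
GENERAL_CONTROLS = ["6.1.3", "7.1.2", "16.1.3"]


def check_mapping(annex_a, mapping, general):
    """Report gaps and inconsistencies in the mapping.

    Every Annex A control must end up under at least one sub-SPE or in the
    general list, because all controls have to enter the asset owner's
    risk-based selection.  A control may relate to several sub-SPEs, so
    multiple placement is reported but is not an error."""
    placement = defaultdict(set)
    for sub_spe, control_ids in mapping.items():
        for cid in control_ids:
            placement[cid].add(sub_spe)
    unknown = {c for c in list(placement) + list(general) if c not in annex_a}
    uncovered = {c for c in annex_a if c not in placement and c not in general}
    conflicts = {c for c in general if c in placement}  # general AND mapped
    multi = {c: sorted(s) for c, s in placement.items() if len(s) > 1}
    return {"unknown": unknown, "uncovered": uncovered,
            "conflicts": conflicts, "multi": multi}


def program_element(sub_spe, annex_a=ANNEX_A, mapping=MAPPING,
                    requirements=SPE_REQUIREMENTS):
    """Combined checklist for one sub-SPE: the 62443-2-1 requirements followed
    by the related ISO/IEC 27001/2 controls (the layout of Figure 6)."""
    rows = [("62443-2-1", rid, text)
            for rid, text in requirements.get(sub_spe, {}).items()]
    rows += [("27001/2", cid, annex_a[cid]) for cid in mapping.get(sub_spe, [])]
    return rows


def print_program(mapping=MAPPING):
    for sub_spe in mapping:
        print(f"== {sub_spe} ==")
        for source, ident, text in program_element(sub_spe):
            print(f"  [{source}] {ident}: {text}")
    report = check_mapping(ANNEX_A, mapping, GENERAL_CONTROLS)
    print("Controls not yet placed under any SPE:", sorted(report["uncovered"]))


if __name__ == "__main__":
    print_program()
```

In the constructed data 12.3.1 and 12.6.1 are reported as unplaced because the sample mapping stops at three sub-SPEs; a complete reference mapping would place them under the SPEs for backup and patch management.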

References

[27001] ISO/IEC 27001 Second Edition 2013-10-01 - Information technology - Security techniques - Information security management systems - Requirements
[27002] ISO/IEC 27002 Second Edition 2013-10-01 - Information technology - Security techniques - Code of practice for information security controls
[Gartner-ITG] Gartner: IT Glossary
[62443-2-1] IEC CDV 62443-2-1 ED2: 2019-08-23 - Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS
[62443-2-4] ISA/IEC 62443-2-4: 2017 - Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
[62443-3-3] ISA/IEC 62443-3-3: 2013 - Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels
[62443-4-1] ISA/IEC 62443-4-1: 2018 - Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements
[62443-4-2] ISA/IEC 62443-4-2: 2019 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

