BS ISO IEC 27009:2020. Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements.
1 Scope
BS ISO IEC 27009 specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).
BS ISO IEC 27009 explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
BS ISO IEC 27009 specifies that additional or refined requirements do not invalidate the requirements in
ISO/IEC 27001.
BS ISO IEC 27009 is applicable to those involved in producing sector-specific standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
Other organizations have also produced standards addressing sector-specific needs.
Sector-specific standards should be consistent with the requirements of the information security management system. BS ISO IEC 27009 specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).
BS ISO IEC 27009 assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.
4.2 Structure of this document
Clause 5 provides requirements and guidance on how to make additions to, refinements of or interpretations of ISO/IEC 27001 requirements.
Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.
Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001.
Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.
For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply.
Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B.
In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector:
— addition — see 5.2,
— refinement — see 5.3,
— interpretation — see 5.4.
In BS ISO IEC 27009, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector:
Addition of requirements to ISO/IEC 27001 requirements is permitted.
EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.
No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001.
Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.
5.3 Refinement of requirements in ISO/IEC 27001
Refinement of ISO/IEC 27001 requirements is permitted.
NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).
Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.
EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.
Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted.
EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.
5.4 Interpretation of requirements in ISO/IEC 27001
Interpretation of ISO/IEC 27001 requirements is permitted.
NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place them into sector-specific context (see ii).
Where applicable, sector-specific interpretations of ISO/IEC 27001 requirements shall follow the
Each control shall only contain one instance of the word 'should'.
NOTE In ISO/IEC 27001, information security risk treatment requires an organization to state the controls that have been determined, with justification for their inclusion, and justification for the exclusion of controls from ISO/IEC 27001:2013, Annex A. Having only one use of 'should' within a control statement eliminates the possibility of ambiguity over the scope of the control.
6.2 Additional guidance
Addition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002 is permitted.
Where applicable, clauses, control objectives, controls, implementation guidance and other information additional to ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.
Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO/IEC 27001 should consider whether a more effective approach would be to modify existing ISO/IEC 27002 content, or to achieve the desired result just through the addition of sector-specific control objectives (instead of adding clauses), controls (instead of control objectives), implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002 content.
6.3 Modified guidance
Clauses, controls and their control objectives contained in ISO/IEC 27002 shall not be modified.
If there is a sector-specific need to include a control objective that contradicts a control objective contained in ISO/IEC 27002, a new sector-specific control objective shall be introduced. The new control objective shall have at least one sector-specific control. If there is a sector-specific need to include a control that contradicts a control contained in ISO/IEC 27002, a new sector-specific control shall be introduced.
Modification of implementation guidance and other information from ISO/IEC 27002 is permitted.
Where applicable, modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.