ISO/IEC 27009

ISO/IEC 27009:2020 – Information technology – Information security – Application of ISO/IEC 27001 to specific sectors – Requirements (2nd edition)


This standard aims to guide those who wish to create sector-specific standards based on or related to ISO/IEC 27001, where ‘sector’ is another word for “field, application area or market sector”, hence the confusion.

Scope and objectives

The following is taken from the scope of the 2nd edition [FDIS]:

The purpose of this document is to define the requirements for developing sector-specific standards that will extend ISO/IEC 27001, and supplement or extend ISO/IEC 27002 to meet the specific needs of a specific sector (a domain, an application area, or a market).

In this document, you will learn how to:

– include requirements beyond those specified in ISO/IEC 27001 must be contained,
– to clarify or explain any of the ISO/IEC 27001 requirements,
– include control measures additional to those specified in ISO/IEC 27001:2013, Annex A and ISO/IEC 27002
– change the controls from ISO/IEC 27001:2013, Annex A, and ISO/IEC 27002
– add or update the guidance in ISO/IEC 27002.

As part of this document, it specifies that revisions to or additions to ISO/IEC 27001 will not invalidate existing requirements in ISO/IEC 27001.

Those involved in developing sector-specific standards can benefit from this document.


There are two main sections:

– This guide is intended to assist organizations in working with the generic management system requirements to adapt them to a specific “sector” (using ISO/IEC 27001);
– Recommendations on the addition of new information security controls or how to apply the recommendations in ISO/IEC 27002 to a specific industry. [Note: the scope of this standard goes beyond its title.]

… as well as the following annexes:

– Two templates for drafting sector-specific versions of 27001 and/or 27002;
– Outlining the advantages and disadvantages of different clause-numbering schemes in the annexe detailing sector-specific varieties of 27002.

The standard’s status

In 2016, the first publication of the standard took place.

In 2020, the book’s second edition was published.


Is it worthwhile that SC 27 published an International Standard about developing standards? The issue is surely one of internal concern, so if anything a ‘Standing Document’ for the committee will suffice. What’s the point of publishing it formally as an IS?

I am shocked that 96% of national standards bodies voted in favour of publishing this standard. Was that what they were thinking? Who is expected to use and purchase it? Possibly those mysterious “entities that produce standards for certain sectors”. The SC 27 committee then, wouldn’t it? Anybody may create its version of an ISO27k standard except for copyright. To be honest, I doubt any of them need any instructions.

It illustrates what happens when committees become bogged down in red tape, in my opinion. This standard is not likely to benefit anyone – even SC 27. Complicating the issue are the costs associated with developing the extended version. In what ways do those not insignificant costs offset those benefits?

Sector-specific derivatives of 27001/27002 are problematic due to their very nature. The ISO27k standards have always been deliberately generic and applicable to organizations of all sizes and types, just as their predecessors were. To identify, assess, and manage its particular information risks, each organization must use a standardized, structured, and consistent management system. Both the accreditation process for implementation guidance and accreditation for certification are well established and work well. That must be good enough, right?

Approximately how many pages does it take to state, “Skim over everything relevant that is adequately covered by other standards, focusing only on anything specific to that industry”?

Answer: More than double in length as the first edition, with 55 pages.

I believe that the entire standard could be replaced by a simple diagram or sentence reading, “A sector-specific standard is created through the addition, refinement, interpretation of the requirements in ISO/IEC 27001 and/or ISO/IEC 27002 for the involved sector”.



About Author /

Start typing and press Enter to search