ISO 27009, Industry-Specific Implementation Guidelines

What Is ISO/IEC 27009:2020?

ISO/IEC 27009:2020 is a guide for those who develop sector-specific standards based on, or related to, ISO/IEC 27001.

How Does ISO 27009 Work Alongside ISO 27001?

It sets out how such sector-specific standards may add to, refine or interpret the requirements of ISO/IEC 27001 and the controls and guidance of ISO/IEC 27002, as described in the sections below.

Normative References

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document.

For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

  • ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

Scope and Purpose of ISO 27009

This document specifies the requirements for producing sector-specific standards that complement or amend ISO/IEC 27002 to support a specific sector (application area, market or domain).

ISO/IEC 27009 also specifies requirements for creating sector-specific standards that extend the ISO/IEC 27001 framework.

In short, ISO/IEC 27009 is a document for standards developers: it tells those producing sector- or industry-specific variants or implementation guidelines of the ISO/IEC 27000-series standards how to do so consistently.

ISO 27001 and ISO 27009

ISO/IEC 27009 outlines how to:

  • Add requirements in addition to those in ISO/IEC 27001.
  • Refine or interpret any of the ISO/IEC 27001 requirements.
  • Include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002.
  • Modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002.
  • Add guidance to or modify the guidance of ISO/IEC 27002.


ISO 27009 Second Edition

The current edition is ISO/IEC 27009:2020. It is a technical revision of, and replaces, the withdrawn first edition, ISO/IEC 27009:2016.

No organisation, however large or small and whatever sector it works in, is immune to cyberattacks.

Information is valuable both to your organisation and to interested parties, which include your customers, suppliers, governmental and regulatory authorities.

Remember that the information you hold has value both to you and to those who would misuse it.

Data you hold needs to be kept out of the hands of unauthorised parties, including competitors, other third parties and government bodies without a lawful basis for access.

Implementing information security controls and securing information is a complex task. There’s no end to learning and new ways to do things in InfoSec.

ISMS.online makes setting up and managing your ISMS as easy as it can get.

Peter Risdon
CISO, Viital


Status of the Standard

  • First edition: ISO/IEC 27009:2016.
  • Second edition: ISO/IEC 27009:2020, a technical revision that replaces the first edition (now withdrawn).

Clauses of the Standard

The second edition is a technical revision of the first, which it replaces.

The main changes compared to the previous edition are as follows:

  • Clause 5 provides requirements and guidance on how to define requirements that add to, refine or interpret the requirements of ISO/IEC 27001.
  • Clause 6 provides requirements and guidance on how to provide control objectives, controls, implementation guidance or other information that adds to or modifies the content of ISO/IEC 27002.
  • Annex A contains a template for sector-specific standards that relate to ISO/IEC 27001.
  • Annex B contains a template for sector-specific standards that relate to ISO/IEC 27002.
  • Annex C explains the advantages and disadvantages of the numbering approaches used in Annex B.

Our Pre-configured Information Security Management System Will Help You Achieve ISO 27001 Compliance

Our ISMS will reduce the potential impact of the information security risks your organisation faces.

Because it’s the internationally recognised best-practice standard, achieving ISO 27001 will help win your organisation new customers and retain existing business.

The people you want to work with will feel confident that you’ll look after their valuable assets and information security.

It will also help you show them that you are serious about protecting their information, including its physical and environmental security.

  • Achieve ISO 27001 first time
  • Maintain your ISO 27001 certification
  • Reduce the likelihood of infosec breaches
  • React to them more quickly if and when they do happen
  • Quickly and easily demonstrate the controls you have in place
  • Help with sector-specific standards


We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global

Frequently Asked Questions

 

Why Choose ISMS.online for ISO 27001?

Selecting ISMS.online for your ISO 27001 implementation offers numerous advantages for organisations seeking certification and maintaining a robust Information Security Management System (ISMS). Here are the key reasons why you should choose ISMS.online:

  • All-in-one online ISMS environment – We provide a simple and secure online platform that streamlines the management of your ISMS, making it easier, faster, and more efficient.

  • Preloaded ISO 27001 policies and controls – Our platform features pre-configured information security frameworks, tools, and content, starting you off with 81% of your ISMS documentation already completed. This significantly reduces the time and effort required to achieve compliance.

  • Virtual Coach – Our optional Virtual Coach package offers context-specific ISO 27001 guidance, hints, and tips for success, eliminating the need for costly consultancy fees. This enables you to work at your own pace and achieve your certification goals.

  • Integrated supply chain management – ISMS.online includes tools for managing your supply chain, ensuring end-to-end information security assurance and strengthening supplier relationships.

  • Support for multiple standards – Our platform supports over 50 of the most sought-after standards, such as ISO 27001, ISO 27701, GDPR, NIST, and SOC 2. This makes ISMS.online a comprehensive solution for organisations aiming to achieve and maintain compliance with multiple standards.

What is an Information Security Management System?

An Information Security Management System (ISMS) is a comprehensive set of policies and procedures that ensures, manages, controls, and continuously improves information security within an organisation.

At ISMS.online, we provide a robust ISMS framework for information security professionals like you, aiming to safeguard your company’s sensitive data.

Our systematic approach to managing sensitive company information includes people, processes, and IT systems, applying a risk management process to minimise risk and ensure business continuity by proactively limiting the impact of security breaches.

Why is ISO 27001 Important?

ISO 27001 plays a crucial role in organisations by helping them identify and manage risks effectively, consistently, and measurably. At ISMS.online, we understand the significance of ISO 27001 certification for businesses of all sizes.

Here are a few reasons why ISO 27001 is essential for your organisation:

  • Risk Reduction: ISO 27001 minimises your organisation’s information security and data protection risks, ensuring the safety of sensitive information.

  • Customer Trust: As a certified organisation, you demonstrate a commitment to security, giving you a competitive advantage in the eyes of customers and potential stakeholders. At ISMS.online, we recognise the importance of building customer trust and confidence in your services.

  • Streamlined Processes: Implementing ISO 27001 allows companies to document their main processes, reducing ambiguity and increasing productivity. Our platform at ISMS.online simplifies the management of your ISMS, making it more efficient for your staff.

What is ISO 27001?

ISO 27001 is the premier international standard for information security, published by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC).

It belongs to the ISO/IEC 27000 series and offers a framework for organisations of any size or industry to safeguard their information through an Information Security Management System (ISMS).

The latest version, ISO 27001:2022, includes updates to address the evolving landscape of technology and information security.

What’s the difference between ISO 27001 compliance and certification?

The primary distinction between ISO 27001 compliance and certification lies in the level of external validation and recognition:

ISO 27001 Compliance

  • Refers to an organisation adhering to the requirements of the ISO 27001 standard, which focuses on Information Security Management Systems (ISMS).

  • In simple terms, compliance might mean that your organisation is following the ISO 27001 standard (or parts of it) without undergoing any formal certification process.

ISO 27001 Certification

  • The process where a third-party, independent organisation called a certification body audits your organisation’s ISMS.

  • Determines whether your ISMS, and the processes within its scope, meet the requirements of the standard. Certification attests to the management system, not to the security of any individual product or service.

How long will your ISO 27001 certification last?

Your ISO 27001:2022 certification is valid for three years following successful certification audits.

During this period, as information security professionals, you are expected to:

  • Conduct regular performance evaluations of your ISMS, including internal audits.

  • Ensure that senior management reviews your ISMS at planned intervals.

  • Undergo the certification body's surveillance audits (normally annual), which check that the ISMS continues to conform to the standard.

At the end of the three-year cycle, a recertification audit is conducted, and upon successful completion, the certification is renewed for another three years.

At ISMS.online, we understand the importance of maintaining your ISO 27001 certification. Our platform offers a comprehensive solution to help you and your organisation achieve and maintain compliance with multiple standards, including ISO 27001.

The proven path to ISO 27001 success

Built with everything you need to succeed with ease, and ready to use straight out of the box, with no training required:

  • Perfect Policies & Controls: easily collaborate, create and show you are on top of your documentation at all times.
  • Simple Risk Management: effortlessly address threats and opportunities and dynamically report on performance.
  • Measurement & Automated Reporting: make better decisions and show you are in control with dashboards, KPIs and related reporting.
  • Audits, Actions & Reviews: make light work of corrective actions, improvements, audits and management reviews.
  • Mapping & Linking Work: shine a light on critical relationships and link areas such as assets, risks, controls and suppliers.
  • Easy Asset Management: select assets from the Asset Bank and create your asset inventory with ease.
  • Fast, Seamless Integration: out-of-the-box integrations with your other key business systems to simplify your compliance.
  • Other Standards & Regulations: neatly add other areas of compliance affecting your organisation to achieve even more.
  • Staff Compliance Assurance: engage staff, suppliers and others with dynamic end-to-end compliance at all times.
  • Supply Chain Management: manage due diligence, contracts, contacts and relationships over their lifecycle.
  • Interested Party Management: visually map and manage interested parties to ensure their needs are clearly addressed.
  • Strong Privacy & Security: privacy by design and security controls to match your needs and expectations.
 

Explore other standards within the ISO 27k family

  • The ISO 27000 family
  • ISO 27002
  • ISO 27003
  • ISO 27004
  • ISO 27005
  • ISO 27008
  • ISO 27009
  • ISO 27010
  • ISO 27014
  • ISO 27013
  • ISO 27016
  • ISO 27017
  • ISO 27018
  • ISO 27019
  • ISO 27038
  • ISO 27039
  • ISO 27040
  • ISO 27050
  • ISO 27102
