ISO/IEC 27009:2020. Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 —
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001 requirements.

ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”.
The guidance on the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.
ISO/IEC 27002 provides guidelines for information security management practices, including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.
Other organizations have also produced standards addressing sector-specific needs.
Sector-specific standards should be consistent with the requirements of the information security management system. This document specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).
This document assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.
Clause 5 provides requirements and guidance on how to make additions to, refinements of, or interpretations of ISO/IEC 27001 requirements.
Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to, or modify, ISO/IEC 27002 content.
Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001. Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.

