Standard

BS ISO/IEC 27009:2020 - TC

Information security, cybersecurity and privacy protection. Sector-specific application of ISO/IEC 27001. Requirements

Current, Under Review

What is ISO 27009 about?  

ISO 27009 discusses information security, cybersecurity and privacy protection. ISO 27009 specifies the requirements for creating sector-specific standards that extend ISO 27001, and complement or amend ISO 27002 to support a specific sector (domain, application area or market). 

ISO 27009 specifies that additional or refined requirements do not invalidate the requirements in ISO 27001.

ISO 27009 is applicable to those involved in producing sector-specific standards. 

Who is ISO 27009 for? 

ISO 27009 on requirements for creating sector-specific standards is useful for: 

  • Organizations producing standards specific to a sector
  • Private companies that want standards tailored to their own needs

Why should you use ISO 27009?  

While ISO 27001 and ISO 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there is a need for sector-specific versions of these standards.

ISO 27009 explains how to: 

  • Include requirements in addition to those in ISO 27001 
  • Refine or interpret any of the ISO 27001 requirements 
  • Include controls in addition to those of ISO 27001:2013, Annex A and ISO 27002 
  • Modify any of the controls of ISO 27001:2013, Annex A and ISO 27002 
  • Add guidance to or modify the guidance of ISO 27002 

What’s changed since the last update?  

BS ISO/IEC 27009:2020 replaces ISO/IEC 27009:2016, which has been technically revised. 

The main changes in BS ISO/IEC 27009:2020 compared to ISO/IEC 27009:2016 are as follows: 

  • The scope has been updated to more clearly reflect the content of this document 
  • Former Annex A has been divided into Annexes A and B 
  • Annex C has been created

Product Details

Descriptors

  • Documents
  • Management
  • Classification systems
  • Data security
  • Information exchange
  • Anti-burglar measures
  • Information systems
  • Data processing
  • Computer technology
  • Data storage protection
  • Computers
  • Maintenance
  • Computer networks
  • Technical documents
  • Records (documents)

ICS Codes

  • 03.100.70 Management systems
  • 03.120.20 Product and company certification. Conformity assessment
  • 35.030 IT Security

Committee

IST/33/1

International relationships

Identical to: ISO/IEC 27009

ISBN

978 0 539 14948 7

Publisher

BSI