About ISO 27009

ISO/IEC 27009 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements (DRAFT). According to a news item from April 2009, ISO 27009 was originally reserved for a standard titled Information technology — Security techniques — Guidelines on the integrated implementation of ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management system); however, for unknown reasons, it was replaced by ISO 27013.

In 2013 ISO announced that the new title of ISO 27009 is ISO/IEC 27009 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements. The status of the “new” ISO 27009 is under development.

Scope and purpose

According to informal sources (and therefore likely to change during development of the standard), this standard will “define how the management system standard ISO/IEC 27001 can be used to provide sector-specific and/or service-specific certifications, extended to include sector-specific or service-specific requirements that are related to the management of information security but are not included within the scope of ISO/IEC 27001.

This standard will be useful to organizations that need to include sector-specific and/or service-specific security requirements within an existing information security management system that meets the requirements of ISO/IEC 27001.

It will also be useful to accreditation bodies, certification bodies and other organizations with an interest in using ISO/IEC 27001 for certification of sector-specific and/or service-specific security requirements, in particular those end-user organizations that need their management system certified.”

Advice, Opinion and Comment on ISO 27009

The status of ISO 27009 is under development.

For a complete information security family of standards, please see ISO 27000 Series.
