ISO 27009 and ISO 27013

In 2013 ISO announced that a “new” ISO 27009 is under development: ISO/IEC WD 27009, The Use and Application of ISO/IEC 27001 for Sector/Service-Specific Third-Party Accredited Certifications.

According to news from April 2009, ISO 27009 was originally reserved for the standard Information technology — Security techniques — Guidelines on the integrated implementation of ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management system); however, for unknown reasons that number was replaced by ISO 27013.


ISO 27013 provides guidance on implementing an integrated information security (ISO/IEC 27001:2005 or ISMS) and IT service management system (ISO/IEC 20000-1:2011, IT service management specification, derived from ITIL).

Comments on ISO 27013

ISO 27013 merges Information Security and IT Service Management into a single standard. Why should they be merged? Information Security is an organization-wide matter, while IT Service Management is a matter for the IT unit; why combine the two?

It will be interesting to see how ISO combines the two, since IT service management concerns only IT matters while Information Security can span the whole business; what ISO 27013 will look like is an open question.

Optimal security is a trade-off among the three Cs, i.e. Cost, Control and Convenience; here information security represents control and IT service management represents convenience. It will be interesting to see how ISO 27013 avoids a contradiction between the two, since control and convenience are always in tension.

Comments on ISO 27009

ISO 27009 provides guidance on The Use and Application of ISO/IEC 27001 for Sector/Service-Specific Third-Party Accredited Certifications.

According to informal sources (and this is likely to change during development of the standard), this standard will “define how the management system standard ISO/IEC 27001 can be used to provide sector specific and/or service-specific certifications extended to include sector-specific or service-specific requirements that are related to the management of information security, but are not included within the scope of ISO/IEC 27001.”

This standard will be useful to organizations that need to include sector-specific and/or service-specific security requirements within an existing information security management system that meets the requirements of ISO/IEC 27001.

It will also be useful to accreditation bodies, certification bodies and other organizations with an interest in using ISO/IEC 27001 for certification of sector-specific and/or service-specific security requirements, in particular those end-user organizations that need their management system certified.

For a complete information security family of standards, please see ISO 27000 Series.
