Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
INTERNATIONAL STANDARD ISO/IEC 27009
Reference number ISO/IEC 27009:2016(E)
First edition 2016-06-15
© ISO/IEC 2016
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
Ch. de Blandonnet 8 • CP 401, CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11, Fax +41 22 749 09 47
www.iso.org
Contents

Foreword ... iv
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Overview of this International Standard ... 1
4.1 General ... 1
4.2 Structure of this International Standard ... 2
4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls ... 3
5.1 General ... 3
5.2 Additional requirements ... 3
5.4 Interpreted requirements ... 4
6.1 General ... 4
6.2 Additional guidance ... 4
Annex A (normative) … ISO/IEC 27001:2013 or ISO/IEC 27002:2013 ... 6
Bibliography ... 9
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
members of ISO or IEC participate in the development of International Standards through technical
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1.
In particular the different approval criteria needed for
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
constitute an endorsement.
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL:
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.
1 Scope
control sets in addition to ISO/IEC 27001:2013, Annex A.
requirements in ISO/IEC 27001.
relate to ISO/IEC 27001.
2 Normative references

ISO/IEC 27000:2016, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
3 Terms and definitions

ISO/IEC 27000 and the

3.1
interpretation

3.2
of the ISO/IEC 27001 requirements
4 Overview of this International Standard
4.1 General