ISO/IEC TR 27008 – Guidelines for the assessment of information security controls

The world is ever-changing, and so are the risks to a business's reputation and bottom line. Organisations must be proactive, and a strong defence should be built around auditing the controls that support information security. This is what ISO 27008 was designed to help with.

What is ISO 27008?

ISO 27008 is a Technical Report (TR) that outlines procedures for conducting an audit of an organisation’s information security controls. ISO 27008 plays a major role in the management activities associated with the implementation and operation of an Information Security Management System (ISMS).

Even though it is meant to be used in conjunction with ISO 27001 and ISO 27002, it is not exclusive to those standards and is applicable to any scenario requiring an assessment of information security controls. ISO 27008 is essential to organisations of all forms and sizes, including public and private businesses, federal agencies, and not-for-profit organisations that perform information management reviews and operational compliance tests.

ISO 27008 proposes a comprehensive organisational security assessment and review framework for information security controls in order to give organisations confidence that their controls have been implemented and managed correctly and that their information security is “fit for purpose.”

It helps to instil trust in an organisation’s information security management system’s controls.

What is Information Security?

Information security is a subject that’s more important than ever before. News reports of data breaches and cyberattacks now come thick and fast, but what is the bigger picture?

Information security, sometimes shortened to InfoSec, is the practice of protecting information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security concerns the protection of information in any form when it is held or processed by an organisation.

Information security covers a broad territory and includes the concepts of confidentiality, integrity, and availability.

Techniques may include encryption to prevent unauthorised parties from viewing information; authorisation at the level of individual users or programs; operations security (OPSEC) to protect the confidentiality and integrity of operations within an organisation; authentication frameworks to prevent fraudulent transactions, and intrusion detection to detect intruders into computer systems.

What are Information Security Controls?

Information security controls are measures taken to mitigate information security risks such as device failures, data theft, system breaches and unintended modifications to digital information or processes.

These security controls are usually applied in response to an information security risk evaluation in order to better secure the availability, confidentiality, and privacy of data and networks.

These controls safeguard the confidentiality, integrity, and availability of information in the field of information security.

Types of Information Security Controls

Security protocols, procedures, schedules, devices, and applications all fall into the category of information security controls.

  1. Preventive security controls: security protocols intended to prevent cybersecurity incidents.
  2. Detective security controls: controls aimed at identifying an intrusion attempt or potential security breach and alerting cybersecurity staff.
  3. Corrective security controls: controls used after a cybersecurity event to mitigate data loss and device or network disruption and to recover sensitive business systems and operations quickly.

Additionally, security measures can be categorised according to their purpose, as follows:

Access controls:

These include physical entry monitors such as armed guards at building exits, locks, and perimeter fences.

Procedural controls:

Threat awareness instruction, security framework enforcement training, and incident response processes and procedures.

Technical controls:

These include multi-factor account authentication at the point of entry (login) and logical access controls, antivirus applications, and firewalls.

Compliance controls:

These include privacy rules, frameworks, and requirements, as well as cybersecurity approaches and standards.

What is the Purpose of ISO 27008?

ISO 27008 was created to:

  1. Assist in the preparation and implementation of ISMS audits and in the information risk management process;

  2. Provide guidelines for auditing information security controls in accordance with ISO/IEC 27002’s controls guidance;

  3. Enhance ISMS audits by optimising the relationships between ISMS processes and the necessary controls;

  4. Ensure that audit resources are used effectively and efficiently;

  5. Add value and improve the consistency and benefit of the ISO 27k specifications by bridging the gap between auditing the ISMS in principle and, where necessary, checking evidence of applied ISMS controls (e.g., evaluating security elements of business operations, IT structures, and IT operating environments in ISO 27k user organisations).

What is the Scope of ISO 27008?

ISO 27008 provides guidance to all auditors on information security management systems controls. It guides the information risk management process as well as internal, external, and third-party assessments of an ISMS by demonstrating the association between the ISMS and its accompanying controls.

It includes guidelines on how to test the extent to which necessary “information security management system controls” are applied. Additionally, it assists organisations that are implementing ISO/IEC 27001 or ISO/IEC 27002 in meeting compliance criteria and serving as a technical platform for information technology governance.

How does ISO 27008 Work?

ISO 27008 defines general procedures, not techniques for any particular control or type of control.

It defines systematic reviews and then outlines the various approaches and forms of reviews that are applicable to information security controls. Finally, it discusses the practices required for a successful review process.

Relationship with ISO 27001 and ISO 27002

ISO 27008 is closely related to ISO 27007, the audit specification for information security management systems.

However, unlike ISO 27007, which focuses on reviewing the management system components of an ISMS as defined in ISO 27001, ISO 27008 focuses on auditing specific information security controls, such as those listed in ISO 27002 and detailed in ISO 27001’s Annex A.

ISO 27008 “focuses on evaluations of information security controls, including regulatory compliance, against an organisation-established information security implementation standard.”

It is, however, not intended to provide detailed guidelines on compliance testing with respect to the measurement, risk assessment, or audit of an ISMS, as specified in ISO 27004, ISO 27005, or ISO 27007, respectively.

Who Should Implement ISO 27008?

ISO 27008 is intended for internal and external auditors charged with the responsibility of reviewing information management controls that are part of an ISMS. It would, however, be beneficial to anyone doing an analysis or assessment of an ISMS’s controls, whether as part of a structured audit procedure or otherwise. The document is primarily intended for information security auditors who are responsible for verifying that an organisation’s information security controls are technically compliant with ISO/IEC 27002 and all other control requirements used by the organisation.

ISO 27008 will assist them in the following ways:

  • Recognise and understand the scope of possible issues and weaknesses in information security controls.
  • Identify and understand the possible consequences for the company of inadequately mitigated information technology risks and weaknesses.
  • Prioritise risk control practices related to information management.
  • Confirm that previously found or newly discovered vulnerabilities or defects have been resolved sufficiently.

ISO 27008 is applicable to a broad range of organisations, including public and private businesses, government agencies, and not-for-profit organisations.
