ISO 27009, Industry-Specific Implementation Guidelines for ISO 27k Standards

What Is ISO/IEC 27009?

Sector-Specific Application of ISO/IEC 27001 — Requirements

The purpose of this standard is to guide those who would develop standards based on or related to ISO/IEC 27001, where the sector is shorthand for the field, application area or market sector.

Normative References

Some or all of the text of the following documents are referred to in the text in a way that makes them a requirement of this document.

The edition cited is the only one that applies for dated references. The most recent edition referenced in this document applies to this year’s references.

  • ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

Want a 77% head start on ISO 27001 certification?

Scope and Purpose of ISO 27009

This document specifies the requirements for producing sector-specific standards that complement or amend ISO/IEC 27002 to support a specific sector (application area, market or domain).

ISO/IEC 27009 also specifies requirements for creating sector-specific standards that extend the ISO/IEC 27001 framework.

In short, ISO/IEC 27009 is an internal document for the committee developing sector/industry-specific variant or implementation guidelines for the International Organization for Standardization 27K standards.


ISO 27001 and ISO 27009

ISO/IEC 27009 outlines how to:

  • Add requirements in addition to those in ISO/IEC 27001.
  • Refine or interpret any of the ISO/IEC 27001 requirements.
  • Include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002.
  • Modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002.
  • Add guidance to or modify the guidance of ISO/IEC 27002.

You can find out what the ISO/IEC 27001 framework entails here and precisely what ISO/IEC 27002 is.

ISO 27009 Second Edition

The current iteration is ISO/IEC 27009:2020, replacing the withdrawn ISO/IEC 27009:2016 that the ISO revised.

The current edition replaces the first edition as it was technically revised.

There is no organisation, no matter how big or small, or whatever specific sector it works in that is not vulnerable to cyberattacks.

Information is valuable both to your organisation and to interested parties, which include your customers, suppliers, governmental and regulatory authorities.

Remember that you own and/or have great value to the information you hold.

Data you hold needs to be kept out of the hands of government organisations, competitors and third parties.

Implementing information security controls and securing information is a complex task. There’s no end to learning and new ways to do things in InfoSec.

Status of the Standard

  • This standard first appeared in 2016 and was the first iteration.
  • The ISO/IEC 27009 standard was then expanded and published in 2020, the second iteration.

Clauses of the Standard

The second edition updates and replaces the first edition (which has been technically revised).

The main differences between the previous edition and this one are as follows:

  • Clause 5 provides requirements and guidance on how to define additional or refined requirements, refine or interpretation of the requirements of the ISO/IEC 27001 standard.
  • Clause 6 provides requirements and guidance on how to provide control objectives, controls, implementation guidance, or other information that is additional to or modifies the content of the ISO/IEC 27002 standard.
  • Annex A contains a template to be used for specific industry standards related to the above ISO standards.
  • Annex B is a template used for developing sector-specific standards in relation to ISO/IEC 27002.
  • Annex C is the explanation of the advantages and disadvantages of numbering approaches used in Annex B.

Our Pre-configured Information Security Management System Will Help You Achieve ISO 27001 Compliance

Our ISMS will reduce the potential impacts of these information security risks.

Because it’s the internationally recognised best-practice standard, achieving ISO 27001 will help win your organisation new customers and retain existing business.

The people you want to work with will feel confident that you’ll look after their valuable assets and information security.

It will also help you show them that you’re serious about their physical and environmental security.

  • Achieve ISO 27001 first time
  • Maintain Your ISO 27001 certification
  • Reduce the likelihood of infosec breaches
  • React to them more quickly if and when they do happen
  • Quickly and easily demonstrate the controls you have in place
  • Help with sector-specific standards

Want a 77% head start on ISO 27001 certification?

Frequently Asked Questions

Why Choose for ISO 27001?

It can be challenging and daunting to achieve ISO 27001 certification, but with, it couldn’t be simpler. As well as preconfigured frameworks, tools, security controls and other content to help you quickly and easily achieve ISO 27001,’s features include:
  • Simple, secure, all-in-one online ISMS environment that makes management easier, faster and more efficient
  • Preloaded Adopt / Adapt / Add ISO 27001 policies and controls that start you off with 77% of your ISMS documentation already completed
  • An optional Virtual Coach to give you confidence and share 24/7, context-specific ISO 27001 help
  • Optional tools to keep your colleagues aware of and engaged with your ISMS
  • Integrated supply chain management creating end-to-end information security assurance, strengthening your supplier relationships too
And ISO 27001's not the only international standard we can help you with. Our platform can help you achieve certification in or compliance with a wide range of other standards and regulations too.

What is an Information Security Management System?

An Information Security Management System (ISMS) outlines and demonstrates an organisation’s approach to infosec. It defines how an organisation identifies and overcomes risks and opportunities that relate to its valuable information and associated assets. That begins with sensitive data and personal data, but covers much else too.

Why is ISO 27001 Important?

Implementing ISO 27001 shows all interested parties that your organisation takes infosec seriously and does as much as possible to:
  • Carry out practical, comprehensive risk assessments
  • Reduce identified risks to an acceptable level
  • Manage those risks effectively
ISO 27001's benefits include:
  • Reducing your organisation’s information security and data protection risks
  • Helping it attract new customers and retain existing clients, saving time and resources
  • Improving the reputation of and strengthening trust in your organisation
ISO 27001 will also help your organisation comply with other regulations and standards, such as privacy regulation GDPR, infosec standards Cyber Essentials and PCI DSS, and ISO 22301 which focusses on business continuity management. Overall it provides greater information security assurance. That's why so many organisations are investing in and working with certification bodies to achieve ISO 27001-certified information security management systems.

What is ISO 27001?

ISO 27001:2013 is the internationally recognised specification for an Information Security Management System (ISMS), and it is one of the most popular standards for information security. The most recent version of the standard is ISO / IEC 27001:2013 and implements improvements made in 2017 as well.

What’s the difference between ISO 27001 compliance and certification?

To achieve ISO 27001 compliance, you just need to meet the requirements of ISO 27001. You show that you're doing so by carrying out your own audits. To achieve ISO 27001 certification, you need to find an external certification body. They'll confirm that your ISMS is ISO 27001 compliant and recommend certification. ISO 27001 certification is generally seen as being more impressive than compliance because it involves that external certification process.

How long will your ISO 27001 certification last?

Your ISO 27001 certification will last for three years after your successful certification audits. During that time you'll carry out regular performance evaluation of your ISMS. You'll make sure that your senior management review it regularly. And it'll undergo external audits as well. That'll ensure your organisation's ongoing data security as it grows and cyberthreats evolve and change. Continual improvement of your ISMS is key to maintaining your certification.

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27009

  • 8

    ISO 27010

  • 9

    ISO 27014

  • 11

    ISO 27013

  • 12

    ISO 27016

  • 13

    ISO 27017

  • 14

    ISO 27018

  • 15

    ISO 27019

  • 16

    ISO 27038

  • 17

    ISO 27039

  • 18

    ISO 27040

  • 19

    ISO 27050

  • 20

    ISO 27102

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.