2. Sensitivity: Confidential
Where does it apply?
„Critical infrastructures are organizational and physical structures
and facilities of such vital importance to a nation’s society and
economy that their failure or degradation would result in sustained
supply shortages, significant disruption of public safety and security,
or other dramatic consequence“ [1]
“Critical infrastructure is an installation, system or part thereof, of federal importance, that is essential for the maintenance of vital societal functions, health, safety, security, economic prosperity or social well-being, and whose disruption of operation or destruction would have a significant impact because those functions would be disrupted.” [2]
An asset, system or part thereof located in Member States which is
essential for the maintenance of vital societal functions, health,
safety, security, economic or social well-being of people, and the
disruption or destruction of which would have a significant impact in
a Member State as a result of the failure to maintain those
functions. [3]
[1] Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
[2] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Belgium
[3] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Council_Directive_2008.2F114.2FEC
3. What is the aim of the directive?
• It proposes a wide-ranging set of measures to boost
the level of security of network and information
systems (cybersecurity) to secure services vital to the
EU economy and society. It aims to ensure that EU
countries are well-prepared and are ready to handle
and respond to cyberattacks through:
• the designation of competent authorities,
• the set-up of computer-security incident response teams
(CSIRTs), and
• the adoption of national cybersecurity strategies.
• It also establishes EU-level cooperation both at strategic
and technical level.
• Lastly, it introduces the obligation on essential-services
providers and digital service providers to take the
appropriate security measures and to notify the relevant
national authorities about serious incidents.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
4. What is KEY?
Improving national cybersecurity capabilities
EU countries must:
• designate one or more national competent authorities and
CSIRTs and identify a single point of contact (in case there is
more than one competent authority);
• identify providers of essential services in critical sectors such
as energy, transport, finance, banking, health, water and
digital infrastructure where a cyberattack could disrupt an
essential service.
EU countries must also put in place a national
cybersecurity strategy for network and information
systems, covering the following issues:
• being prepared and ready to handle and respond to
cyberattacks;
• roles, responsibilities and cooperation of government and
other parties;
• education, awareness-raising and training programmes;
• research and development planning;
• planning to identify risks.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
5. What is required 1/2?
The national competent authorities monitor the
application of the directive by:
• assessing the cybersecurity and security policies of
providers of essential services;
• supervising digital service providers;
• participating in the work of the cooperation group
(comprising network and information security (NIS)
competent authorities from each of the EU countries, the
European Commission and the European Union Agency for
Network and Information Security (ENISA));
• informing the public where necessary to prevent an
incident or to deal with an ongoing incident, while
respecting confidentiality;
• issuing binding instructions to remedy cybersecurity
deficiencies.
The CSIRTs are responsible for:
• monitoring and responding to cybersecurity incidents;
• providing risk analysis and incident analysis and
situational awareness;
• participating in the CSIRTs network;
• cooperating with the private sector;
• promoting the use of standardised practices for incident
and risk-handling and information classification.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
6. What is required 2/2?
Security and notification requirements
• The directive aims to promote a culture of risk management.
Businesses operating in key sectors must evaluate the risks
they run and adopt measures to ensure cybersecurity. These
companies must notify the competent authorities or CSIRTs of
any relevant incident, such as hacking or theft of data, that
seriously compromises cybersecurity and has a significant
disruptive effect on the continuity of critical services and the
supply of goods.
• To determine incidents to be notified by providers of essential
services*, EU countries should take into account an incident’s
duration and geographical spread, as well as other factors,
such as the number of users relying on that service.
• Key digital service providers (search engines, cloud computing
services and online marketplaces) will also have to comply
with the security and notification requirements.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
7. How will it be done?
Improving EU-level cooperation
• The directive sets up the cooperation group
whose tasks include:
• providing guidance to the CSIRTs network;
• exchange best practice on the identification of
providers of essential services;
• assisting EU countries in building cybersecurity
capabilities;
• sharing information and best practice on
awareness-raising and training, research and
development;
• sharing information and collecting best practice
on risks and incidents;
• discussing modalities of incident notification.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
8. How will it be done?
The directive also sets up the CSIRT network, comprising representatives
of EU countries’ CSIRTs and the Computer Emergency
Response Team (CERT-EU), whose tasks include:
• sharing information on CSIRT services;
• sharing information concerning cybersecurity incidents;
• supporting EU countries in the response to cross-border
incidents;
• discussing and identifying a coordinated response to an
incident reported by an EU country;
• discussing, exploring and identifying further forms of
operational cooperation, including:
• categories of risks and incidents;
• early warnings;
• mutual assistance;
• co-ordination between countries responding to risks and
incidents which affect more than one EU country;
• informing the cooperation group of its activities and
requesting guidance;
• discussing lessons learnt from cybersecurity exercises;
• discussing the capabilities of individual CSIRTs at their
request;
• issuing guidelines on operational cooperation.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
9. Mutual understanding: KEY TERMS
• Cybersecurity:
• the ability of network and information systems
to resist action that compromises the
availability, authenticity, integrity or
confidentiality of digital data or the services
those systems provide.
• Network and information system:
• an electronic communications network, or any
device or group of interconnected devices which
process digital data, as well as the digital data
stored, processed, retrieved or transmitted.
• Essential services:
• private businesses or public entities with an
important role for the society and economy, as
for example water supply, electricity services,
etc.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
11. Industry and beyond 1/3
sector | subsector | type of entity
energy | electricity | Electricity undertaking performing the function of “supply”; distribution system operators; transmission system operators
energy | oil | Operators of oil pipelines; operators of facilities for oil production, refining and treatment, storage and transport
energy | gas | Supply undertakings; distribution system operators; transmission system operators; storage system operators; LNG system operators; natural gas undertakings; operators of facilities for natural gas refining and treatment
12. Industry and beyond 2/3
sector | subsector | type of entity
transport | air transport | Air carriers; airport managing bodies; air traffic control services
transport | rail transport | Infrastructure managers; railway undertakings
transport | water transport | Companies for inland, sea and coastal water transport of passengers and freight; managing bodies of ports (as well as entities operating works and equipment within ports); operators of vessel traffic services
transport | road transport | Road authorities; operators of intelligent transport systems
13. Industry and beyond 3/3
sector | subsector | type of entity
banking | | Credit institutions
financial market infrastructure | | Operators of trading venues; central counterparties
healthcare | | Healthcare settings (including hospitals and private clinics); healthcare providers
drinking water supply and distribution | | Suppliers and distributors of “water intended for human consumption”
digital infrastructure | | Internet exchange points; DNS service providers; top-level domain name registries
14. What is it based on?
“Directive (EU) 2016/1148 (NIS Directive)”
Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
15. Go with the (reassuring) flow
Process flow (diagram): SoW → Contract → Project set-up → SoA → “landscape” → Risk assessment → Implementing → Executive decision; underpinned throughout by executive management support.
Step descriptions shown on the slide:
• Statement of Work: in scope, out of scope, high-level planning, and budget covenant.
• Rules of Engagement, communication, project organisation.
• Statement of Applicability.
• Infrastructure, IT/network, civil constructions, production/operations facilities.
• Risk based approach.
• Roll-out, roll-in [‘building’ ISMS].
• Audit, certification and ‘regular’ ISMS maintenance.
Note: to be used as a demo principle, only
16. Today: Front-Runner’s approach
Critical Infrastructures
• Identify scope 360°, or ‘full panoramic image’
• Collect “landscape” information, in multiple layers:
  • Infrastructure (construction) drawings
  • IT (software, applications, website, touchpoints, hardware, configuration / patch mgt, …)
  • IT network (incl. ‘cloud’)
  • Vendor management, configuration management (tool/application), incl. housing and hosting service providers
  • Server room(s)
  • Civil / operational construction drawings, technical operation rooms
  • People
  • Policies
  • Processes
  • Geographical location, transport modes, suppliers, environmental
• Statement of Applicability (cfr ref.: slide 7)
• Risk assessment, previous audit reports
• Identify mitigation
• Execute / realise mitigation / solutioning
• Document
• Audit, and certification
• Management / maintain control on ‘Critical Infrastructure’ protection
(Side box: Asset management register)
Note: to be used as a demo principle, only
17. SoA
# | area | Description of Statement of Applicability | Related standards, audit framework documents
 | Vulnerability management | What is the handling of known weak points like? Presentation of processes and derived measures. | SANS Institute; OWASP Top 10; ISO 27002; ISO 31000; risk assessment; recommendations; periodically iterative; process description
 | Patch management | Concept of measures for patch management at DL. | ITIL process definition (may be tooling)
 | System hardening (Systemhärtung) | The Contractor undertakes to harden the systems it supplies in order to minimise the impact. | Identify a collection of tools, techniques and best practices to reduce vulnerability company-wide
 | Remote access for third parties (Fernzugang für Drittanbieter) | Remote access from third parties to the network of the Principal. |
 | Requirements for the software development processes (Anforderungen an die Softwareentwicklungsprozesse) | The software development processes of the contractor must be designed in such a … |
 | Use of cryptographic solutions (Einsatz der kryptographischen Lösungen) | In order to ensure that no obsolete cryptographic solutions known to be … |
 | Documentation (Dokumentation) | The service provider shall regularly document the processes mentioned in this list (process manual). | ISO 27000, ISMS; define structure; define document process flow, access management, user profiles
… | … | … | …
Note: to be used as a demo principle, only
19. Solution based on standards, frameworks, and more
EU 2016/114 - Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
EU 2016/1148 - Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
ISO 27001 (2, 3, 4, and 5) - Information security management
ISO (TR) 27019 - Information technology — Security techniques — Information security controls for the energy utility industry
NIS
NIST 800-53 Rev. 4 - Controls
ISO 31000 - Risk management – Guidelines; provides principles, a framework and a process for managing risk
ITIL - Information Technology Infrastructure Library
OWASP - Open Web Application Security Project
ISO 15408 - Information technology — Security techniques — Evaluation criteria for IT security
ISO 21827 - Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model
ISO 22301 - Societal security — Business continuity management systems — Requirements
ISO 27031 - Information technology — Guidelines for ICT readiness for business continuity
ISO 55001 - Asset management — Management systems — Requirements
ISO (TR) 27550 - Information technology — Security techniques — Privacy engineering for system life cycle processes
UP KRITIS - Public-Private Partnership for Critical Infrastructure Protection
KRITIS V
IEC 62443 - “Security for Industrial Process Measurement and Control – Network and System Security”
ISMS
Non-exhaustive overview of potentially applicable standards and frameworks.
To be modified according to the scope of the audit exercise.
20. Road ahead: complexity, and more
Diagram of the standards, frameworks and artefacts in play: EU 2016/114, EU 2016/1148, ISO 27019, ISO 2700x, ISO 31000, ISO 55000, SoA, ITIL, OWASP, IEC 62443, ISO 15408, ISO 21827, ISO 22301, ISO 27031, ISMS, Doc, Proc², audit, audit start, ISO 25010, CIRT, operational certification, other, internal, KRITIS V, asset mgt register.
Legend:
Doc : document
Proc² : processes, and procedures
21. Linking “Asset Management” to ISO 2700X, and vice versa
What: all information assets are to be considered, not only physical assets.
This includes anything of value to the organisation where information is
stored, processed and accessible; it is the information that is of real
interest, less so the network or device per se, although clearly they are
still assets and need to be protected.
22. Defining assets: “data”
Some examples:
• Information (or data)
• Intangibles – such as IP, brand and reputation
• People – Employees, temporary staff, contractors, volunteers etc
And the physical assets associated with their processing and
infrastructure:
• Hardware – Typically IT servers, network equipment,
workstations, mobile devices etc
• Software – Purchased or bespoke software
• Services – The actual service provided to end-users (e.g. database
systems, e-mail etc)
• Locations & Buildings – Sites, buildings, offices etc
Any type of asset can be grouped together logically according to a
number of factors such as:
• Classification – e.g. public, internal, confidential etc
• Information type – e.g. personal, personal sensitive, commercial
etc
• Financial or non-financial value
23. Asset Management Foundation (Tooling) 1
• Register of Vendors
  • Cross referencing supplies (hardware, IT components, PLCs, …)
  • Cross referencing with configuration data (key identifiers per item)
  • Cross referenced with maintenance management
  • Service level management / contract (y/n): gold, silver, less…
Inventory of all items (grouped, individually, types, locations, stock/warehouse, unique identifier, vendor).
Risk based approach, again:
Which components are strategic in your organisation or production chain? Cross references are key.
What if a vendor is no longer operational: which items are impacted?
What if a key item is reaching the end of its life cycle? Alternative product? Alternative supplier?
In case of a quality issue with an item: where are those items located in our organisation / production facility?
24. Asset Management Foundation (Tooling) 2
• Register of Software, and applications
• Cross referencing supplier
• Cross referencing with configuration data (key identifiers per
Software, tool, application)
• Patch management, configuration item db
• Latest/active version
• Swift recovery
• Cross referenced with maintenance or service level
management
CMDB, ITIL, Business Continuity management, Disaster Recovery, CIRT, Communication,
Compromise management, Termination management,…
25. Asset Management Foundation (multi-layered)
• Bottom-up and top-down approach
• Identifying the different layers, and the interdependencies between
each layer:
1. Production facility /-facilities
2. P&ID, plc automation, technical networks
3. Process flow diagram
4. Electrical wiring diagram, cabinets, networks, power
supply, remote controllers;
5. ICT, IT network, architectural drawing, components,
firewall; touchpoints,
6. Geographical site(-s) location,
32. Project management follow-up: progress
# | area | status | Budget
 | Vulnerability management | ◻ Specified (not started) ◻ In draft / ready for review ◻ Review (ENGIE) ◻ Rework edited ◻ Final acceptance | ◻ Budget ◻ estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
 | Patch management | ◻ Specified (not started) ◻ In draft / ready for review ◻ Review (ENGIE) ◻ Rework edited ◻ Final acceptance | ◻ Budget ◻ estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
 | System hardening (Systemhärtung) | ◻ Specified (not started) ◻ In draft / ready for review ◻ Review (ENGIE) ◻ Rework edited ◻ Final acceptance | ◻ Budget ◻ estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
 | Remote access for third parties (Fernzugang für Drittanbieter) | ◻ Specified (not started) ◻ In draft / ready for review ◻ Review (ENGIE) ◻ Rework edited ◻ Final acceptance | ◻ estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
 | Requirements for the software development processes (Anforderungen an die Softwareentwicklungsprozesse) | ◻ Specified (not started) ◻ In draft / ready for review ◻ Review (ENGIE) ◻ Rework edited ◻ Final acceptance | ◻ estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
 | Use of cryptographic solutions (Einsatz der kryptographischen Lösungen) | ◻ Specified (not started) ◻ In draft / ready for review | ◻ estimate: € ◻ Actual: € ◻ BAC: €
Note: to be used as a demo principle, only
33. Project management follow-up: ownership
# | area | Ownership | Contact information
 | Vulnerability management | ◻ ENGIE | ◻ Name ◻ Function/role ◻ email
 | | ◻ External – ENGIE – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
 | | ◻ Service Provider | ◻ Name ◻ Function/role ◻ email
 | Patch management | ◻ ENGIE | ◻ Name ◻ Function/role ◻ email
 | | ◻ External – ENGIE – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
 | | ◻ Service Provider | ◻ Name ◻ Function/role ◻ email
 | System hardening (Systemhärtung) | ◻ ENGIE | ◻ Name ◻ Function/role ◻ email
 | | ◻ External – ENGIE – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
 | | ◻ Service Provider | ◻ Name ◻ Function/role ◻ email
Note: to be used as a demo principle, only
34. Risk based approach
Risk matrix: likelihood (rows) × consequences (columns)
LIKELIHOOD | INSIGNIFICANT | MINOR | MODERATE | MAJOR | CATASTROPHIC
VERY LIKELY | Moderate7 | SIGNIFICANT4 | High2 | EXTREME2 | EXTREME1
LIKELY | LOW2 | MODERATE2 | SIGNIFICANT2 | HIGH1 | EXTREME3
POSSIBLE | LOW4 | MODERATE4 | MODERATE1 | SIGNIFICANT1 | HIGH3
UNLIKELY | LOW7 | LOW1 | MODERATE5 | MODERATE3 | SIGNIFICANT3
RARE | LOW8 | LOW6 | LOW5 | LOW3 | MODERATE6
Note: to be used as a demo principle, only
35. ISMS implementation roadmap
Diagram (Information security management system): start, management support → business case, scope → define ISMS scope → inventory information assets (inventory) → assess information risks → prepare statement of applicability (SoA) → prepare risk treatment plan (RTP) → develop ISMS implementation program → execute different projects (n, n1, n2, nx) → pre-certification assessment, compliance review, ISMS internal audit → review & corrective actions → certification audit → operate ISMS as a process → manage & maintain, and yearly audit.
Standards placed along the flow: ISO 27001, ISO 27002, ISO 27003, ISO 27004, ISO 27005, ISO 22301, ISO 62443.
Inputs: laws, regulations, contracts; Directive EU 2016/114; Directive EU 2016/1148.
36. ISMS operational tooling
Diagram: the Information security management system at the centre, with its operational artefacts around it:
• AUDIT: Mgt review reports 1 to 4; external audit reports; internal audit reports; ISMS internal audit (ISO 27004)
• LOG-files
• BSC metrics
• CSO
• INCIDENT management: incident reports 1 to 3
• Business continuity management: BCP-S1 to BCP-S4 (ISO 22301)
• S policies, S standards, S procedures, S processes, S guidelines
40. Focus on assets, and management of these assets
• Identify
• Determine
• List (inventory)
• Life cycle management
• Manage
Asset register attributes (diagram): tag id; installation year, month; MTBF; MTTF; MTTR; recommended renewal / replacement year; condition rating; redundancy; cost of renewal; original item cost; criticality of item; provider; alternative product; instrument index; stock item; # available; stock location; version; id; patch.
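The tooling slides (23 and 24) ask what an asset register must answer once its cross references are in place: which items a vendor failure hits, which items are reaching their recommended renewal year, and how critical each is; the asset slide (40) lists the attributes per item, and slide 34 gives the 5×5 likelihood/consequence matrix. The following is an added example, not code from the deck or from ENGIE, that puts those pieces together in Python: a small register of vendors and items with referential checks on insert, the two cross-reference queries, and a supply-risk rating read from the deck's matrix. The likelihood ladder (operational vendor = RARE, alternative product = UNLIKELY, own stock only = POSSIBLE, no fallback = LIKELY) and all vendor and item data are assumptions constructed for the example.

```python
"""Asset register with cross references, rated with the deck's 5x5 risk matrix.

Added example, not part of the slide deck. All sample data is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Axes and ratings copied from the risk matrix on slide 34
# (rows = likelihood, columns = consequences, INSIGNIFICANT to CATASTROPHIC).
CONSEQUENCES = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]
RISK_MATRIX = {
    "VERY LIKELY": ["MODERATE", "SIGNIFICANT", "HIGH", "EXTREME", "EXTREME"],
    "LIKELY":      ["LOW", "MODERATE", "SIGNIFICANT", "HIGH", "EXTREME"],
    "POSSIBLE":    ["LOW", "MODERATE", "MODERATE", "SIGNIFICANT", "HIGH"],
    "UNLIKELY":    ["LOW", "LOW", "MODERATE", "MODERATE", "SIGNIFICANT"],
    "RARE":        ["LOW", "LOW", "LOW", "LOW", "MODERATE"],
}


def rate_risk(likelihood: str, consequence: str) -> str:
    """Rating for one likelihood/consequence pair; raises on unknown labels."""
    return RISK_MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass
class Vendor:
    name: str
    operational: bool = True  # False once the vendor stops trading or supporting


@dataclass
class Asset:
    """One register entry, using a subset of the attributes on the asset slide."""
    tag_id: str
    vendor: str            # cross reference to Vendor.name
    location: str
    renewal_year: int      # recommended renewal / replacement year
    consequence: str       # consequence of losing the item (a matrix column)
    mtbf_hours: float
    mttr_hours: float
    alternative_product: Optional[str] = None
    stock_available: int = 0


class AssetRegister:
    def __init__(self) -> None:
        self.vendors: dict[str, Vendor] = {}
        self.assets: dict[str, Asset] = {}

    def add_vendor(self, vendor: Vendor) -> None:
        self.vendors[vendor.name] = vendor

    def add_asset(self, asset: Asset) -> None:
        # Cross references are only useful if they resolve, so refuse dangling ones.
        if asset.vendor not in self.vendors:
            raise ValueError(f"unknown vendor {asset.vendor!r} for {asset.tag_id}")
        if asset.consequence not in CONSEQUENCES:
            raise ValueError(f"unknown consequence {asset.consequence!r}")
        if asset.tag_id in self.assets:
            raise ValueError(f"duplicate tag id {asset.tag_id}")
        self.assets[asset.tag_id] = asset

    def impacted_by_vendor(self, vendor_name: str) -> list[str]:
        """Tag ids of every item supplied by the given vendor."""
        return sorted(t for t, a in self.assets.items() if a.vendor == vendor_name)

    def due_for_renewal(self, year: int) -> list[str]:
        """Tag ids whose recommended renewal year is this year or earlier."""
        return sorted(t for t, a in self.assets.items() if a.renewal_year <= year)

    def supply_risk(self, tag_id: str) -> str:
        """Risk of not being able to replace the item (likelihood ladder is an assumption)."""
        asset = self.assets[tag_id]
        if self.vendors[asset.vendor].operational:
            likelihood = "RARE"
        elif asset.alternative_product:
            likelihood = "UNLIKELY"
        elif asset.stock_available > 0:
            likelihood = "POSSIBLE"
        else:
            likelihood = "LIKELY"
        return rate_risk(likelihood, asset.consequence)

    def vendor_failure_findings(self) -> dict[str, str]:
        """Items whose vendor is no longer operational, with their supply risk."""
        return {t: self.supply_risk(t) for t in sorted(self.assets)
                if not self.vendors[self.assets[t].vendor].operational}


def availability(asset: Asset) -> float:
    """Steady-state availability from the MTBF and MTTR attributes."""
    return asset.mtbf_hours / (asset.mtbf_hours + asset.mttr_hours)


def build_sample_register() -> AssetRegister:
    """Constructed sample data: two vendors, three items."""
    reg = AssetRegister()
    reg.add_vendor(Vendor("Acme Drives", operational=False))
    reg.add_vendor(Vendor("Borealis Controls"))
    reg.add_asset(Asset("PLC-101", "Acme Drives", "cabinet A1", 2021, "MAJOR", 8760, 24))
    reg.add_asset(Asset("PLC-102", "Acme Drives", "cabinet A2", 2030, "CATASTROPHIC",
                        8760, 24, alternative_product="Borealis X1", stock_available=1))
    reg.add_asset(Asset("FW-01", "Borealis Controls", "server room", 2024, "MODERATE",
                        17520, 4))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("impacted by Acme Drives:", reg.impacted_by_vendor("Acme Drives"))
    print("due for renewal by 2024:", reg.due_for_renewal(2024))
    print("vendor failure findings:", reg.vendor_failure_findings())
```

Running the sample reports PLC-101 as HIGH (no alternative, no stock, MAJOR consequence) and PLC-102 as SIGNIFICANT (an alternative product exists, but the consequence is CATASTROPHIC), which is the kind of ranked list the "what if a vendor is no longer operational" question on slide 23 expects the register to produce.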
44. Published standards
The published ISO27K standards related to "information technology - security techniques" are:
• ISO/IEC 27000 — Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information technology - Security Techniques - Information security management systems — Requirements. The
2013 release of the standard specifies an information security management system in the same formalized,
structured and succinct manner as other ISO standards specify other kinds of management systems.
• ISO/IEC 27002 — Code of practice for information security controls - essentially a detailed catalog of information security controls
that might be managed through the ISMS
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on auditing the management system)
• ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on auditing the information security controls)
• ISO/IEC 27009 — Essentially an internal document for the committee developing sector/industry-specific variants or implementation
guidelines for the ISO27K standards
• ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (derived from ITIL)
45. Published standards
• ISO/IEC 27014 — Information security governance.
• ISO/IEC TR 27015 — Information security management guidelines for financial services - Now withdrawn
• ISO/IEC TR 27016 — Information security economics
• ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC TR 27019 — Information security for process control in the energy industry
• ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032 — Guideline for cybersecurity
• ISO/IEC 27033-1 — Network security - Part 1: Overview and concepts
• ISO/IEC 27033-2 — Network security - Part 2: Guidelines for the design and implementation of network security
• ISO/IEC 27033-3 — Network security - Part 3: Reference networking scenarios - Threats, design techniques and control issues
• ISO/IEC 27033-4 — Network security - Part 4: Securing communications between networks using security gateways
• ISO/IEC 27033-5 — Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
• ISO/IEC 27033-6 — Network security - Part 6: Securing wireless IP network access
• ISO/IEC 27034-1 — Application security - Part 1: Guideline for application security
• ISO/IEC 27034-2 — Application security - Part 2: Organization normative framework
• ISO/IEC 27034-6 — Application security - Part 6: Case studies
46. Published standards
• ISO/IEC 27035-1 — Information security incident management - Part 1: Principles of incident management
• ISO/IEC 27035-2 — Information security incident management - Part 2: Guidelines to plan and prepare for incident response
• ISO/IEC 27036-1 — Information security for supplier relationships - Part 1: Overview and concepts
• ISO/IEC 27036-2 — Information security for supplier relationships - Part 2: Requirements
• ISO/IEC 27036-3 — Information security for supplier relationships - Part 3: Guidelines for information and communication technology
supply chain security
• ISO/IEC 27036-4 — Information security for supplier relationships - Part 4: Guidelines for security of cloud services
• ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27038 — Specification for digital redaction on digital documents
• ISO/IEC 27039 — Intrusion prevention
• ISO/IEC 27040 — Storage security
• ISO/IEC 27041 — Investigation assurance
• ISO/IEC 27042 — Analyzing digital evidence
• ISO/IEC 27043 — Incident investigation
• ISO/IEC 27050-1 — Electronic discovery - Part 1: Overview and concepts
• ISO/IEC 27050-2 — Electronic discovery - Part 2: Guidance for governance and management of electronic discovery
• ISO 27799 — Information security management in health using ISO/IEC 27002 - guides health industry organizations on how to
protect personal health information using ISO/IEC 27002.
47. In preparation
• Further ISO27K standards are in preparation covering aspects such as digital forensics and cybersecurity, while the released ISO27K standards are routinely reviewed and updated on a ~5 year cycle.