ISO/TS 27008:2019 Published

ISO/TS 27008:2019, Edition 1, “Information technology – Security techniques – Guidelines for the assessment of information security controls”, is available and replaces ISO/TR 27008:2011.

The new technical specification supports the Information Security Risk Management process referenced in ISO 27001.

Information security controls should be

  • fit-for-purpose (appropriate and suitable mitigation of information risks),
  • effective (properly specified, designed, implemented, used, managed and maintained),
  • efficient (delivering net value to the organization).

ISO/TS 27008 explains how to assess an organization’s information security controls against those and other objectives, both to confirm that they are indeed fit-for-purpose, effective and efficient (providing assurance) and to identify any need for changes (improvement opportunities).

The ultimate aim is that the information security controls, as a whole, adequately mitigate information risks that the organization finds unacceptable and unavoidable, in a reasonably cost-effective and business-aligned manner.

ISO/TS 27008 offers the flexibility needed to customize the necessary reviews based on business missions and goals, organizational policies and requirements, known emerging threats and vulnerabilities, operational considerations, information system and platform dependencies, and the risk appetite of the organization.

Please refer to ISO 27007 for guidelines on information security management systems auditing and ISO 27006 for requirements for bodies providing audit and certification of information security management systems.

The 91-page ISO/TS 27008:2019 standard can be ordered from ISO for $198.