An ISO technical specification, ISO/IEC TS 27008:2019 – Information Technology – Security Techniques – Guidelines For The Assessment Of Information Security Controls, has been released.
Users should note that this document is not an international standard but a technical specification, meaning that it addresses work still under technical development or in areas where there might be a future possibility of an international standard. Technical specifications are published for immediate use.
This document has been issued as more than one type of ISO deliverable over its history: the previous edition was a technical report, ISO/IEC TR 27008:2013. According to ISO, technical reports can contain data obtained from a survey or an informative report, or information on the perceived "state of the art."
Although it is a technical specification, ISO/IEC TS 27008:2019 largely hinges on an existing international standard. ISO/IEC 27001:2022 – Information Technology – Security Techniques – Information Security Management Systems – Requirements, the seminal document of the ISO/IEC 27000 family of international standards that address information technology security, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of an organization.
In fact, the technical specification and this international standard, along with several other pertinent standards, can be acquired together as the ISO/IEC 27000 Information Technology Security Techniques Collection.
Understanding controls is crucial when implementing and managing an ISMS. Information security controls are the primary means of treating unacceptable information security risks. Without the proper controls, an organization's ability to bring those risks within its risk tolerance level suffers, and mitigating or otherwise addressing them adequately becomes a challenge.
ISO/IEC TS 27008:2019 provides guidance on reviewing and assessing the implementation and operation of information security controls in compliance with an organization's established information security requirements.
Specifically, the technical specification, in addition to providing background information and an overview of information security control assessments, offers review methods and information on the control assessment process.
ISO/IEC TS 27008:2019 – Information Technology – Security Techniques – Guidelines For The Assessment Of Information Security Controls is available on the ANSI Webstore.