Home → News & Resources → Experts Talk

Overview of the Extensions to ISO/IEC 27001 and ISO/IEC 27002


Many organizations over the years have leveraged ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for the establishment of their Information Security Management System (ISMS). These standards are intentionally generic so that they may be used by the broadest selection of organizations and industry sectors. However, as organizations, regulators, customers, business partners, and industry sectors demand that certifications account for their unique threats, risks, and requirements, other standards that extend the baseline requirements of ISO/IEC 27001 and ISO/IEC 27002 have emerged.

There are now several ISO extensions that organizations can use to extend their ISMS. Each of these extensions allows for an additional certification if the organization can demonstrate conformity.

The extensions discussed in this article are:

Technology-Specific Extensions

  • ISO/IEC 27017:2015 for Cloud Services

Privacy-Specific Extensions

  • ISO/IEC 27018:2019 for Cloud Services acting as PII processors
  • ISO/IEC 27701:2019 for a Privacy Information Management System (PIMS)

Industry-Sector Extensions

  • ISO/IEC 27019:2017 for the Energy Utility Industry
  • ISO 27799:2016 for the Healthcare Industry

ISO/IEC 27017:2015
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

Many organizations that have chosen to implement an ISMS are cloud service providers, cloud service customers, or both. Those organizations may also consider ISO/IEC 27017:2015, an extension of ISO/IEC 27002 that explicitly contemplates the unique threats and risks of cloud service offerings (i.e., Software-as-a-Service, Infrastructure-as-a-Service, etc.).

ISO/IEC 27017 provides requirements and implementation guidance for both cloud service providers and cloud service customers through cloud-specific implementation guidance for relevant ISO/IEC 27002 requirements and additional requirements and implementation guidance specifically for the provision and use of cloud services. 

The additional requirements include:

  • Shared roles and responsibilities within a cloud computing environment;
  • Removal of cloud service customer assets;
  • Segregation in virtual computing environments;
  • Virtual machine hardening;
  • Administrator operational security;
  • Monitoring of cloud services; and
  • Alignment of security management for virtual and physical networks.

A cloud service organization obtaining ISO/IEC 27001 certification of its ISMS could also obtain certification in conformity with ISO/IEC 27017 at the same time. In so doing, the organization demonstrates consideration of cloud-specific threats, risks, and requirements throughout its ISMS lifecycle.

ISO/IEC 27018:2019
Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for a public cloud service provider.

In particular, ISO/IEC 27018 includes guidelines based on ISO/IEC 27002, by considering the common privacy obligations for the protection of PII that would be typically applied within the context of the information security risk environment of cloud service providers acting as PII processors. A PII processor is an organization providing processing of PII on behalf of and at the instruction of another organization. 

These other organizations, PII controllers, who are generally the customers of the cloud service PII processors, define the purpose and method of PII processing. While ISO/IEC 27018 provides guidelines also potentially relevant to organizations acting as PII controllers, PII controllers are typically subject to additional PII protection legislation, regulations, and obligations not applicable to PII processors and not covered in the ISO/IEC 27018 standard.

ISO/IEC 27018 introduces additional considerations for the requirements of ISO/IEC 27002 and adds further requirements focused on:

  • Consent and choice;
  • Purpose legitimacy and specification;
  • Data minimization;
  • Use, retention, and disclosure limitation;
  • Openness, transparency, and notice;
  • Accountability;
  • Information Security; and
  • Privacy Compliance.

ISO/IEC 27701:2019
Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

ISO/IEC 27701:2019 is an extension of both ISO/IEC 27001 and ISO/IEC 27002. This makes it unique amongst the other standards mentioned in this article. While the other mentioned extensions provide additional requirements and guidance for consideration within an ISMS, ISO/IEC 27701 requires the extension of the ISMS to a second related management system, the Privacy Information Management System (PIMS).

ISO/IEC 27701 specifies PIMS requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which are PII controllers and/or PII processors that collect and/or process PII within an ISMS.

Nowadays, options for privacy certification are inconsistent across countries, jurisdictions and industry sectors. One of the most significant challenges is the inherent difficulty in demonstrating adherence to applicable privacy obligations and regulations.

Privacy legislation generally provides the regulatory framework that establishes principles, requirements, and expectations. However, this requires legal interpretation and prudent application in an appropriate context. Unlike an ISO standard, privacy legislation is typically not ready-to-use guidance and is not intended to be readily auditable.

These inherent legal interpretation and application challenges appear to be shared by the authorities. Despite the initial adoption of the EU’s General Data Protection Regulation (GDPR) in April 2016, at the time of writing this article in 2021, the European Data Protection Board (EDPB) had yet to approve any Article 42/43 certification schemes for demonstrating compliance (EDPB, 2020).

ISO/IEC 27701 seeks to address the above-mentioned challenges with an internationally recognized certification that can incorporate various privacy obligations, which could include the GDPR, California Consumer Privacy Act (CCPA), and other legislative requirements, as appropriate.

ISO/IEC 27701 requires the implementation of a PIMS which can be a significant undertaking and typically requires specialized privacy knowledge and skills, especially if the organization identifies as a PII controller.

An organization seeking to obtain ISO/IEC 27701 certification also must achieve and maintain ISO/IEC 27001 certification. The two certifications do not need to be obtained at the same time, however the scope of the PIMS (i.e., the applicable process, technology, services, and/or organizational units) must be included in the scope of the overarching ISMS.

ISO/IEC 27019:2017
Information technology — Security techniques — Information security controls for the energy utility industry

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

It includes the following:

  • Central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices.
  • Digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements. All further supporting information systems used in the process control domain, for e.g., for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes.
  • Communication technology used in the process control domain, for e.g., networks, telemetry, telecontrol applications and remote control technology.
  • Advanced Metering Infrastructure (AMI) components and other measurement devices.
  • Measurement devices, for e.g., for emission values.
  • Digital protection and safety systems, for e.g., safety PLCs, emergency governor mechanisms, protection relays.
  • Energy management systems, for e.g., of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations.

Although ISO/IEC 27019 does not explicitly extend ISO/IEC 27001, it does require that the risk assessment and treatment processes of the ISMS incorporate the energy utility industry sector specific guidance provided in ISO/IEC 27019.

An organization in the energy utility industry could certify to ISO/IEC 27019 along with ISO/IEC 27001 as a demonstration of their information security practices as well as their energy utility industry sector specific information security practices.

Note: ISO/IEC 27019 does not apply to the process control domain of nuclear facilities (which is covered by IEC 62645:2019)

ISO 27799:2016
Health informatics — Information security management in health using ISO/IEC 27002

Health informatics, sometimes referred to a Health Information Systems, is the concept of using information technology in the healthcare industry to improve patient outcomes. It includes areas such as health records management, medical device management, data analytics, and information communications technology.

ISO 27799:2016 provides implementation guidance for the requirements described in ISO/IEC 27002 and supplements them where necessary to be effectively used for managing health information security. By implementing ISO 27799, healthcare organizations and custodians of health information can demonstrate a minimum level of security appropriate to their organization’s circumstances and to maintain confidentiality, integrity, and availability of personal health information in their care. Like the other standards mentioned in this article, ISO 27799 also includes details specific to the unique threats and risks applicable to health information security for consideration in the ISMS risk assessment and treatment process.

Adoption and certification of conformity to ISO/IEC 27001 and ISO 27799 demonstrates an organization’s commitment to healthcare information security.

This includes considerations for:

  • Access control and privileged access requirements specific to Protected/Person Health Information (PHI);
  • Processing, recording, and archiving PHI;
  • Electronic health information services; and
  • Publicly available health information.

Going Forward

At the time of writing this article in 2021, it is expected that updates to ISO/IEC 27001:2013 and ISO/IEC 27002:2013 will be ratified and adopted in the near future. As a result of these updates, the extensions mentioned in this article will require updating to maintain their alignment. It is likely that these updates will also introduce valuable improvements to ISO/IEC 27001, ISO/IEC 27002, and each of the extensions.

Moreover, as the need for information security and privacy guidance continues to grow, other extensions tailored to a specific technology, regulation, industry sector, or other consideration are likely to emerge.


About Author

Eric Rae is a partner in the Technology Risk Consulting group at KPMG LLP (Canada) and an MSECB Auditor for ISO/IEC 27001 and ISO/IEC 27701. His expertise focuses on Digital and Technology Assurance, Risk Consulting, Cybersecurity, Privacy, Blockchain, and emerging AI technologies. Eric has led numerous complex engagements covering a broad range of infrastructure, enterprise and security architecture, risk management, and attestation areas. On behalf of MSECB, he has audited many SMEs and large enterprises in the regions of North America.

Eric specializes in a broad range of KPMG services, including: IT governance; IT Control Assurance and Attestation (primarily CSAE 3000/1, SOC 1, SOC 2, SOC 3); Information Security Management Systems and Certification – ISMS (ISO/IEC 27001/2, ITSG-33, NIST, NERC, etc.); Privacy Information Management Systems and Certification – PIMS (ISO/IEC 27701); CSA Star Level 2 Attestation; Cloud Architecture Implementation and Assessment; Identity and Access Management; Supply Chain Security (SOC for Supply Chain); Compliance Management; Cyber Security Design, Maturity Assessments and Penetration Testing; IT Audit Support; IT Business and Continuity and Disaster Recovery; Security Operations; Vulnerability Management; Payment Card Industry Qualified Data Security Standard advisory support; Policies and Procedures; Lottery Draw Machine Attestations; Blockchain Design, Development, and Support for Financial Audit and DeFi Considerations; IT Infrastructure Engagements (such as SIEM, IDS, and IAM); and Ethical AI Risk Management and Attestation.