Hey GRC Lab readers! 👋
Imagine a security framework that works for any organization—big or small, tech or healthcare, startup or enterprise. That’s ISO/IEC 27001, the gold standard for building an Information Security Management System (ISMS).
While the ISO 27001 standard provides a solid backbone for an ISMS, its high-level nature means it cannot address every technical or operational nuance of a specialized industry. This is not a failure of the standard, but a deliberate design choice that allows for its broad applicability. The true power of the ISO 27k series lies in its ability to be extended. To better suit their industry and address unique, high-impact risks, organizations can decide to select additional controls that are not part of Annex A. While this might sound like quite a challenge, rest assured you are not on your own on this.
The following ISO standards function as extensions to the controls of Annex A, and address a variety of different industries and use cases.
ISO/IEC 27011
ISO/IEC 27017
ISO/IEC 27018
ISO/IEC 27019
Overview of sector specific standards
Here is a brief overview of each of these standards, explaining who they are tailored to and what types of controls they suggest.
ISO/IEC 27011: Building a Resilient Telecom Backbone
Description: Telecommunications organizations operate in a unique and critical domain, managing vast volumes of sensitive user data and networks that constitute national infrastructure. While a general ISMS is helpful, it is insufficient to address the specific threats faced by this industry, such as interconnection fraud, SIM card cloning, transmission snooping, and the manipulation of signaling protocols like SS7, SIP, or Diameter. ISO 27011 is a sector-specific standard that adapts and extends the controls from ISO 27002 to match the complex risks and technological requirements of the telecommunications industry. It provides tailored security controls that support the need for network stability, continuous service availability, and the confidentiality and integrity of communications across complex and distributed infrastructures.
Added Controls and Guidance:
Apply access control policies specific to network elements and subscriber data.
Secure the signaling systems (e.g., SS7, SIP, or Diameter) from external manipulation.
Protect physical telecom infrastructure, including towers and switches.
Implement audit logging and regular event correlation for telecom services.
Restrict administrative privileges and enforce role-based access to critical systems.
Ensure resilience of telecom services against denial-of-service and other disruptions.
Control changes to telecom hardware and firmware, especially in live environments.
Address security responsibilities prior to, during, and after employment for critical roles.
ISO/IEC 27017: Navigating the Cloud Shared Responsibility Model
Description: The cloud’s “shared responsibility model” is often a source of significant ambiguity, leaving high-impact weaknesses exposed. Generic ISMS frameworks are outpaced by the dynamic, multi-tenant nature of cloud environments and their fragmentation. ISO 27017 was created to clarify this ambiguity, providing cloud-specific security controls and implementation guidance for both cloud service providers (CSPs) and customers, forcing clarity through naming, assignment, and secure accountability. The standard shifts the security focus from a static, periodic model to one that is dynamic and automation-driven, addressing risks in virtual asset management, automated auditability, and lifecycle provisioning.
Added Controls and Guidance:
A control for the allocation of responsibilities between the cloud service provider (CSP) and the customer.
A control for the removal or return of assets when a contract is terminated.
A control for the protection and separation of a customer’s virtual environment.
A control for virtual machine configuration.
A control for administrative operations and procedures associated with the cloud environment.
Guidance on cloud customer monitoring of activity.
Guidance on virtual and cloud network environment alignment.
ISO/IEC 27018: A Privacy-First Approach for PII in the Cloud
Description: Generic ISO 27001 controls, while strong on information security, are often insufficient for protecting Personally Identifiable Information (PII) in public cloud environments. They fail to address the critical nuances of privacy principles, such as explicit consent management, data minimization, and the legally distinct roles of data controllers and processors. ISO 27018 was developed to close this gap by adding specific, auditable controls for public cloud providers acting as PII processors. The standard transforms data protection from an abstract intention into "daily, granular accountability."
Added Controls and Guidance:
Consent Management: Dynamic, always trackable, explicit, and logged.
Processor-Controller Split: Mandatory, with an audit trail that can be cited.
Data Deletion/Erasure: Technical, monitored, and regular.
Cross-Vendor Proof: API/event-based and audit-ready.
Role Assurance: Contractually enforced and mapped.
Transparency: Mandatory notification to affected partners and clients.
ISO/IEC 27019: Defending the Grid from the Inside Out
Description: The energy utility industry relies on a distinct class of systems known as Operational Technology (OT), including industrial control systems (ICS) like SCADA and Programmable Logic Controllers (PLCs). These systems are uniquely vulnerable due to their physical exposure and distributed nature. A security failure in this domain can lead to a physical event, such as a grid blackout. Traditional IT security frameworks ignore this "civilian blind spot." ISO 27019 provides a specialized playbook for securing OT environments, offering a security standard that makes sector-specific risk visible and actionable.
Added Controls and Guidance:
Implications for External Audits and Certificates
Now the question is: what about the certification process? Is it possible to get a real certificate for each of the standards we discussed?
The short answer is no, you can't. Since codes of practice cannot be certified on their own, the certification is always granted to the management system standard, which is ISO 27001. However, your certificate will reflect the successful integration of the other standards in the scope statement.
In summary, you will get an ISO 27001 certificate with a statement referring to the additional standards that have been considered when auditing the ISMS.
My personal opinion: Most companies implement ISO 27001 because their customers require them to. It's a means to stay in business with them. The truth is, most customers do not know about or require any of the standards we discussed in this edition. So, the effort it would take to add another set of requirements should be well considered. Nevertheless, if your objective is to make your organisation more secure, tailoring your controls to the unique circumstances should be a no-brainer.