EURUSD
Your shopping cart is empty.
CEN

EN ISO/IEC 27019:2020

(Main)

Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
-      central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
-      digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
-      all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
-      communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
-      Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
-      measurement devices, e.g. for emission values;
-      digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
-      energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;
-      distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
-      all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
-      any premises housing the above-mentioned equipment and systems;
-      remote maintenance systems for above-mentioned systems.
ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.
ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry-sector?specific guidance provided in this document.

Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)

Dieses Dokument gibt auf Basis von ISO/IEC 27002:2013 Hinweise für Systeme der Prozesssteuerung der Energieversorgung, die zur Steuerung, Regelung und Überwachung von Gewinnung oder Erzeugung, Übertragung, Speicherung und Verteilung von Strom, Gas, Öl und Wärme und für die Steuerung von unterstützenden Prozessen dienen. Dies umfasst insbesondere:
- zentrale und dezentrale Prozesssteuerungs-, Leit-, Automatisierungs- und Überwachungstechnik sowie die für ihren Betrieb genutzten Informationssysteme, wie z. B. Programmier- und Parametriergeräte;
- digitale Steuerungen und Automatisierungskomponenten wie Leit- und Feldgeräte oder Speicherpro-grammierbare Steuerungen (SPSen), inklusive digitaler Sensor- und Aktorelemente;
- alle weiteren in der Prozesstechnik genutzten unterstützenden Informationssysteme, z. B. für die Aufgabe der ergänzenden Datenvisualisierung und zur Steuerung, Überwachung, Datenarchivierung, Langzeitprotokollierung, Berichtswesen und zur Dokumentation;
- in der Prozesstechnik eingesetzte Kommunikationstechnik, z. B. Netzwerk-, Telemetrie-, Fernwirk- und Fernsteuertechnik;
- Advanced-Metering-Infrastruktur-(AMI)-Komponenten, z. B. intelligente Zähler;
- Mess- und Zählvorrichtungen, z. B. zur Emissionswerterfassung;
- digitale Schutz- und Safety-Systeme, z. B. Schutzgeräte, Sicherheits-Steuerungen und Notfallsteuerungsmechanismen;
- Energiemanagementsysteme, z. B. für dezentrale Energieerzeugungssysteme, elektrische Ladeinfra-strukturen, in Privathaushalten, Wohngebäuden oder industriellen Kundeninstallationen;
- verteilte Komponenten von Smart-Grid-Umgebungen, z. B. in Energienetzen, Privathaushalten, Wohn-gebäuden oder industriellen Kundeninstallationen;
- alle Arten von Software, Firmware und Anwendungen, die auf den vorgenannten Systemen eingesetzt werden, z. B. Netzführungs-Anwendungen oder Ausfallmanagementsysteme;
- jegliche Lokalität mit den oben erwähnten Anlagen oder Systemen;
- Fernwartungssysteme für die oben aufgeführten Systeme.
Nicht im Geltungsbereich dieses Dokuments liegt der Bereich der Prozesssteuerung von Kernenergie-anlagen. Dieser Bereich wird von IEC 62645 abgedeckt.
Darüber hinaus enthält dieses Dokument eine Anforderung, um die in ISO/IEC 27001:2013 beschriebenen Risikobeurteilungs- und -behandlungsprozesse an die in diesem Dokument enthaltenen energiesektor-spezifischen Empfehlungen anzupassen.

Technologies de l'information - Techniques de sécurité - Mesures de sécurité de l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version corrigée 2019-08)

Le présent document contient des recommandations basées sur l'ISO/IEC 27002:2013 appliquées aux systèmes de contrôle des processus utilisés par l'industrie des opérateurs de l'énergie pour contrôler et surveiller la production, le transport, le stockage et la distribution de l'électricité, du gaz, du pétrole et de la chaleur, ainsi que pour le contrôle des processus support associés. Cela inclut en particulier:
—          les technologies de contrôle et de surveillance des processus centralisées et distribuées, des automates et des systèmes d'information utilisés pour leur fonctionnement, tels que les dispositifs de programmation et de paramétrage;
—          les contrôleurs numériques et les composants d'automates tels que les équipements de contrôle et de terrain ou les automates programmables (PLC), y compris les capteurs et actionneurs numériques;
—          tous les autres systèmes d'information support utilisés dans le domaine du contrôle des processus, par exemple pour les tâches de visualisation de données supplémentaires et à des fins de contrôle, de surveillance, d'archivage de données et de logs (historian logging), de génération de rapports et de documentation;
—          les technologies de communication utilisées dans le domaine du contrôle des processus, par exemple les réseaux, la télémétrie, les applications de télé-conduite et les technologies de contrôle à distance;
—          les composants des infrastructures de comptage communicants, tels que les compteurs intelligents;
—          les équipements de mesure, destinés par exemple à mesurer les valeurs d'émission;
—          les systèmes de protection et de sûreté numériques, tels que les relais de protection, les automates programmables de sûreté ou les régulateurs d'urgence;
—          les systèmes de management de l'énergie, par exemple, pour la production d'énergie décentralisée (DER, Distributed Energy Resources), les infrastructures de recharge électrique, chez les particuliers, dans les bâtiments d'habitation ou dans les installations de clients industriels;
—          les composants distribués des environnements de réseaux intelligents, par exemple dans les réseaux d'énergie, chez les particuliers, dans les bâtiments d'habitation ou dans les installations de clients industriels;
—          tous les logiciels, firmwares et applications installés sur les systèmes mentionnés ci-dessus, par exemple, des systèmes de gestion de la distribution (DMS, Distribution Management System) ou des systèmes de gestion des pannes (OMS, Outage Management System);
—          tous les locaux hébergeant les équipements et les systèmes mentionnés ci-dessus;
—          les systèmes de maintenance à distance pour les systèmes mentionnés ci-dessus.
Le présent document ne s'applique pas au domaine du contrôle de processus des installations nucléaires. Ce domaine est couvert par l'IEC 62645.
Le présent document contient également une exigence relative à l'adaptation de l'appréciation des risques et des processus de traitement décrits dans l'ISO/IEC 27001:2013 aux recommandations spécifiques à l'industrie des opérateurs de l'énergie fournies dans le présent document.

Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)

General Information

Status
Withdrawn
Publication Date
17-Mar-2020
Withdrawal Date
16-Dec-2025
ICS
03.100.70 - Management systems
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
18-Mar-2020
Due Date
31-Oct-2021
Completion Date
18-Mar-2020
Ref Project
SIST EN ISO/IEC 27019:2020 - Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

Relations

Replaced By
EN ISO/IEC 27019:2025 - Information security, cybersecurity and privacy protection - Information security controls for the energy utility industry (ISO/IEC 27019:2024)
Effective Date
11-Jun-2025
EN ISO/IEC 27019:2020EN ISO/IEC 27019:2020
PreviousNext
Standard
EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
EN ISO/IEC 27019:2020EN ISO/IEC 27019:2020
PreviousNext
Standard
EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za
energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)
Information technology - Security techniques - Information security controls for the
energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)
Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die
Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de
l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version
corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die
des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte
Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
©
ISO/IEC 2017
ISO/IEC 27019:2017(E)
© ISO/IEC 2017
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Contents Page
Foreword .vii
0 .
Introduction .viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Structure of the document. 4
4.1 General . 4
4.2 Refinement of ISO/IEC 27001:2013 requirements . 4
4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 . 4
5 Information security policies . 4
6 Organization of information security . 4
6.1 Internal organization . 4
6.1.1 Information security roles and responsibilities . 4
6.1.2 Segregation of duties . 5
6.1.3 Contact with authorities . 5
6.1.4 Contact with special interest groups . 5
6.1.5 Information security in project management . 5
6.1.6 ENR – Identification of risks related to external parties . 5
6.1.7 ENR – Addressing security when dealing with customers . 6
6.2 Mobile devices and teleworking . 6
6.2.1 Mobile device policy . 6
6.2.2 Teleworking. 7
7 Human resource security . 7
7.1 Prior to employment . 7
7.1.1 Screening . 7
7.1.2 Terms and conditions of employment . 8
7.2 During employment . 8
7.2.1 Management responsibilities . 8
7.2.2 Information security awareness, education and training . 8
7.2.3 Disciplinary process . . 8
7.3 Termination and change of employment . 8
8 Asset management . 8
8.1 Responsibility for assets . 8
8.1.1 Inventory of assets . 8
8.1.2 Ownership of assets . 9
8.1.3 Acceptable use of assets . 9
8.1.4 Return of assets . 9
8.2 Information classification . 9
8.2.1 Classification of information . 9
8.2.2 Labelling of information .10
8.2.3 Handling of assets .10
8.3 Media handling .10
9 Access control .10
9.1 Business requirements of access control .10
9.1.1 Access control policy .10
9.1.2 Access to networks and network services .10
9.2 User access management .11
9.2.1 User registration and de-registration .11
9.2.2 User access provisioning.11
9.2.3 Management of privileged access rights .11
© ISO/IEC 2017 – All rights reserved iii

ISO/IEC 27019:2017(E)
9.2.4 Management of secret authentication information of users .11
9.2.5 Review of user access rights .11
9.2.6 Removal or adjustment of access rights .11
9.3 User responsibilities .11
9.3.1 Use of secret authentication information .11
9.4 System and application access control .12
9.4.1 Information access restriction .12
9.4.2 Secure log-on procedures .12
9.4.3 Password management system .12
9.4.4 Use of privileged utility programs .12
9.4.5 Access control to program source code .12
10 Cryptography .12
10.1 Cryptography controls . .12
10.1.1 Policy on the use of cryptographic controls .12
10.1.2 Key management .12
11 Physical and environmental security .13
11.1 Secure areas .13
11.1.1 Physical security perimeter .13
11.1.2 Physical entry controls .13
11.1.3 Securing offices, rooms and facilities .13
11.1.4 Protecting against external and environmental threats .13
11.1.5 Working in secure areas .13
11.1.6 Delivery and loading areas .13
11.1.7 ENR – Securing control centres .13
11.1.8 ENR – Securing equipment rooms .14
11.1.9 ENR – Securing peripheral sites .15
11.2 Equipment .16
11.2.1 Equipment siting and protection .16
11.2.2 Supporting utilities .16
11.2.3 Cabling security .16
11.2.4 Equipment maintenance .16
11.2.5 Removal of assets .16
11.2.6 Security of equipment and assets off-premises .17
11.2.7 Secure disposal or re-use of equipment .17
11.2.8 Unattended user equipment .17
11.2.9 Clear desk and clear screen policy .17
11.3 ENR – Security in premises of external parties .17
11.3.1 ENR – Equipment sited on the premises of other energy utility organizations .17
11.3.2 ENR – Equipment sited on customer’s premises .18
11.3.3 ENR – Interconnected control and communication systems . .18
12 Operations security .18
12.1 Operational procedures and responsibilities .18
12.1.1 Documented operating procedures .18
12.1.2 Change management .19
12.1.3 Capacity management .19
12.1.4 Separation of development, testing and operational environments .19
12.2 Protection from malware .19
12.2.1 Controls against malware .19
12.3 Back-up .20
12.4 Logging and monitoring .20
12.4.1 Event logging .20
12.4.2 Protection of log information .20
12.4.3 Administrator and operator logs .20
12.4.4 Clock synchronization .20
12.5 Control of operational software .20
12.5.1 Installation of software on operational systems .20
12.6 Technical vulnerability management .21
iv © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
12.6.1 Management of technical vulnerabilities.21
12.6.2 Restrictions on software installation .21
12.7 Information systems audit considerations .21
12.8 ENR – Legacy systems .21
12.8.1 ENR – Treatment of legacy systems .21
12.9 ENR – Safety functions .22
12.9.1 ENR – Integrity and availability of safety functions .22
13 Communications security .22
13.1 Network security management .22
13.1.1 Network controls .22
13.1.2 Security of network services .22
13.1.3 Segregation in networks .22
13.1.4 ENR – Securing process control data communication .23
13.1.5 ENR – Logical connection of external process control systems .23
13.2 Information transfer .24
14 System acquisition, development and maintenance .24
14.1 Security requirements of information systems .24
14.1.1 Information security requirements analysis and specification .24
14.1.2 Securing application services on public networks .24
14.1.3 Protecting application services transactions .24
14.2 Security in development and support processes .24
14.2.1 Secure development policy .24
14.2.2 System change control procedures .24
14.2.3 Technical review of applications after operating platform changes .24
14.2.4 Restrictions on changes to software packages .24
14.2.5 Secure system engineering principles.24
14.2.6 Secure development environment .24
14.2.7 Outsourced development .24
14.2.8 System security testing .25
14.2.9 System acceptance testing .25
14.2.10 ENR – Least functionality .25
14.3 Test data .25
15 Supplier relationships .25
15.1 Information security in supplier relationships .25
15.1.1 Information security policy for supplier relationships .25
15.1.2 Addressing security within supplier agreements .25
15.1.3 Information and communication technology supply chain .25
15.2 Supplier service delivery management .26
16 Information security incident management .26
16.1 Management of information security incidents and improvements .26
16.1.1 Responsibilities and procedures .26
16.1.2 Reporting information security events .26
16.1.3 Reporting information security weaknesses .26
16.1.4 Assessment of and decision on information security events .26
16.1.5 Response to information security incidents .26
16.1.6 Learning from information security incidents .26
16.1.7 Collection of evidence . .26
17 Information security aspects of business continuity management .26
17.1 Information security continuity .26
17.2 Redundancies .26
17.2.1 Availability of information processing facilities .26
17.2.2 ENR – Emergency communication .27
18 Compliance .28
18.1 Compliance with legal and contractual requirements .28
18.1.1 Identification of applicable legislation and contractual requirements .28
© ISO/IEC 2017 – All rights reserved v

ISO/IEC 27019:2017(E)
18.1.2 Intellectual property rights .28
18.1.3 Protection of records .28
18.1.4 Privacy and protection of personally identifiable information .28
18.1.5 Regulation of cryptographic controls .28
18.2 Information security reviews .28
18.2.1 Independent review of information security .28
18.2.2 Compliance with security policies and standards .28
18.2.3 Technical compliance review .29
Annex A (normative) Energy utility industry specific reference control objectives and controls .30
Bibliography .33
vi © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition cancels and replaces the first edition of ISO/IEC TR 27019:2013, which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the scope has changed to include the energy oil sector;
— this document has been changed from a Technical Report to an International Standard;
— the previous edition was aligned with ISO/IEC 27002:2005. The new structure has been aligned
with ISO/IEC 27002:2013;
— the title has been changed.
— where appropriate the technical content has been revised and updated to reflect current
technological developments in the energy sector.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This corrected version of ISO 27019:2017 corrects "should" into "shall" in Table A.1, 11.1.7
© ISO/IEC 2017 – All rights reserved vii

ISO/IEC 27019:2017(E)
0 Introduction
0.1 Background and context
This document provides guiding principles based on ISO/IEC 27002:2013 “Code of practice for
information security controls” for information security management applied to process control
systems as used in the energy utility industry. The aim of this document is to extend the contents of
ISO/IEC 27002:2013 to the domain of process control systems and automation technology, thus allowing
the energy utility industry to implement a standardized and specific information security management
system (ISMS) that is in accordance with ISO/IEC 27001:2013 and extends from the business to the
process control level.
In addition to the security objectives and measures that are set forth in ISO/IEC 27002:2013, the
process control systems used by energy utilities and energy suppliers are subject to further special
requirements. In comparison with conventional ICT environments (e.g. office IT, energy trading
systems), there are fundamental and significant differences with respect to the development, operation,
repair, maintenance and operating environment of process control systems. Furthermore, the process
technology referred to in this document can represent integral components of critical infrastructures.
This means they are therefore essential for the secure and reliable operation of such infrastructures.
These distinctions and characteristics need to be taken into due consideration by the management
processes for process control systems and justify separate consideration within the ISO/IEC 27000
family of standards.
From the viewpoint of design and function, process control systems used by the energy utility sector
are in fact information processing systems. They collect process data and monitor the status of the
physical processes using sensors. The systems then process this data and generate control outputs that
regulate actions using actuators. The control and regulation is automatic but manual intervention by
operating personnel is also possible. Information and information processing systems are therefore
an essential part of operational processes within energy utilities. This means that it is important that
appropriate protection measures be applied in the same manner as for other organizational units.
Software and hardware (e.g. programmable logic) components based on standard ICT technology
are increasingly utilized in process control environments and are also covered in this document.
Furthermore, process control systems in the energy utility sector are increasingly interconnected to
form complex systems. Risks arising from this trend need to be considered in a risk assessment.
The information and information processing systems in process control environments are also exposed
to an increasing number of threats and vulnerabilities. It is therefore essential that, in the process
control domain of the energy utility industry, adequate information security is achieved through the
implementation and continuous improvement of an ISMS in accordance with ISO/IEC 27001:2013.
Effective information security in the process control domain of the energy utility sector can be achieved
by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable
measures set forth in this document, in order to attain the specific security and business objectives of
the organization. It is important to give particular consideration here to the special role of the energy
utilities in society and to the economic necessity of a secure and reliable energy supply. Ultimately,
the overall success of the cybersecurity of energy industries is based on collaborative efforts by all
stakeholders (vendors, suppliers, customers, etc.).
0.2 Security considerations for process control systems used by the energy utilities
The requirement for a general and overall information security framework for the process control
domain of the energy utility industry is based on several basic requirements:
a) Customers expect a secure and reliable energy supply.
b) Legal and regulatory requirements demand safe, reliable and secure operation of energy supply
systems.
viii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
c) Energy providers require information security in order to safeguard their business interests, meet
customers’ needs and comply with the legal regulations.
0.3 Information security requirements
It is essential that energy utility organizations identify their security requirements. There are three
main sources of security requirements:
a) The results of an organization’s risk assessment, taking into account the organization’s general
business strategies and objectives. Through a risk assessment, risk sources and events are
identified; potential consequences and likelihood of the occurrence of the risks are assessed.
b) The requirements which result from legislation and bye-laws, regulations and contracts which
have to be fulfilled by an organization, and sociocultural requirements. Particular examples include
safeguarding a reliable, effective and secure energy supply as well as the reliable fulfilment of the
requirements of a deregulated energy market, in particular the reliable and secure transfer of data
with external parties.
c) The specific principles, objectives and business requirements placed on information processing,
which were developed by the organization for supporting its business operations.
NOTE It is important that the energy utility organization ensure that security requirements of process
control systems are analysed a
...


SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za
energetske operaterje (ISO/IEC 27019:2017, popravljena verzija 2019-08)
Information technology - Security techniques - Information security controls for the
energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)
Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die
Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de
l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version
corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die
des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte
Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
©
ISO/IEC 2017
ISO/IEC 27019:2017(E)
© ISO/IEC 2017
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Contents Page
Foreword .vii
0 .
Introduction .viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Structure of the document. 4
4.1 General . 4
4.2 Refinement of ISO/IEC 27001:2013 requirements . 4
4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 . 4
5 Information security policies . 4
6 Organization of information security . 4
6.1 Internal organization . 4
6.1.1 Information security roles and responsibilities . 4
6.1.2 Segregation of duties . 5
6.1.3 Contact with authorities . 5
6.1.4 Contact with special interest groups . 5
6.1.5 Information security in project management . 5
6.1.6 ENR – Identification of risks related to external parties . 5
6.1.7 ENR – Addressing security when dealing with customers . 6
6.2 Mobile devices and teleworking . 6
6.2.1 Mobile device policy . 6
6.2.2 Teleworking. 7
7 Human resource security . 7
7.1 Prior to employment . 7
7.1.1 Screening . 7
7.1.2 Terms and conditions of employment . 8
7.2 During employment . 8
7.2.1 Management responsibilities . 8
7.2.2 Information security awareness, education and training . 8
7.2.3 Disciplinary process . . 8
7.3 Termination and change of employment . 8
8 Asset management . 8
8.1 Responsibility for assets . 8
8.1.1 Inventory of assets . 8
8.1.2 Ownership of assets . 9
8.1.3 Acceptable use of assets . 9
8.1.4 Return of assets . 9
8.2 Information classification . 9
8.2.1 Classification of information . 9
8.2.2 Labelling of information .10
8.2.3 Handling of assets .10
8.3 Media handling .10
9 Access control .10
9.1 Business requirements of access control .10
9.1.1 Access control policy .10
9.1.2 Access to networks and network services .10
9.2 User access management .11
9.2.1 User registration and de-registration .11
9.2.2 User access provisioning.11
9.2.3 Management of privileged access rights .11
© ISO/IEC 2017 – All rights reserved iii

ISO/IEC 27019:2017(E)
9.2.4 Management of secret authentication information of users .11
9.2.5 Review of user access rights .11
9.2.6 Removal or adjustment of access rights .11
9.3 User responsibilities .11
9.3.1 Use of secret authentication information .11
9.4 System and application access control .12
9.4.1 Information access restriction .12
9.4.2 Secure log-on procedures .12
9.4.3 Password management system .12
9.4.4 Use of privileged utility programs .12
9.4.5 Access control to program source code .12
10 Cryptography .12
10.1 Cryptography controls . .12
10.1.1 Policy on the use of cryptographic controls .12
10.1.2 Key management .12
11 Physical and environmental security .13
11.1 Secure areas .13
11.1.1 Physical security perimeter .13
11.1.2 Physical entry controls .13
11.1.3 Securing offices, rooms and facilities .13
11.1.4 Protecting against external and environmental threats .13
11.1.5 Working in secure areas .13
11.1.6 Delivery and loading areas .13
11.1.7 ENR – Securing control centres .13
11.1.8 ENR – Securing equipment rooms .14
11.1.9 ENR – Securing peripheral sites .15
11.2 Equipment .16
11.2.1 Equipment siting and protection .16
11.2.2 Supporting utilities .16
11.2.3 Cabling security .16
11.2.4 Equipment maintenance .16
11.2.5 Removal of assets .16
11.2.6 Security of equipment and assets off-premises .17
11.2.7 Secure disposal or re-use of equipment .17
11.2.8 Unattended user equipment .17
11.2.9 Clear desk and clear screen policy .17
11.3 ENR – Security in premises of external parties .17
11.3.1 ENR – Equipment sited on the premises of other energy utility organizations .17
11.3.2 ENR – Equipment sited on customer’s premises .18
11.3.3 ENR – Interconnected control and communication systems . .18
12 Operations security .18
12.1 Operational procedures and responsibilities .18
12.1.1 Documented operating procedures .18
12.1.2 Change management .19
12.1.3 Capacity management .19
12.1.4 Separation of development, testing and operational environments .19
12.2 Protection from malware .19
12.2.1 Controls against malware .19
12.3 Back-up .20
12.4 Logging and monitoring .20
12.4.1 Event logging .20
12.4.2 Protection of log information .20
12.4.3 Administrator and operator logs .20
12.4.4 Clock synchronization .20
12.5 Control of operational software .20
12.5.1 Installation of software on operational systems .20
12.6 Technical vulnerability management .21
iv © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
12.6.1 Management of technical vulnerabilities.21
12.6.2 Restrictions on software installation .21
12.7 Information systems audit considerations .21
12.8 ENR – Legacy systems .21
12.8.1 ENR – Treatment of legacy systems .21
12.9 ENR – Safety functions .22
12.9.1 ENR – Integrity and availability of safety functions .22
13 Communications security .22
13.1 Network security management .22
13.1.1 Network controls .22
13.1.2 Security of network services .22
13.1.3 Segregation in networks .22
13.1.4 ENR – Securing process control data communication .23
13.1.5 ENR – Logical connection of external process control systems .23
13.2 Information transfer .24
14 System acquisition, development and maintenance .24
14.1 Security requirements of information systems .24
14.1.1 Information security requirements analysis and specification .24
14.1.2 Securing application services on public networks .24
14.1.3 Protecting application services transactions .24
14.2 Security in development and support processes .24
14.2.1 Secure development policy .24
14.2.2 System change control procedures .24
14.2.3 Technical review of applications after operating platform changes .24
14.2.4 Restrictions on changes to software packages .24
14.2.5 Secure system engineering principles.24
14.2.6 Secure development environment .24
14.2.7 Outsourced development .24
14.2.8 System security testing .25
14.2.9 System acceptance testing .25
14.2.10 ENR – Least functionality .25
14.3 Test data .25
15 Supplier relationships .25
15.1 Information security in supplier relationships .25
15.1.1 Information security policy for supplier relationships .25
15.1.2 Addressing security within supplier agreements .25
15.1.3 Information and communication technology supply chain .25
15.2 Supplier service delivery management .26
16 Information security incident management .26
16.1 Management of information security incidents and improvements .26
16.1.1 Responsibilities and procedures .26
16.1.2 Reporting information security events .26
16.1.3 Reporting information security weaknesses .26
16.1.4 Assessment of and decision on information security events .26
16.1.5 Response to information security incidents .26
16.1.6 Learning from information security incidents .26
16.1.7 Collection of evidence . .26
17 Information security aspects of business continuity management .26
17.1 Information security continuity .26
17.2 Redundancies .26
17.2.1 Availability of information processing facilities .26
17.2.2 ENR – Emergency communication .27
18 Compliance .28
18.1 Compliance with legal and contractual requirements .28
18.1.1 Identification of applicable legislation and contractual requirements .28
© ISO/IEC 2017 – All rights reserved v

ISO/IEC 27019:2017(E)
18.1.2 Intellectual property rights .28
18.1.3 Protection of records .28
18.1.4 Privacy and protection of personally identifiable information .28
18.1.5 Regulation of cryptographic controls .28
18.2 Information security reviews .28
18.2.1 Independent review of information security .28
18.2.2 Compliance with security policies and standards .28
18.2.3 Technical compliance review .29
Annex A (normative) Energy utility industry specific reference control objectives and controls .30
Bibliography .33
vi © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition cancels and replaces the first edition of ISO/IEC TR 27019:2013, which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the scope has changed to include the energy oil sector;
— this document has been changed from a Technical Report to an International Standard;
— the previous edition was aligned with ISO/IEC 27002:2005. The new structure has been aligned
with ISO/IEC 27002:2013;
— the title has been changed.
— where appropriate the technical content has been revised and updated to reflect current
technological developments in the energy sector.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This corrected version of ISO 27019:2017 corrects "should" into "shall" in Table A.1, 11.1.7
© ISO/IEC 2017 – All rights reserved vii

ISO/IEC 27019:2017(E)
0 Introduction
0.1 Background and context
This document provides guiding principles based on ISO/IEC 27002:2013 “Code of practice for
information security controls” for information security management applied to process control
systems as used in the energy utility industry. The aim of this document is to extend the contents of
ISO/IEC 27002:2013 to the domain of process control systems and automation technology, thus allowing
the energy utility industry to implement a standardized and specific information security management
system (ISMS) that is in accordance with ISO/IEC 27001:2013 and extends from the business to the
process control level.
In addition to the security objectives and measures that are set forth in ISO/IEC 27002:2013, the
process control systems used by energy utilities and energy suppliers are subject to further special
requirements. In comparison with conventional ICT environments (e.g. office IT, energy trading
systems), there are fundamental and significant differences with respect to the development, operation,
repair, maintenance and operating environment of process control systems. Furthermore, the process
technology referred to in this document can represent integral components of critical infrastructures.
This means they are therefore essential for the secure and reliable operation of such infrastructures.
These distinctions and characteristics need to be taken into due consideration by the management
processes for process control systems and justify separate consideration within the ISO/IEC 27000
family of standards.
From the viewpoint of design and function, process control systems used by the energy utility sector
are in fact information processing systems. They collect process data and monitor the status of the
physical processes using sensors. The systems then process this data and generate control outputs that
regulate actions using actuators. The control and regulation is automatic but manual intervention by
operating personnel is also possible. Information and information processing systems are therefore
an essential part of operational processes within energy utilities. This means that it is important that
appropriate protection measures be applied in the same manner as for other organizational units.
Software and hardware (e.g. programmable logic) components based on standard ICT technology
are increasingly utilized in process control environments and are also covered in this document.
Furthermore, process control systems in the energy utility sector are increasingly interconnected to
form complex systems. Risks arising from this trend need to be considered in a risk assessment.
The information and information processing systems in process control environments are also exposed
to an increasing number of threats and vulnerabilities. It is therefore essential that, in the process
control domain of the energy utility industry, adequate information security is achieved through the
implementation and continuous improvement of an ISMS in accordance with ISO/IEC 27001:2013.
Effective information security in the process control domain of the energy utility sector can be achieved
by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable
measures set forth in this document, in order to attain the specific security and business objectives of
the organization. It is important to give particular consideration here to the special role of the energy
utilities in society and to the economic necessity of a secure and reliable energy supply. Ultimately,
the overall success of the cybersecurity of energy industries is based on collaborative efforts by all
stakeholders (vendors, suppliers, customers, etc.).
0.2 Security considerations for process control systems used by the energy utilities
The requirement for a general and overall information security framework for the process control
domain of the energy utility industry is based on several basic requirements:
a) Customers expect a secure and reliable energy supply.
b) Legal and regulatory requirements demand safe, reliable and secure operation of energy supply
systems.
viii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
c) Energy providers require information security in order to safeguard their business interests, meet
customers’ needs and comply with the legal regulations.
0.3 Information security requirements
It is essential that energy utility organizations identify their security requirements. There are three
main sources of security requirements:
a) The results of an organization’s risk assessment, taking into account the organization’s general
business strategies and objectives. Through a risk assessment, risk sources and events are
identified; potential consequences and likelihood of the occurrence of the risks are assessed.
b) The requirements which result from legislation and bye-laws, regulations and contracts which
have to be fulfilled by an organization, and sociocultural requirements. Particular examples include
safeguarding a reliable, effective and secure energy supply as well as the reliable fulfilment of the
requirements of a deregulated energy market, in particular the reliable and secure transfer of data
with external parties.
c) The specific principles, objectives and business requirements placed on information processing,
which were developed by the organization for supporting its business operations.
NOTE It is important that the energy utility organization ensure that security requirements of process
control systems are analysed and
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN ISO/IEC 27001:2023/A1:2024(Amendment)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements - Amendment 1: Climate action changes (ISO/IEC 27001:2022/Amd 1:2024)
SIST EN ISO/IEC 27001:2023/A1:2025
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27005:2024(Main)
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
SIST EN ISO/IEC 27005:2024

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

  • Standard
    79 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27001:2023(Main)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements (ISO/IEC 27001:2022)
SIST EN ISO/IEC 27001:2023

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document.

  • Standard
    27 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    27 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    26 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27007:2022(Main)
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
SIST EN ISO/IEC 27007:2022

This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27017:2021(Main)
Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC 27017:2015)
SIST EN ISO/IEC 27017:2021

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

  • Standard
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27011:2020(Main)
Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations (ISO/IEC 27011:2016)
SIST EN ISO/IEC 27011:2020

The scope of this Recommendation | ISO/IEC 27011:2016 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.
The adoption of this Recommendation | ISO/IEC 27011:2016 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

  • Standard
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27000:2020(Main)
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
SIST EN ISO/IEC 27000:2020

EN ISO/IEC 27000 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    36 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day
CEN
prEN ISO/IEC 27010(Main)
Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications (ISO/IEC 27010:2015)
oSIST prEN ISO/IEC 27010:2020
  • Draft
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18074:2025(Main)
Industrial decarbonization - Requirements and guidelines for sectoral transition plans
SIST EN 18074:2025

This document specifies the requirements and recommendations relative to the construction of a sectoral transition plan for industry decarbonization.
This document does not specify the requirements for the construction of a roadmap of single industrial company’s transition plan (a plant or a group), however, a sectoral transition plan can be used as a reference in an entity transition plan.
This document is intended to be used by organizations, including national and public bodies, trade associations, federations, companies and NGOs that wish to establish or monitor sectoral decarbonization plans.
This document is climate-programme neutral. If a climate programme is applicable, requirements of this programme are additional to the requirement of this document.
In this document, either natural or technological sequestrations occur inside the geographical and sectoral boundaries considered in the sectoral transition plan. Otherwise, they are excluded.
In this document, considering its energy consumption and its cost, the direct air capture and storage technology (DACS) is not considered relevant and is excluded from the sectoral transition plan.
Carbon offsets are excluded from this document.
NOTE   Carbon offsets are intended as be understood as “Emissions reduction or removal resulting from an action outside the geographical and sectoral boundary used to counterbalance the sector’s residual emissions”.

  • Standard
    43 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 9125:2025(Main)
Aerospace series - Quality management systems - Non-deliverable software requirements
SIST EN 9125:2025

This document specifies the requirements for the effective control of non-deliverable software. This document can be used during the design, development, test, production, release, use, maintenance, and retirement of non-deliverable software. This can include non-deliverable software procured from external suppliers and utilized in the design, production, evaluation, test, acceptance, or calibration of a deliverable product.
This document focuses solely on the unique requirements of the operational processes that pertain to non-deliverable software as identified below:
This document applies to non-deliverable software (including firmware) that affects a deliverable product or service. Following are several applications and supporting examples of non-deliverable software that is within the scope of this document:
—   design and development: modelling, simulation, virtual reality, virtual machine, computer-aided design (CAD), three-dimensional (3D) modelling and analysis tools, software compiler, and code generators;
—   manufacturing: additive manufacturing, computer numerical controlled (CNC) programs, robotics, factory automation, tools that load deliverable software, software used in special process (e.g. heat treat, shot peen, sonic wall inspection), and automated manufacturing software (i.e. pick and place);
—   verification, validation and maintenance: coordinate measuring machine (CMM) programs, hardware or software qualification, code coverage, test scripts, analysis tools, acceptance test, production acceptance, calibration (inspection, test or calibration), simulator, emulator, and software used in post-delivery service provisions.
The following types of software are not within scope of this document:
—   deliverable software (refer to EN 9115);
—   manufacturing and measuring equipment embedded software (e.g. operating system, drivers);
—   enterprise or office software (e.g. MS Office, word processing or spreadsheet applications, Teams, network software, email, employee management system).
Operational processes not covered in this document are addressed by the respective organization’s quality management system (QMS), based on the EN 9100-series (i.e. EN 9100, EN 9110, EN 9120) and/or ISO 9001 standards.

  • Standard
    14 pages
    English language
    sale 10% off
    e-Library read for
    1 day