ISO IEC 27019-2024 PDF

St ISO IEC 27019-2024

Name in English:
St ISO IEC 27019-2024

Name in Russian:
St ISO IEC 27019-2024

Description in English:

Original standard ISO IEC 27019-2024 in PDF full version. Additional info + preview on request

Description in Russian:
Original standard ISO IEC 27019-2024 in PDF, full version. Additional info and preview on request
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25976

Price:
€25

Full title and description

ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry. This international standard adapts and applies information security controls to systems used to produce, transmit, store and distribute electric power, gas, oil and heat, and to the associated supporting processes and communications used in the energy utility sector.

Abstract

This second-edition standard provides sector‑specific guidance and control selections based on ISO/IEC 27002:2022 for the energy utility industry. It covers central and distributed process control and automation technologies, digital controllers and field devices (for example PLCs and sensors/actuators), supporting information systems (DMS, OMS, historian/logging, reporting), communication and telemetry networks, advanced metering infrastructure (AMI) and smart‑grid components, energy management systems (including distributed energy resources and EV charging infrastructures), remote maintenance systems and premises that house these systems. The standard explicitly excludes the process control domain of nuclear facilities (see IEC 63096).

General information

  • Status: Published
  • Publication date: October 2024 (Edition 2, 2024)
  • Publisher: ISO and IEC (developed under ISO/IEC JTC 1/SC 27)
  • ICS / categories: 35.030 (IT security)
  • Edition / version: Edition 2 (2024)
  • Number of pages: 39

Scope

The document specifies information security controls tailored to the energy utility industry to manage and protect process control and supporting IT/OT systems across generation, transmission, storage and distribution of electricity, gas, oil and heat. It applies to devices, control systems, communications, software/firmware, metering and measurement equipment, energy management systems and remote maintenance. It does not apply to nuclear process control domains, which are covered by IEC 63096.

Key topics and requirements

  • Mapping and adaptation of ISO/IEC 27002:2022 controls for energy‑sector process control and operational technology (OT).
  • Controls for central and distributed process control systems, PLCs, controllers, sensors and actuators.
  • Security for communication networks, telemetry, telecontrol and remote‑control technologies used in grid and utility operations.
  • Protection requirements for AMI components (smart meters) and distributed smart‑grid elements, including EV charging infrastructure and DER management.
  • Controls addressing software/firmware security, protection of logging and historian data, and secure remote maintenance.
  • Guidance to adapt risk assessment and treatment processes in line with ISO/IEC 27001 to the specific threats and operational constraints of energy utilities.
  • Explicit exclusions and cross‑references (for example, nuclear process control is excluded — see IEC 63096).

Typical use and users

Primary users are energy utility organisations (generation, transmission, distribution), OT and ICS engineering teams, cybersecurity and information security managers in utilities, compliance and audit teams, vendors and integrators of SCADA/DMS/OMS and smart‑grid equipment, consultants delivering sector‑specific security assessments, and regulators seeking a harmonised baseline for utility cybersecurity.

Related standards

Closely related standards include ISO/IEC 27002:2022 (controls guidance) and ISO/IEC 27001 (ISMS requirements). For industrial automation and control system cybersecurity consider IEC 62443; nuclear process control is covered by IEC 63096. Regional or sectoral regulations and frameworks such as NERC CIP (where applicable) and utility‑specific profiles may be used alongside ISO/IEC 27019 for compliance and implementation planning.

Keywords

energy utility, information security, cybersecurity, privacy protection, OT security, ICS, SCADA, PLC, AMI, smart grid, ISO/IEC 27002, process control, remote maintenance, energy management systems

FAQ

Q: What is this standard?

A: ISO/IEC 27019:2024 is an international standard providing information security controls and sector‑specific guidance for the energy utility industry (power, gas, oil, heat) to protect process control and supporting systems.

Q: What does it cover?

A: It covers security controls for process control systems and related IT/OT used in production, transmission, storage and distribution of energy, including controllers, field devices, communications, AMI, energy management systems, remote maintenance and supporting software and premises.

Q: Who typically uses it?

A: Energy utilities, OT/ICS engineers, cybersecurity teams in utilities, vendors of control systems and smart‑grid components, auditors, regulators and consultants implementing or assessing utility cybersecurity programs.

Q: Is it current or superseded?

A: Current — ISO/IEC 27019:2024 (Edition 2) was published in October 2024 and replaces ISO/IEC 27019:2017 (the 2017 edition has been withdrawn and superseded by the 2024 edition).

Q: Is it part of a series?

A: Yes. It is part of the ISO/IEC 27000 family (information security management standards) and is explicitly aligned with ISO/IEC 27002:2022 and ISO/IEC 27001 for ISMS risk treatment.

Q: What are the key keywords?

A: Energy utility, OT security, ICS, SCADA, PLC, AMI, smart grid, information security controls, ISO/IEC 27002, process control security.