ISO IEC TS 27008-2019 PDF

St ISO IEC TS 27008-2019

Name in English:
St ISO IEC TS 27008-2019

Name in Russian:
St ISO IEC TS 27008-2019

Description in English:

Original ISO IEC TS 27008-2019 standard, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original ISO IEC TS 27008-2019 standard, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso27777

Choose Document Language:
€25

Full title and description

ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls. This Technical Specification provides guidance for reviewing and assessing the implementation and operation of information security controls, including technical assessment of information system controls, in support of an organisation's information security requirements and an ISMS based on ISO/IEC 27001.

Abstract

This Technical Specification offers auditors, assessors and technical reviewers guidance on planning and performing reviews of information security controls, evaluating their appropriateness, effectiveness and efficiency, and carrying out technical compliance checks against organisation-established assessment criteria. It is intended to complement ISMS auditing and technical assessment activities associated with ISO/IEC 27001.

General information

  • Status: Published
  • Publication date: January 2019
  • Publisher: ISO/IEC (joint publication)
  • ICS / categories: 35.030 (Information technology — Security techniques)
  • Edition / version: Edition 1 (TS)
  • Number of pages: 91

Details from the ISO standard record.

Scope

Provides guidance for the review and assessment of information security controls implemented within organisations of any type and size. The scope includes both management and technical aspects of controls, practical guidance for evidence collection and assessment criteria, and guidance aimed at supporting ISMS auditing activities aligned with ISO/IEC 27001. It is not a certification document but a guidance/specification to help auditors and technical reviewers assess controls effectively.

Key topics and requirements

  • Guidance on planning and scoping information security control assessments.
  • Techniques for reviewing and testing technical information system controls.
  • Approaches for gathering and evaluating audit evidence and for sampling.
  • Criteria for assessing control effectiveness, suitability and efficiency in relation to organisational requirements.
  • How to align control assessment activities with an ISMS and with ISO/IEC 27001 requirements.
  • Considerations for reporting findings and making improvement recommendations to management.

Key topics summarised from the Technical Specification guidance.

Typical use and users

Intended users include internal auditors, external auditors, technical assessors, information security managers, compliance teams, and consultants performing reviews or technical compliance checks of security controls. Organisations use it to strengthen audit programmes, to support ISO/IEC 27001 surveillance and certification activities, and to conduct focused technical reviews of control implementation.

Related standards

Part of the ISO/IEC 27000 family; commonly used alongside ISO/IEC 27001 (ISMS requirements) and ISO/IEC 27002 (code of practice for information security controls). It is also relevant to other series documents addressing audit guidance, measurement and certification within the 27000 family.

Keywords

Information security, control assessment, audit guidance, ISMS, ISO/IEC 27001, technical assessment, evidence collection, sampling, security controls.

FAQ

Q: What is this standard?

A: ISO/IEC TS 27008:2019 is a Technical Specification that gives practical guidance for the assessment and review of information security controls and for performing technical compliance checks in the context of an organisation's information security requirements and ISMS activities.

Q: What does it cover?

A: It covers planning and scoping assessments, techniques for reviewing and testing technical controls, evidence collection and sampling, assessment criteria for effectiveness and suitability, and reporting of findings to support continual improvement and ISMS audit programmes.

Q: Who typically uses it?

A: Internal and external auditors, technical assessors, information security teams, compliance officers and consultants who perform control reviews or need authoritative guidance on assessing the implementation and operation of information security controls.

Q: Is it current or superseded?

A: The document was published as ISO/IEC TS 27008 in January 2019 (Edition 1). Users should check the ISO catalogue or their national standards body for any subsequent revisions or replacement documents before relying on it for the most recent guidance.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of information security standards and is typically used alongside ISO/IEC 27001 and ISO/IEC 27002 as complementary guidance for ISMS auditing and control implementation.

Q: What are the key keywords?

A: Information security, audit guidance, controls assessment, ISMS, compliance, technical review, evidence, sampling.