ISO IEC 27102-2019 PDF

St ISO IEC 27102-2019

Name in English:
St ISO IEC 27102-2019

Name in Russian:
St ISO IEC 27102-2019

Description in English:

Original standard ISO IEC 27102-2019 in PDF full version. Additional info + preview on request

Description in Russian:
Original standard ISO IEC 27102-2019 in PDF, full version. Additional info + preview on request
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso26018

Choose Document Language:
€25

Full title and description

ISO/IEC 27102:2019 — Information security, cybersecurity and privacy protection — Guidelines for applying ISO/IEC 27001 and related standards in support of cyber insurance. This International Standard provides guidance for organisations and insurers on how to consider, purchase and use cyber insurance as a risk treatment option and how to leverage an organisation’s ISMS when sharing information with an insurer.

Abstract

This standard gives practical guidelines for: (a) considering cyber insurance as a risk treatment option to share cyber risk; (b) using cyber insurance to help manage the impact of a cyber incident; (c) appropriate sharing of data and information between insured organisations and insurers to support underwriting, monitoring and claims; and (d) leveraging an existing Information Security Management System (ISMS) when sharing relevant information with an insurer. It is applicable to organisations intending to purchase cyber insurance regardless of type, size or sector.

General information

  • Status: Published (International Standard).
  • Publication date: August 2019.
  • Publisher: ISO / IEC (International Organization for Standardization and International Electrotechnical Commission).
  • ICS / categories: 35.030 (IT security).
  • Edition / version: Edition 1 (2019).
  • Number of pages: 18 pages (ISO listing).

Key bibliographic and lifecycle metadata reported by the publisher.

Scope

Provides guidelines to organisations and insurers for integrating cyber insurance with information security management practices. The document addresses decision-making about purchasing cyber insurance as a risk treatment, the role of insurance in incident impact management, and the exchange of information necessary for underwriting, monitoring and claims — including how an organisation can leverage its ISMS to support those activities. The guidance is intended to be sector‑agnostic and usable by organisations of any size.

Key topics and requirements

  • Evaluating cyber insurance as a risk treatment option within an organisation’s information security risk management process.
  • Guidance on what information and evidence insurers commonly require for underwriting, monitoring and claims (and how to organise and share that information securely).
  • Using an existing ISMS (for example controls, records and evidence) to support insurer requests while protecting sensitive information and privacy.
  • Considerations for confidentiality, privacy and data minimisation when sharing information with insurers.
  • Practical recommendations for aligning contractual, evidential and operational arrangements between insured organisations and insurers to reduce ambiguity during claims and incident response.

Typical use and users

Primary users include information security managers, risk managers, CISOs, compliance officers, legal teams, internal audit, and procurement teams evaluating cyber insurance. On the insurer side, underwriting teams, claims handlers and cybersecurity assessors can use the guidance to define data requirements and assessment processes. The standard is also useful to consultants and certifying bodies involved with ISMS implementations who need to advise organisations on integrating insurance considerations with security controls.

Related standards

Closely related to the ISO/IEC 27000 family (notably ISO/IEC 27001 and ISO/IEC 27002) for ISMS requirements and security controls, and to standards addressing risk management and privacy (for example ISO/IEC 27005 and ISO/IEC 27701) where privacy-impact aspects of data sharing are relevant. The document is intended to be used in conjunction with those standards when aligning cyber insurance and ISMS practices.

Keywords

Cyber insurance, cyber‑insurance, ISMS, information security management, underwriting, claims, data sharing, privacy, risk treatment, cyber risk, ISO/IEC 27001.

FAQ

Q: What is this standard?

A: ISO/IEC 27102:2019 is an international guidance standard that explains how organisations and insurers can apply ISMS practices and related ISO/IEC standards in the context of cyber insurance (underwriting, monitoring and claims).

Q: What does it cover?

A: It covers guidelines for evaluating cyber insurance as a risk treatment, how to use insurance to help manage incident impact, and how to share and protect information between insured organisations and insurers while leveraging an organisation’s ISMS.

Q: Who typically uses it?

A: Organisations purchasing or renewing cyber insurance (risk managers, CISOs, procurement/legal), and insurance market participants (underwriters, claims teams, assessors) — plus advisors and ISMS implementers who support those processes.

Q: Is it current or superseded?

A: The standard was published in August 2019 and is currently active; the ISO lifecycle indicates the work item is expected to be reviewed (stage: to be revised) and an AWI (approved work item) for revision has been recorded. Users should verify the current lifecycle status with the publisher before relying on it for procurement or compliance decisions.

Q: Is it part of a series?

A: Yes — it is positioned alongside the ISO/IEC 27000 family of information security standards and is intended to be used in conjunction with ISO/IEC 27001 and related guidance standards when addressing cyber insurance and ISMS alignment.

Q: What are the key keywords?

A: Cyber insurance, cyber‑insurance, ISMS, underwriting, claims, data sharing, privacy, risk treatment, information security management.