What is this standard about?
It defines how to apply BS ISO/IEC 27001:2013 in a sector (field, application area or market area) that has common security requirements, but where those requirements are unique to that sector. It explains how to include sector-specific requirements additional to those found in BS ISO/IEC 27001, how to refine BS ISO/IEC 27001 requirements, and how to include controls or control sets additional to those found in BS ISO/IEC 27002.
Who is this standard for?
It is intended for use by standards writers developing sector-specific information security management system (ISMS) standards. It may also interest organizations that want to certify an ISMS with sector-specific requirements, particularly where those requirements are complex or involve multiple sectors or fields of application.
Why should you use this standard?
BS ISO/IEC 27009:2016 ensures that additional or refined sector-specific requirements are not in conflict with the requirements of BS ISO/IEC 27001. It mandates a standard structure and contents template for sector-specific ISMS standards. It provides guidance for developers of sector-specific ISMS standards. If its requirements are met, it will be possible for certification bodies using BS ISO/IEC 27006:2015 to certify ISMSs built using the sector-specific standards against BS ISO/IEC 27001.