ISO/IEC 27019 – IT Security for Energy Utilities

ISO/IEC 27019 has just been released.  The new standard is titled Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry.  It is the revision and upgrade of the ISO/IEC TR 27019, which is now obsolete.

If you worry about the security of our energy sector (and I do), you’ll be glad that this standard has reached this landmark “standard” status.  The previous edition was a Technical Report, which doesn’t carry the same weight as a standard.  Also of note is the expansion of the scope of the document to include the energy oil sector.

The standard itself provides guidance based on ISO/IEC 27002, Code of practice for information security controls.  This new 2017 Edition of ISO/IEC 27019 references the 2013 Edition of the Code.  You’ll use it for information security management for process control systems in this sector.  Much of the information-processing requirement of the energy utility industry centers on process control functions, so you can see that security for this data is essential.

The standard is organized in the usual fashion, with the scope, references, and definition clauses to start.  Next you’ll find a section on the structure of the standard.  The following clauses cover information security policies, the organization of information security, and human resource security.  The standard then covers asset management, access control, and cryptography.  Of course, physical and environmental security are important and are included in Clause 11.  Clauses 12 and 13 address operational and communications security.  Next, system acquisition, development, and maintenance requirements are covered.  Clause 15 is on supplier relationships and 14 covers incident management.  The final 2 clauses are on information security aspects of business continuity management and compliance.

The 44-page standard has a required Annex A on energy utility industry specific reference control objectives and controls.  A 10-item bibliography is provided at the end of the document.

