NF EN ISO/IEC 27019

March 2020
Standard Current

Information technology - Security techniques - Information security controls for the energy utility industry

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:

- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
- digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
- communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
- Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
- measurement devices, e.g. for emission values;
- digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
- energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;
- distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
- all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
- any premises housing the above-mentioned equipment and systems;
- remote maintenance systems for above-mentioned systems.

ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.

ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry sector-specific guidance provided in this document.

Main information

Collections

National standards and national normative documents

Publication date

March 2020

Number of pages

47 p.

Reference

NF EN ISO/IEC 27019

ICS Codes

03.100.70   Management systems
27.015   Energy efficiency. Energy conservation in general
35.030   IT Security

Classification index

Z74-219

Print number

1

International kinship

European kinship

EN ISO/IEC 27019:2020

Replaced standards (1)
NF ISO/IEC 27019
November 2019
Standard Cancelled
Information technology - Security techniques - Information security controls for the energy utility industry


Table of contents
  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Structure of this document
  • 5 Information security policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity management
  • 18 Compliance
  • Annex A Energy utility industry specific reference security objectives and controls
  • Bibliography
ZOOM ON ... the Requirements department
To comply with a standard, you need to quickly understand its issues in order to determine its impact on your activity.

The Requirements department helps you quickly locate within the normative text:
- mandatory clauses to satisfy,
- non-essential but useful clauses to know, such as permissions and recommendations.

The identification of these types of clauses is based on the document "ISO/IEC Directives, Part 2 - Principles and rules for the structure and drafting of ISO and IEC documents" as well as on a constantly enriched list of verbal forms.

With Requirements, quickly access the main part of the normative text!
Need to identify, monitor and decipher standards?

COBAZ is the simple and effective solution to meet the normative needs related to your activity, in France and abroad.

Available by subscription, CObaz is THE modular solution to compose according to your needs today and tomorrow. Quickly discover CObaz!