Cybersecurity standards from ISO 27001 to IEC 62443

Overview of cybersecurity standards: ISO 27001, IEC 62443, EN 18031 and more. Learn which standards are relevant for your organization.

Difference between norms and standards

The term “Standard” refers to technical specifications developed by recognized organizations whose application is generally voluntary. Standards often describe specific methods, procedures, or characteristics for products and services.

By contrast, “norms” are more formal and are published by official standardization bodies. Norms often gain broad acceptance and are increasingly considered within regulatory frameworks (see e.g. the New Legislative Framework in the EU). While standards frequently cover industry-specific requirements, norms tend to be broader and carry greater weight in legislation.

Role of norms in corporate governance

Norms are an essential part of governance, risk, and compliance management (GRC). They help organizations comply with legal requirements, identify and manage potential risks, and generally establish transparent and efficient corporate structures.

Standards such as ISO 31000 (risk management) or ISO/IEC 27001 (information security management) provide proven frameworks that support organizations in systematically handling operational risks.

Standardization organizations

At the international level, the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the International Telecommunication Union (ITU) play leading roles in developing globally applicable norms.

In Europe, the European Committee for Standardization (CEN) together with the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI) carry out key tasks in European standardization work.

In Germany, the German Institute for Standardization (DIN) and the German Commission for Electrical, Electronic & Information Technologies in DIN and VDE (DKE) are particularly important in creating and maintaining national norms.

Harmonization of norms in the EU

The harmonization of norms within the European Union takes place through the publication of so-called harmonized standards in the Official Journal of the European Union (OJEU) (https://eur-lex.europa.eu/oj/direct-access.html?locale=de). These standards help companies develop products and services that are recognized across all EU member states and comply with applicable regulations.

Publication of a standard in the OJEU signals that it is recognized by the EU institutions. Products that conform to these standards are therefore presumed to comply with the relevant EU rules (presumption of conformity).

Especially in the European context, the question often arises which standards actually have regulatory relevance and which serve more as best practice. If you want to clarify this classification for your products or organization, a short orientation discussion can be helpful.

Selecting relevant norms in the field of cybersecurity

In cybersecurity, standards such as ISO/IEC 27001 are of great importance. This standard provides a framework for information security management and helps organizations protect themselves against security threats.

Important, industry-independent standards for operators include:

  • ISO/IEC 27001: “Information security, cyber security and privacy protection — Information security management systems — Requirements”
    This standard defines requirements for an information security management system (ISMS). It offers a systematic approach to managing sensitive corporate information and is applicable across industries.
  • ISO/IEC 27701: “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”
    As an extension to ISO 27001, this standard focuses on privacy. It provides guidance for implementing, maintaining, and continuously improving a privacy information management system (PIMS).
  • ISO 22301: “Security and resilience — Business continuity management systems — Requirements”
    This standard specifies requirements for a business continuity management system (BCMS). It helps organizations prepare for, respond to, and recover from disruptive incidents.

Important standards for product manufacturers include:

  • ISO/IEC 15408: “Information technology, security techniques and privacy protection — Evaluation criteria for IT security”
    This family of standards, also known as the Common Criteria, provides a framework for the specification, implementation, and evaluation of security functions in IT products. It is often used for certifying security products.
  • ISO/IEC 30111: “Information technology — IT security techniques — Vulnerability handling processes”
    This standard gives guidance to organizations on handling vulnerabilities in their products and services. It describes processes for internal management of security flaws.
  • ISO/IEC 29147: “Information technology — Security techniques — Vulnerability disclosure”
    This standard contains guidelines for disclosing vulnerabilities. It helps organizations establish effective processes for receiving and processing vulnerability reports.
  • EN 18031: “Common security requirements for radio equipment”
    This standard addresses information security and the protection of personal data for internet-connected radio equipment.

There are also additional industry-specific standards.

Industry in general

  • IEC 62443: “IT security for industrial automation systems”
    This series of standards deals with IT security for industrial automation and control systems (IACS). It provides guidance for manufacturers, integrators, and operators of industrial plants.

Automotive and agricultural machinery

  • ISO/SAE 21434: “Road vehicles — Cybersecurity engineering”
    This standard focuses on cybersecurity in the automotive industry. It defines requirements for cybersecurity risk management in vehicle development and across the entire product lifecycle.
  • ISO 24089: “Road vehicles — Development and operation of software updates”
    This standard covers processes and requirements for software updates in vehicles. It is particularly relevant given the increasing digitization and connectivity of vehicles.
  • ISO 24882: “Agricultural and forestry machinery and tractors — Cybersecurity engineering”
    This standard, which is still under development, aims to specify cybersecurity requirements for agricultural machinery to minimize security risks across the entire lifecycle.

Rail industry

  • CLC/TS 50701: “Rail applications — Cybersecurity”
    This technical specification addresses cybersecurity in the rail sector. It provides guidance for implementing cybersecurity measures in rail systems.
  • IEC 63452: “Rail applications — Cybersecurity”
    This standard under development describes a unified method for managing cybersecurity in rail systems by adapting the requirements of IEC 62443 to the specific applications and operational environments of railways and integrating them with the RAMS (reliability, availability, maintainability and safety) lifecycles of the IEC 62278 series.

Mechanical engineering

  • EN 50742: “Protection against tampering”
    This standard under development describes how machines can be secured against intentional and unintentional tampering in accordance with the Machinery Regulation.

Medical technology

  • IEC 80001-5-1: “Application of risk management for IT-networks incorporating medical devices — Safety, effectiveness and data and system security when implementing and using connected medical devices or connected health software — Part 5-1: Product lifecycle activities”
    This standard provides guidance for the cybersecurity of networked medical devices. It supports healthcare organizations in risk assessment and mitigation.
  • IEC TR 60601-4-5: “Medical electrical equipment — Part 4-5: Guidance and justification — Security-related technical requirements for security”
    This technical report deals with cybersecurity of medical electrical equipment and systems and offers manufacturers guidance on considering cybersecurity aspects.

Lifts, escalators and moving walks

  • ISO 8102-20: “Electrical requirements for lifts, escalators and moving walks — Part 20: Cybersecurity”
    This standard addresses cybersecurity requirements specifically for lifts, escalators, and moving walks. It defines measures to protect against cyber threats throughout the lifecycle — from development through operation to decommissioning. The standard is oriented toward existing principles from IEC 62443 but adapts them to the specifics of vertical transportation technology.

Internet of Things

  • ETSI EN 303 645: “CYBER — Cybersecurity for consumer Internet of Things: Baseline requirements”
    This European standard defines cybersecurity requirements for consumer IoT devices. It aims to ensure a baseline level of security for these devices.

Norms and standards in cybersecurity not only serve technical quality assurance but are also key pillars of effective corporate governance. They help meet regulatory requirements, reduce risks, and strengthen trust in digital products and services. International cooperation in standard-setting and harmonization at the EU level ensure that companies can compete in a globalized market without losing sight of security.

Norms and standards are central tools for managing cybersecurity risks — provided they are used purposefully and in context. If you want to determine which standards make sense for your organization and how they align with regulatory requirements, this can be clarified in a non-binding consultation.