CSA ISO/IEC 27102:20
Information security management — Guidelines for cyber-insurance (Adopted ISO/IEC 27102:2019, first edition, 2019-08)
Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).
At the time of publication, ISO/IEC 27102:2019 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.
This Standard has been formally approved, without modification, by the Technical Committee and has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.
This document provides guidelines for organizations considering the purchase of cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization’s information security risk management framework.
This document gives guidelines for:
a) considering the purchase of cyber-insurance as a risk treatment option to share cyber-risks;
b) leveraging cyber-insurance to assist in managing the impact of a cyber-incident;
c) sharing of data and information between the insured and an insurer to support underwriting, monitoring and claims activities associated with a cyber-insurance policy;
d) leveraging an information security management system when sharing relevant data and information with an insurer.
This document is applicable to organizations of all types, sizes and nature to assist in the planning and purchase of cyber-insurance by the organization.