Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities

  • sujosutech
  • 12 hours ago
  • 4 min read

Organizational Controls 

The second edition of the information security standard ISO/IEC 27019:2024 was published in October 2024. It enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature. 


In this article series, we will analyze the implementation aspects of the new controls of ISO/IEC 27019:2024. This first article explores the two organizational controls.


Control 5.38: ENR – Identification of risks related to external business partners 

This control aims to identify and control the risks to an organization that can result from its relationships with external business partners. Implementation of this control would help the organization prevent security issues by identifying risks early and implementing measures to maintain the confidentiality, integrity and availability of its information systems. 


External business partners of an energy utility can include system operators at the production, generation, transmission and distribution levels. Examples of business partners are System Integrators, EPC (Engineering, Procurement, and Construction) Firms, Panel Builders, Renewable Energy Developers, Energy Storage Companies etc. Such partners usually have access to critical assets or confidential information of the energy utility. The resulting risks should be assessed and the contractual agreements should specify the measures to be implemented by the business partners that can help mitigate those risks. 


The contents and implementation of the following security policies and procedures may be impacted by this control: 

  • Risk Management Policy – An organization should consider the potential impact of identified threats during the assessment of security risks related to external business partners, and preparation of risk treatment plans. 

  • Access Control Policy – The nature of relationships with external business partners can influence access control decisions. For example, if a risk is known to impact critical systems or data, access to those resources may be restricted. 

  • Supplier Security Policy – The results of risk assessment should be considered while selecting and managing suppliers and business partners. Processes should be defined for sharing information about threats with suppliers and partners. 

  • Data Protection Policy – This policy ensures that data is gathered, stored and handled fairly, transparently and with respect towards individual rights. In cases where business partners have access to sensitive data, appropriate protection mechanisms should be implemented. 

  • Incident Response Procedure – An organization should plan and implement the detection and containment of, and recovery from, incidents that may occur at the site of its business partners with the potential to impact its critical assets or confidential information. 


Control 5.39: ENR – Addressing security when dealing with customers 

This control aims to protect the assets of an energy utility from unauthorized access by its customers. Implementation of this control would help the organization prevent security breaches by identifying potential unauthorized access early, and hence protect the confidentiality, integrity and availability of its information systems. 


Energy utilities usually have complex relationships between asset owners, system operators, service providers and customers. A customer can either be internal or external. Internal customers are individuals or departments within the energy utility that rely on other parts of the utility for goods or services. For example, the transmission department relies on the generation department for supply of energy; hence, the transmission department is an internal customer of the generation department of an energy utility. External customers belong to one of the following categories: 

  • Residential, encompassing households and individuals using energy for their homes; 

  • Commercial, which includes businesses like retail stores, offices, restaurants and other non-industrial establishments; and 

  • Industrial, which includes manufacturing plants, factories and other large-scale energy users. 


Customers may be connected to the energy supply infrastructure and to the related process control systems and communication infrastructure. Besides, equipment of an energy utility may reside on a customer's site. Examples of such equipment are solar panels, wind turbines, combined heat and power systems, fuel cells, batteries for storing electricity, smart meters etc. 


Before granting customers access to critical information or assets, the organization should assess the risks that may arise owing to such complex relationships and implement appropriate security measures. 


The contents and implementation of the following security policies and procedures may be impacted by this control: 

  • Risk Management Policy – An organization should consider the potential impact of identified threats during the assessment of security risks related to internal and external customers, and preparation of risk treatment plans. 

  • Access Control Policy – The nature of relationships with customers can influence access control decisions. 

  • Acceptable Use Policy – If equipment of the energy utility is sited on the premises of customers, the acceptable use of such equipment needs to be specified. For example, solar and wind IPPs (independent power producers) should define the correct usage of solar panels and wind turbines for their commercial and industrial (C&I) customers. 

  • Data Leakage Prevention Procedure – An organization should define the steps to prevent leakage of sensitive data that may occur owing to access of sensitive assets by its customers. 


How Sujosu Technology Can Help 

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include: 

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure. 

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks. 

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals. 

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively. 


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislations. Besides, we organize webinars and publish insightful articles to create awareness on various aspects of cyber security and data privacy. 


Partner with Sujosu Technology 

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders. 
