ISO/IEC 27003:2010 Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27003 provides implementation guidance to help those implementing the ISO27k standards, the management system aspects in particular.
Purpose of the standard
ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of an ISMS implementation project. It describes the process of ISMS specification and design from inception to the production of implementation project plans, covering the preparation and planning activities prior to the actual implementation, and taking in key elements such as:
Management approval and final authorization to proceed with the implementation project;
Scoping and defining the boundaries in terms of ICT and physical locations;
Assessing information security risks and planning appropriate risk treatments, where necessary defining information security control requirements;
Designing the ISMS;
Planning the implementation project.
The standard references and builds upon other ISO27k standards, particularly the normative standards ISO/IEC 27000 and ISO/IEC 27001.
Structure and content of the standard
Here is the present structure:
2. Normative references
3. Terms and definitions
4. Structure of this international standard
5. Obtaining management approval for initiating an ISMS project
6 Defining ISMS scope, boundaries and ISMS policy
7 Conducting information security requirements analysis
8 Conducting risk assessment and planning risk treatment
9 Design the ISMS
An ISMS implementation checklist; Roles and responsibilities for information security; Information about internal auditing; Information security policy structure; and Monitoring and measuring the ISMS.
Status of the standard
The standard was published in 2010.
A project to revise the standard is under way, with publication due in 2016. The cunning plan is to update and re-align this standard with the revised 2013 version of ISO/IEC 27001, along with 27004 and 27005, and to a much lesser extent 27002. In other words, the revised version of this standard will offer advice on designing and implementing the management system part of the ISMS as opposed to the information security controls.
A proposal to merge 27003, 4 and 5 was rejected by SC 27.
A new title has been agreed: “Information technology — Security techniques — Information security management system — Guidance” along with a new scope “This International Standard provides guidance concerning requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) as specified in ISO/IEC 27001:2013.” The new version will again concern itself with the management system rather than the information security controls being managed. Depending on how the project turns out, it may extend the present standard from a project-based ISMS implementation guide to a whole-of-life ISMS design-development-operations guide ... or it may end up being a guideline that explains the meaning and intent of ISO/IEC 27001.
Apparently SC 27 wants the standard to explain what needs to be done to implement ISO27k without specifying how to do it - an interesting challenge for an implementation guide!
The idea of using ISO/IEC 27003 to explain and expand on the rather curt and stilted formal language of ISO/IEC 27001 has some merit. The 2013 version of ISO/IEC 27001 was severely constrained by the boilerplate text and pressure from ISO/IEC JTC1 to achieve commonality between all the management systems standards. That leaves room for some explanation and justification of the ISO27k approach to treating information security risks.
I’m also intrigued at the idea that 27003 might extend beyond the ISMS implementation project to offer advice on the operation, management, monitoring and improvement of the ISMS in the years that follow. We’ll see how it turns out.
I hope that, at the end of the day, it dovetails nicely with the other ISO27k standards, and proves itself invaluable for users of the standards. Otherwise all this work will be in vain, again.