ISO/IEC 27003:2010 Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27003 provides implementation guidance to help those implementing the ISO27k standards.
Purpose of the standard
ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of an ISMS [implementation] project. It describes the process of ISMS specification and design from inception to the production of implementation project plans, covering the preparation and planning activities prior to the actual implementation, and taking in key elements such as:
Management approval and final authorization to proceed with the implementation project;
Scoping and defining the boundaries in terms of ICT and physical locations;
Assessing information security risks and planning appropriate risk treatments, where necessary defining information security control requirements;
Designing the ISMS;
Planning the implementation project.
The standard references and builds upon other ISO27k standards, particularly the normative standards ISO/IEC 27000 and ISO/IEC 27001.
Structure and content of the standard
Here is the structure, down to the second level headings:
2 Normative references
3 Terms and definitions
4 Structure of this international standard
4.1 General structure of clauses
4.2 General structure of a clause
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of management approval for initiating the ISMS project
5.2 Clarify the organization’s priorities to develop an ISMS
5.3 Define the preliminary ISMS scope
5.4 Create the business case and the project plan for management approval
6 Defining ISMS scope, boundaries and ISMS policy
6.1 Overview on defining ISMS scope, boundaries and ISMS policy
6.2 Define organizational scope and boundaries
6.3 Define information communication technology (ICT) scope and boundaries
6.4 Define physical scope and boundaries
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries
6.6 Develop the ISMS policy and obtain approval from management
7 Conducting information security requirements analysis
7.1 Overview of conducting information security requirements analysis
7.2 Define information security requirements for the ISMS process
7.3 Identify assets within the ISMS scope
7.4 Conduct an information security assessment
8 Conducting risk assessment and planning risk treatment
8.1 Overview of conducting a risk assessment and risk treatment planning
8.2 Conduct risk assessment
8.3 Select the control objectives and controls
8.4 Obtain management authorization for implementing and operating an ISMS
9 Design the ISMS
9.1 Overview of designing an ISMS
9.2 Design organizational information security
9.3 Design ICT and physical information security
9.4 Design ISMS specific information security
9.5 Produce the final ISMS project plan
An ISMS implementation checklist
Roles and responsibilities for information security
Information about internal auditing
Information security policy structure
Monitoring and measuring the ISMS
Status of the standard
The standard was published in 2010 and is available for CHF 172 from the ISO/IEC webstore.
A project to revise the standard is under way, with milestone dates being April 2015 for the first Committee Draft and publication a year later. The cunning plan is to update and re-align this standard with the revised version of ISO/IEC 27001 (and to an extent 27002 although the focus of the standard is on projects to implement the management system, rather than the controls).
Apparently SC 27 wants the standard to explain what needs to be done to implement ISO27k without specifying how to do it - an interesting challenge for an implementation guide!
A new title has been proposed: “Information technology — Security techniques — Information security management system — Guidance” along with a new scope: “This International Standard provides guidance concerning requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) as specified in ISO/IEC 27001:2013.”
A new requirements-based structure has been provisionally agreed. As with the current version, it will offer advice on the management system rather than the information security controls.
One comment on the proposed revision noted that the current version of 27003 needs to be substantially revised to be of any real value. Another noted that the purpose and scope of the standard, relative to other ISO27k standards, needs to be clarified before progressing the update. Both comments strike a chord with me. However, the editors have given a clear direction that the first working draft will be a ‘light revision’ ...
The proposed new title drops the word “implementation”, leaving just the nonspecific “guidance”, while the proposed scope talks about ‘guidance concerning requirements’, a curious turn of phrase.