ISO/IEC 27009:2016 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
This standard is intended to guide those who would develop ‘sector-specific’ standards based on or relating to ISO/IEC 27001, where ‘sector’ is shorthand for “field, application area or market sector” ... and so the muddle begins.
Scope and purpose
Quoting from the FDIS scope:
”This International Standard defines the requirements for the use of ISO/IEC 27001 in any specific sector (field, application area or market sector). It explains how to include requirements additional to those in ISO/IEC 27001, how to refine any of the ISO/IEC 27001 requirements, and how to include controls or control sets in addition to ISO/IEC 27001 Annex A. This International Standard ensures that additional or refined requirements are not in conflict with the requirements in ISO/IEC 27001. The target audience of this International Standard are entities producing sector-specific standards that relate to ISO/IEC 27001.”
The introduction further states, in part:
“Sector-specific standards should be consistent with the requirements of the information security management system. This International Standard provides entities producing sector-specific standards with requirements on how to add to, refine or interpret the requirements of ISO/IEC 27001 and how to add or modify the guidelines of ISO/IEC 27002 for the sector-specific use.”
There are two main sections:
- Refined or additional management system requirements (adapting ISO/IEC 27001);
- Additional security controls going beyond ISO/IEC 27001 Annex A (extending ISO/IEC 27002).
Plus an annex giving a template for sector-specific standards, and another stating “how management system standards are built in accordance with the ISO/IEC Directives” (isn’t that what the ISO/IEC Directives are for?).
Status of the standard
The standard was published in June 2016.
A study period is in progress to develop “use cases” for the standard. Common sense has prevailed: the ‘use cases’ may be an internal committee document, guiding editorial teams on how to apply this standard.
A defect report has already been submitted on this shiny new standard while the ink is still wet. It turns out that the standard was unhelpful during the development of an energy sector-specific variant of ISO/IEC 27002, mostly because it refers to variants of 27001.
Why on Earth did SC 27 think it worthwhile developing and publishing an International Standard about developing standards? Surely that is an internal matter, in other words a ‘Standing Document’ for the committee if anything. Why publish it formally?
I am astounded that 96% of national standards bodies voted to publish this standard (albeit with 10 pages of comments on the FDIS version). I look forward to being proven unduly cynical in due course, when this standard becomes a commercial success, a smash hit for ISO/IEC. I have started marinating my hat ...
Who is expected to buy and use it? Presumably those mysterious “entities producing sector-specific standards”. Oh, that would be the committee then. If other bodies wish to create their own versions of any of the ISO27k standards, there’s nothing to stop them except copyright. I rather doubt any of them need to be told how to do it.
One national body has urged SC 27 to start applying/conforming with this standard now (even though it is still a draft) when developing industry-specific variants of ISO/IEC 27001 and/or 27002, otherwise “Why did SC 27 management approve a project to develop the Normative IS 27009 if they do not enforce its application?” (Good question!).
This standard is a shining example of the nonsense that happens when committees tie themselves up in red tape. I honestly can’t think of anyone that will benefit from the publication of this standard, even given its sage advice such as “Each control shall only contain one instance of the word “should””. It is white elephant, a waste of perfectly good ink, an inappropriate, unnecessary, unhelpful and costly diversion of SC 27’s finite resources. I’m sure Jim Hacker (the minister from BBC TV’s documentary series ‘Yes, Minister’) would be proud of it. It’s on a par with the worst excesses of the EU bureaucrats allegedly trying to set standards for the curviness of bananas.
Can anyone demonstrate a convincing business case for the development of this standard? Is there any evidence whatsoever of actual market demand, of an audience screaming out for advice in this area? Will the standards bodies sell so much as a single copy?
[Cue classic footage of tumbleweed blowing gently across the open desert ...]
There is a further, deeper concern about the very concept of sector-specific variants of 27001/27002. As with BS 7799 before them, the ISO27k standards have always been deliberately generic and broadly applicable to all sort and sizes of organization. Each organization is required to identify, assess and treat its particular information risks, using a structured and systematic management system of the same general form. The implementation guidance and accredited certification processes are well established and work just fine. Surely that is good enough?
Question: how many pages does it take to say “Skim over everything relevant that is adequately covered by other standards, focusing solely on anything specific or unique to your industry”?
Answer: approximately 10.
The entire standard could be replaced by the formulaic diagram, or a simple sentence, stating that a sector-specific standard is generated by adding, refining or interpreting the requirements in ISO/IEC 27001 and/or ISO/IEC 27002. Golly.
IMNSHO this standard should have been put out of its misery. The only thing going for it is that it is unlikely ever to be read or used once issued, except perhaps by the members of SC 27 and possibly other ISO committees. The editor’s response to the proposed abandonment of this standard evidently lacking an actual business case was: “A lot of explanation has been added, which hopefully addresses this issue.” Whether the added explanation magically expounds on a viable business case, or merely compounds the muddle of red tape, remains to be seen.
Cynical as ever, I remain convinced that this is yet another example of a governance failure within SC 27. It’s not the first standards project to have been initiated without proper consideration, scoping or justification, and once in motion they are extremely hard to stop.
April 2017 update: the fun continues. 3 different proposals have been made to revise the standard, change the scope and clarify its purpose to prevent it being misinterpreted and misused ... by the proposers and their esteemed colleagues. A fourth national body has chimed in with a proposal to withdraw this IS and revert to an SD that the committee can patch up without the expensive formalities of updating an IS. If only I had thought of that ;-)
OK, that’s more than enough of my plaintive bleating. I refuse to tax another synapse with this pointless nonsense. More valuable things to do with my time - turds to polish, motorbike ashtrays to clean, that sort of thing.