ISO/IEC 27010

ISO/IEC 27010 - Information technology -- Security techniques -- Information security management guidelines for sector-to-sector interworking and communications for industry and government (early draft - number and title uncertain)


A new work item/project was launched by SC27 at its Kyoto meeting in April 2008 to develop a multi-part standard providing guidance in relation to information security risks, controls, issues and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure”.

Scope

This International Standard will provide guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.

Purpose and justification

This standard will provide guidance on methods, models, processes, policies, controls, protocols and other mechanisms by which industries in the same sector, industries in different sectors, and governments can securely exchange information, on the understanding that mutually recognized principles are respected.

Analysis of emerging and future risks clearly indicates the need to protect interworking and communications between industry sectors, and between industry and government. In particular, such protection is required to maintain operational conditions in business environments within and across industry sectors, to support economic growth and national and global sustainability, and to protect critical infrastructure in times of crisis.

Following this standard would ensure that partners communicating and exchanging information with one another follow agreed-upon levels of known best-practice criteria for information security management. Those levels would vary according to the circumstances, from normal business transactions to an emergency or crisis.

This will be a multi-part standard covering the following:

Part 1 Overview, Model and Principles

Part 2 Interworking and Communications Policy

Part 3 Process Management and Control

Part 4 Crisis Management Protocols

Part 5 Economics of information security management


[Note: in contrast to the others, part 3 appears to be calling for a technical security standard for SCADA security. As such, it may be better developed as a separate standard rather than part of ISO/IEC 27010.]

Copyright © 2008 IsecT Ltd.