ISO/IEC 27011:2008 Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
This ISMS implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC1/SC 27, with identical text published as both ITU-T X.1051 and ISO/IEC 27011.
Scope and purpose
“Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security controls in telecommunications organizations based on ISO/IEC 27002; [and]
Provides an implementation baseline of information security controls within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities, services and information handled, processed or stored by the facilities and services.”
[Quoted from the FDIS of the new version in preparation.]
Status of the standard
The standard was first published in 2008.
The standard is currently being revised to reflect the 2013 versions of ISO/IEC 27001 and 27002.
In addition to minor variations/explanations of the core content of ISO/IEC 27002, there will be an ‘extended control set’ with additional advice for telecoms organizations on:
- Access controls;
- Physical and environmental security;
- Communications security; and
- Compliance; plus
- Further guidance on network security (covering “cyber attacks” and network congestion).
The revised standard is at FDIS stage.
The title is “Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations”.
It should be published during 2016.
ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:
- Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);
- Asset Management Guidelines [X.amg]: a guide to good asset management practices for telecoms organizations.
Those are not part of the FDIS of ISO/IEC 27011. Perhaps they will be separate standards?