ISO/IEC 27011:2016 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
This ISMS implementation guide for the telecomms industry was developed jointly by ITU-T and ISO/IEC JTC1/SC 27, with the identical text being published as both ITU-T X.1051 and ISO/IEC 27011.
Scope and purpose
“Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security controls in telecommunications organizations based on ISO/IEC 27002; [and]
Provides an implementation baseline of information security controls within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities, services and information handled, processed or stored by the facilities and services.”
[Quoted from the FDIS of the new version in preparation.]
Status of the standard
The standard was first published in 2008.
It was revised to reflect the 2013 versions of ISO/IEC 27001 and 27002 and published in December 2016.
In addition to minor variations/explanations of the core content of ISO/IEC 27002, there is an ‘extended control set’ with additional advice for telecoms organizations on access controls, physical and environmental security, communications security and compliance. It includes further guidance on network security, covering “cyber attacks” and network congestion.
ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:
- Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);
- Asset Management Guidelines [X.amg]: a guide to good asset management practices for telecoms organizations.
Those are not part of the FDIS of ISO/IEC 27011. Perhaps they will be separate standards?