ISO/IEC 27011:2008 Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
This ISMS implementation guide for the telecoms industry was developed jointly by ITU-T and ISO/IEC JTC 1/SC 27; the identical text is published both as ITU-T Recommendation X.1051 and as ISO/IEC 27011.
Scope and purpose
The summary states:
“For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly and successfully continue their business activities, information security management is extremely necessary. This Recommendation provides the requirements on information security management for telecommunications organizations.
This Recommendation specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the telecommunication's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual telecommunications or parts thereof.”
Status of the standard
The standard was published in 2008.
The standard is currently being revised to reflect the 2013 versions of ISO/IEC 27001 and 27002. ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:
Security management guidelines for small and medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);
Asset Management Guidelines [X.amg]: a guide to good asset management practices for telecoms organizations.
In addition to minor variations on, and explanations of, the core content of ISO/IEC 27002, there will be an ‘extended control set’ with additional advice on access control, physical and environmental security, communications security and compliance, plus further guidance on network security, to suit the needs of telecoms organizations.
The revision is at the FDIS (Final Draft International Standard) stage. The title looks set to become “Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations”. It should be published during 2016.