ISO/IEC TR 27015:2012 Information technology — Security techniques — Information security management guidelines for financial services
A sector-specific guideline intended to help financial services organizations (banks, insurance companies, credit card companies etc.) implement ISMSs using the ISO27k standards.
Although the financial services sector already labors under a vast swathe of risk and security standards (such as ISO TR 13569 “Banking Information Security Guidelines”, SOX and Basel II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC 27001 and 27002 along with various general-purpose security standards such as COBIT and the PCI-DSS requirements.
Scope and purpose
ISO/IEC TR 27015 amplifies and extends some of the recommendations in ISO/IEC 27002 for financial services organizations - for instance, recommending in section 6.2.2 that security awareness activities should cover customers, not just employees. It gives examples of the kinds of awareness message that, say, a bank would be well advised to broadcast to its employees e.g. concerning identity thieves’ use of keylogging Trojans, phishing and social engineering to steal login credentials from customers’ systems.
Overall, the additional guidance in ISO/IEC TR 27015 may not be revolutionary but it is a useful prompt to go beyond the basics suggested in ISO/IEC 27002 in a few areas.
Status of the standard
The standard was published in November 2012.
This is a Technical Report rather than an International Standard, which is usually ISO’s way of saying “This is a developing area of expertise that we are not entirely comfortable about”.
Negative comments from several standards bodies on the final draft version indicate serious misgivings about the nature of the standard (e.g. the limited amount of finance-sector-specific guidance it offers, compared to the generic ISO/IEC 27002) and confusion over its relationship to other finance sector standards developed by JTC1/TC68. Reading between the lines, the standard is perceived to have limited value to the financial services companies it was intended to guide, which in turn suggests that this was perhaps an ill-conceived project - speaking of which, SC 27 needs to consider carefully the merit of ISO/IEC 27009. Time and again, ‘27002 (like its progenitor BS 7799) has proven valuable in many different organizations, industries and circumstances. It was always meant to be broadly applicable, and indeed it is.