ISO/IEC TR 27015:2012 Information technology — Security techniques — Information security management guidelines for financial services
This is a guideline intended to help financial services organizations (banks, insurance companies, credit card companies etc.) implement ISMSs using the ISO27k standards.
Although the financial services sector already labors under a vast swathe of risk and security standards (such as ISO TR 13569 “Banking Information Security Guidelines”, SOX and Basel II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC 27001 and 27002 along with various general-purpose security standards such as COBIT and the PCI-DSS requirements.
Scope and purpose
ISO/IEC TR 27015 amplifies and extends some of the recommendations in ISO/IEC 27002 for financial services organizations - for instance, recommending in section 6.2.2 that security awareness activities should cover customers, not just employees. It gives examples of the kinds of awareness message that, say, a bank would be well advised to broadcast to its employees e.g. concerning identity thieves’ use of keylogging Trojans, phishing and social engineering to steal login credentials from customers’ systems.
Overall, the additional guidance in ISO/IEC TR 27015 may not be revolutionary but it is a useful prompt to go beyond the basics suggested in ISO/IEC 27002 in a few areas.
Status of the standard
The standard was published in November 2012.
This is a Technical Report rather than an International Standard, which is usually ISO’s way of saying “This is a developing area of expertise that we are not entirely comfortable about”.
The standard is due to be revised, primarily to reflect the 2013 releases of 27001 and 27002. A study period has been agreed to establish liaisons with other interested parties and prepare a draft.
The limited amount of finance-sector-specific guidance this standard offers above that already available in ISO/IEC 27002, plus concerns over its relationship to finance sector standards developed by JTC1/TC68, linger on. At least one national body has indicated that the standard should be withdrawn rather than revised, saving a lot of work with limited benefit to the standard’s intended audience. I sympathise with that position: is there, in fact, a solid business case to continue working on this standard, or might SC 27’s finite resources be better spent on information risk and security standards in areas such as BYOD, cloud, IoT and IIoT, digital forensics and so forth? It would be good know whether there is any real demand for an update to the standard among financial services organizations, implying the need for a market survey first, or at least some credible metrics concerning sales of the current version.