ISO/IEC TR 27015:2012 — Information technology — Security techniques — Information security management guidelines for financial services
This is a guideline intended to help financial services organizations (banks, insurance companies, credit card companies etc.) implement ISMSs using the ISO27k standards.
Although the financial services sector already labors under a vast swathe of risk and security standards (such as ISO TR 13569 “Banking Information Security Guidelines”, SOX and Basel II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC 27001 and 27002 along with various general-purpose security standards such as COBIT and the PCI-DSS requirements.
Scope and purpose
ISO/IEC TR 27015 amplifies and extends some of the recommendations in ISO/IEC 27002 for financial services organizations - for instance, recommending in section 6.2.2 that security awareness activities should cover customers, not just employees. It gives examples of the kinds of awareness message that, say, a bank would be well advised to broadcast to its employees e.g. concerning identity thieves’ use of keylogging Trojans, phishing and social engineering to steal login credentials from customers’ systems.
Overall, the additional guidance in ISO/IEC TR 27015 may not be revolutionary but it is a useful prompt to go beyond the basics suggested in ISO/IEC 27002 in a few areas.
Status of the standard
The standard was published in November 2012.
This is a Technical Report rather than an International Standard, which is usually ISO’s way of saying “This is a developing area of expertise that we are not entirely comfortable with”.
The standard was due to be revised to reflect the 2013 releases of 27001 and 27002. Only three changes were proposed by one national body, implying negligible interest in maintaining this standard. Some of the financial industry liaison bodies and SC 27 experts have proposed withdrawing it instead - an obvious sign that they do not value it, and that in fact it may be counterproductive (imposing yet another compliance hurdle in an already heavily regulated industry) ... so the revision project has been cancelled and in due course ISO/IEC TR 27015 will be withdrawn.
The limited amount of finance-sector-specific guidance this standard offers above that already available in ISO/IEC 27002, plus concerns over its relationship to finance sector standards developed by JTC1/TC68, linger on. Personally, I think this standards project was ill conceived in the first place and should never have been launched, so the sooner it is put out of its misery the better - especially given the urgent need for SC27 to press ahead with many other priorities. This has been an expensive and unnecessary diversion down a blind alley.