ISO/IEC 27015 Information technology — Security techniques — Information security management guidance for financial services (DRAFT)
A sector-specific guideline is being developed to help organizations within the financial services sector (i.e. banks, insurance companies, credit card companies etc.) implement ISMSs using the ISO27k standards.
Although this sector already has a swathe of risk and security standards such as ISO TR 13569 “Banking Information Security Guidelines”, SOX, Basel II (and now III) etc., the ISMS implementation guidance developed by SC27 will directly reflect ISO/IEC 27001 and 27002. Whether ISO/IEC 27015 adopts, replaces or sits alongside other finance sector security standards (including those developed by JTC1/SC68) remains to be seen.
The New Work Item scope for this standard said:
“This standard aims to support those sectors in fulfilling sector-specific information security related legal and regulatory requirements through an internationally agreed and well-accepted framework. It aims to provide guidelines on how to meet baseline information security management requirements and implement appropriate controls and processes to meet confidentiality, integrity, availability and any other relevant security requirements. This standard should serve the financial and insurance sector as well as their business partners and customers. This standard follows the ISMS risk-based approach and therefore incorporates flexibility to address the following topics related to the protection of the organisation’s information assets:
- The organisation’s business strategy and focused market segments;
- Characteristics of different geographical and domestic regions;
- The organisation’s specific services and products;
- Applicable legal and regulatory constraints.
This standard does not intend to specify mandatory requirements but should rather serve as guidance on how visible evidence can be provided to business partners, customers and regulatory bodies that an organisation follows commonly agreed best practice levels for information security management.”
Latest available status info
The standard is moving along slowly. Comments from TC 68/SC 2 are being addressed by the drafting team in an attempt to gain their support for the standard. A letter ballot is being held on the possibility of releasing this as a Technical Report rather than a full International Standard. Publication may yet occur in 2012.