ISO/IEC TR 27015:2012 Information technology — Security techniques — Information security management guidelines for financial services
This is a guideline intended to help financial services organizations (banks, insurance companies, credit card companies, etc.) implement ISMSs using the ISO27k standards.
Although the financial services sector already labors under a vast swathe of risk and security standards (such as ISO TR 13569 “Banking Information Security Guidelines”, SOX and Basel II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC 27001 and 27002 along with various general-purpose security standards such as COBIT and the PCI-DSS requirements.
Scope and purpose
ISO/IEC TR 27015 amplifies and extends some of the recommendations in ISO/IEC 27002 for financial services organizations - for instance, recommending in section 6.2.2 that security awareness activities should cover customers, not just employees. It gives examples of the kinds of awareness messages that, say, a bank would be well advised to broadcast to its employees, e.g. concerning identity thieves’ use of keylogging Trojans, phishing and social engineering to steal login credentials from customers’ systems.
Overall, the additional guidance in ISO/IEC TR 27015 may not be revolutionary but it is a useful prompt to go beyond the basics suggested in ISO/IEC 27002 in a few areas.
Status of the standard
The standard was published in November 2012.
This is a Technical Report rather than an International Standard, which is usually ISO’s way of saying “This is a developing area of expertise that we are not entirely comfortable about”.
The standard is now being revised, primarily to reflect the 2013 releases of 27001 and 27002. A study period is supposedly establishing liaisons with other interested parties, planning the revision and preparing a draft ... but only three revisions have been proposed by one national body, so the revision appears to have generated negligible interest.
Some of the financial industry liaison bodies have proposed withdrawing this standard - an obvious sign that they do not value it, and that in fact it may be counterproductive (imposing yet another compliance hurdle in an already heavily regulated industry).
Concerns linger about the limited amount of finance-sector-specific guidance this standard offers beyond what is already available in ISO/IEC 27002, and about its relationship to the finance sector standards developed by JTC1/TC68. Is there, in fact, a solid business case to continue working on this standard, or might SC 27’s finite resources be better spent on information risk and security standards in areas such as BYOD, cloud, IoT and IIoT, digital forensics and so forth? It would be good to know whether there is any real demand for the existing standard or an updated standard among financial services organizations, implying the need for a market survey first, or at least some credible metrics concerning sales of the current version.