The ISO/IEC 27000-series numbers up to ISO/IEC 27059 have been ‘reserved’ by ISO/IEC committee JTC1/SC27 for information security standards currently issued, in preparation or planned. Not all of the reserved numbers are in use or allocated yet but below is information on other potential ISO27k standards likely to be progressed by ISO/IEC JTC1/SC27.
Please note that SC27’s remit extends well beyond the ISO27k standards, covering identity management, biometrics and other aspects of information security. Some of the work items noted below probably will not end up as ISO27k standards.
If and when ISO27k numbers are allocated for these projects, we will create separate pages for them.
ISO/IEC 27011-27019?: Sector-specific ISMS implementation guidelines
A suite of ‘sector-specific’ ISMS implementation guidelines are planned to help certain industries implement the ISO27k standards. These are likely to contain advice on the application of typical information security controls already noted in ISO/IEC 27002 within each industry, but may include new information security controls that are specific to certain industries.
ISO/IEC 27011 will be the first of the series. It provides ISMS implementation guidance for the telecomms industry and was developed by or in conjunction with ITU-T, and jointly numbered X.1051. Publication is imminent.
ISO/IEC 27012 will probably be the next, providing ISMS implementation guidelines for eGovernment services.
ISO/IEC 27015 will provide ISMS implementation guidelines for the financial services sector.
Other industry sectors may also be covered by similar ISMS implementation guidelines, such as:
- “The energy sector” and/or “utilities” - electricity generation and distribution, oil and gas refining and distribution etc.;
- “The healthcare sector” potentially including primary/local healthcare, hospitals, health boards, pharmaceuticals and more. As with the finance sector, it remains to be determined what will happen to ISO 27799 and other healthcare information security standards developed independently of SC27 and thus officially outside of ISO27k;
- “The defense sector” (armed forces and defense contractors/suppliers, perhaps including aerospace?) for whom security and information security are clearly vital, although national interests may preclude or at least complicate international cooperation on common ISMS guidelines;
- “The transportation sector” potentially including train and bus companies, airlines etc. [however a proposed project to develop ISMS implementation guidelines for the automotive sector, specifically, was abandoned];
- “The food sector” potentially ranging from primary production (farms) through wholesale distribution to retail outlets (shops);
- “The media sector” (news, publishing etc.) for whom information is of course a vital input and the primary product;
- Other sectors: countries/nations define their most important and valuable industries differently. Holiday spots might define “the tourism sector” as vital, for instance, while something like “bauxite mining” might be crucial to just a few. ISMS implementation standards could potentially be developed to cover any sector, although there are practical constraints such as the limited number of people working in SC27 (most of whom are volunteers with day-jobs to maintain) and the level of contributions required from each sector.
A proposed sector-specific ISMS standard for lotteries that was originally to be developed in association with the World Lottery Association has been canceled.
Information security for critical infrastructure (study period)
Following some confusion between this proposal and the sector-specific work outlined above, the study period on a proposed new project on critical infrastructure security was canceled by SC27 at the October 2008 meeting.
Several nations have defined “critical infrastructure” sectors but there are differences of scope and interpretation, and in some cases security of “critical national infrastructure” is covered by explicit legislation so ISO/IEC security standards would be irrelevant and perhaps even counterproductive. Nevertheless, the US Department of Homeland Security and others are keen to share their experience and encourage the spread of good practices. They will presumably now look for opportunities to contribute to the ongoing ISO27k standards projects.
Information security incident classification
ENISA envisaged the need for classification to facilitate information sharing between European (and other) countries: this work has been rolled into ISO/IEC 27035.