In addition to the ISO27k standards that have already been allocated numbers, SC 27 is considering further ISO27k standards and internal committee documents through a number of Study Periods (SPs) leading normally to New Work Item Proposals (NWIPs), at which point (if agreed by SC 27) some become standards projects and are allocated ISO27k numbers ... and we set up the corresponding pages on this website to see them through to publication (or not, as the case may be).
Use of ISO27k for governmental/regulatory requirements SP
A SP has been started to explore the use of ISO27k in connection with (I think) governmental oversight of organization’s infosec arrangements. Details are sketchy at this stage but it appears to be developing an internal committee Standing Document listing regulatory bodies that specify or recommend compliance with the ISO27k standards in various industries etc.
The call for contributions for this study period asks for inputs regarding:
- How cybersecurity, IT security and information security relate;
- Definitions of basic terms; [Hey, great idea! Let’s start with ‘cyber’ please ...]
- Existing cybersecurity standards; and
- Standardization gaps within scope of SC27.
Relationship between ISO/IEC standards and cybersecurity SP
There is a separate SP with a remarkably similar scope and purpose to the Cybersecurity SP above. How odd. A starter document/skeleton standard emphasizes how Cybersecurity (inconsistently capitalized and not actually defined) can be achieved through information security (gosh, imagine that!). It promotes the idea of using a ‘Cybersecurity framework’ (defined as “A set of components that provide the functions and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving cybersecurity throughout the organization”) ... which looks suspiciously like a management system.
Personal comments: it is as if the authors are completely unfamiliar with the ISO27k standards. Perhaps they parachuted in from Mars? The 20+ pages of draft standard add nothing substantial to the field and could simply have been replaced by either nothing at all, or maybe a sentence or two in ISO/IEC 27000, 27001 and/or 27002.
Guidelines for cyber resilience SP
A study period is ongoing on ‘cyber resilience’ or ‘Cyber resilience’ or ‘Cyber Resilience’ (various forms are used). The term is unclear, so one of the jobs for the study will (hopefully) be to define it, along with ‘adverse cyber events’ ....
Quoting from the call for contributions: “Cyber resilience refers to the ability (of an organization, business process or system) to continuously deliver the intended outcome despite adverse cyber events. Organizational resilience refers to the adaptive capacity of an organization in a complex and changing environment (ISO 22300). These definitions will be revisited and are likely to be revised as part of the study period.”
An interim report on the study period suggested that it might lead to a new standard for a cyber resilience management system, or possibly variants of 27001 or 27002, or a standard on integrating ISO 22301 with ISO27k.
An outline or skeleton for the standard referred to potentially incorporating the whole of information security management, rather than just the activities associated with maintaining critical business activities through and despite incidents affecting IT systems and networks ... calling into question the scope and purpose of this project.
The study has been extended until April 2017, when a NWIP (design spec for a standard) is due.
A report from the SP noted the intention to use ISO/IEC 27009 to develop a sector-specific version of ISO/IEC 27001 specifically for resilience - a curious interpretation of the phrase “sector-specific”. If it gets the green light, it will produce a technical specification rather than an international standard, providing “guidance on the role and contribution played by ISO/IEC 27001 and ISO/IEC 27002, as well as other relevant standards, in building an organisational capability for cyber resilience.”
Personal comments: the reference to ‘adverse cyber events’ does not clarify the meaning of ‘cyber’. In practice, ‘cyber’ is used informally to refer to computing/IT, the Internet, serious nation-state or terrorist attacks on critical national infrastructures, artificial intelligence, electronics, robots, and no doubt other quite distinct things with markedly different implications for information risk and hence security requirements. [The call for contributions unhelpfully refers to “the digital (cyber) domain”, adding to the fog of confusion.] Furthermore, in the context of information risk and security, ‘resilience’ normally refers to business continuity (the continuation of critical business activities) rather than adaptability, hence the initial definition is not exactly helpful ... but I guess it’s a start. I just hope it is clearly defined before this turns into a standards project otherwise I fear we’ll end up with another ISO/IEC 27032.
Cloud-related security studies
An SC 27 WG4 study on the possible need for cloud computing security standards has identified three areas of interest, and spawned three further studies:
- Cloud security assessment and audit - assessing, evaluating, reviewing or auditing cloud security arrangements.
- Cloud-adapted risk management framework - interpreting/adapting/applying ISO27k and other risk management approaches to cloud computing [may recommend an annex to ISO/IEC 27005 concerning cloud risks, rather than a separate standard]. A second call for contributions primarily identified the need to consider the different context in cloud versus traditional in-house IT operations, which affects the risks. The concept of stretching the definition of an ‘organization’ to cover multiple legal entities who collaborate to deliver cloud services might also be an issue for the existing ISO27k standards. The study may recommend a Technical Report rather than an International Standard.
- Cloud security components - separating out the individual elements necessary to build cloud security.
A further new work item has been proposed by ITU-T, on “Guidelines for Cloud Service Customer Data Security”, covering situations where the cloud service provider is required to secure the customers’ data (which is not always the case: sometimes the customer remains responsible).
Yet another NWIP has been proposed, along with an initial contribution for “The architecture of trusted connection to cloud services”.
Oh and another: “The architecture for virtual root of trust on cloud platform”.
A short Study Period on “Emerging virtualization security” took inputs from the Cloud Security Alliance on NFV (Network Function Virtualization) i.e. virtual networks, specifically, as opposed to virtual systems, storage and applications.
Competences for information security testers and evaluators
“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [quoted from the NWIP].
The NWIP points out that a lack of standards in this area leads to inconsistencies in the conformance testing performed by testers and test labs.
The project looks set to go ahead.
Risk handling library SP
This SP concerns a new SD (SC27 committee internal Standing Document) to structure and coordinate SC27’s standards work according to the information risks the standards do, should or will address - a kind of programme management guide perhaps (which I thought was the purpose of the Information Security Library - see below). So far they have picked out a few privacy standards that cover “risk”.
The SP Terms of Reference have been revised. Support for the SP has been so-so but it is continuing. It is developing a specification for the SD which may list risk content in both current and future/planned ISO27k standards. A draft is due by April 2017.
Information Security Library, ISL
A project is studying the need for an “Information Security Library” (ISL) standard explaining how all the standards within the remit of SC 27 fit together, and how organizations might choose to use them [which sounds to me a lot like the overview function of the present ISO/IEC 27000, albeit perhaps extending beyond the ISO27k standards to include privacy, identity management etc.]. Internally within SC 27, the ISL would drive the continued development of the standards, envisaging an accelerated timeframe for the more dynamic technology-driven IT security elements relative to the slower-evolving business-driven information security and governance parts.
A draft of SC27 Standing Document 16 suggests developing the ISL as (in effect) a roadmap for SC27’s activities. Maintaining/updating and extending Annex A of ISO/IEC 27001 would become the focal point of many if not all of SC 27’s projects.
Cybersecurity maturity model
A project has been proposed to develop a maturity model covering cybersecurity, defined inter alia as “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
Personal comments: unfortunately, ‘the Cyberspace’ is inconsistently defined, hence it is far from clear what the maturity model would actually cover. I’m unsure who would benefit from such a maturity model anyway.
Privacy enhancing data de-identification techniques
A NWIP, complete with a good donor document to get things off to a flying start, is proposing a standard on techniques to anonymize or pseudonymize data containing personal information, in support of ISO/IEC 29100 Privacy framework.
The following study periods have ended: they are ex-SPs
Cyber insurance SP
Studied the possibility of developing a Technical Specification on ‘cyber insurance’. The term is unclear.
The audience for the standard may be information security pros interested in taking up cyber insurance as a risk-sharing option, and/or the insurance industry providing such insurance.
Australia Standards kindly provided a substantial template as a potential starting point for the project, if it gets the go-ahead. Good start!
The study was extended until October 2016.
A revised scope and draft was produced, forming the basis of a NWIP with just 3 main clauses: concepts; sharing cybersecurity information between insurer and insured; and information required by the insurer. The proposed title is “Guidelines for cyber insurance”.
Personal comments: notably absent was any hint of the business case for using cyber insurance as a risk treatment option - the pros and cons, costs and benefits of so doing. And I have yet to see a meaningful definition of ‘cyber insurance’ that doesn’t lamely refer to the equally vague and undefined ‘cyber security’.
Internet of Things - security and privacy
Given that the term means different things to different people, a new work item to write a security standard for the Internet of things would pose an interesting challenge for SC 27 right now!
ISO/IEC JTC1/Working Group 7 (not SC 27) is preparing an architectural standard to define the terms and concepts that users and other standards committees can use in due course. WG 7 is mainly concerned with sensor networks, hence their interest in the Internet of Things such as smart grid, smart city etc., where various devices with various sensors are able to link up and pass along information. There are substantial confidentiality, privacy, integrity and availability issues with some of the implementations, hence an information security standard seems likely to follow. However, there seems to be more to the Internet of Things than smart grids and sensor networks, hence SC 27 also initiated a study period on the “Security and privacy issues on Internet of Things”.
The Study Period is looking into the need to address the following (more or less):
- Gateway security
- Network Function Virtualization (NFV) security
- Management and measurement of IoT security (metrics)
- Open Source assurance and security
- IoT risk assessment techniques
- Privacy and big data
- Application security guidance for IoT
- IoT incident response guidance.
Cloud security use cases and potential standardization gaps
This study period was cancelled before I had the chance to find out what it was up to. Sorry, I don’t know what it achieved.
Healthcare justification and design specification
This study period ended by concluding that SC27 should collaborate with TC 215 to align healthcare information security standards (such as ISO 27799) with ISO27k. Wow, fancy that. Talk about statin’ the bleedin’ obvious.
Information security risks and opportunities
This study period took over from one on “Cloud and new technologies risk management”, specifically addressing clause 6.1 of ISO/IEC 27001, concerning the risks and opportunities that the organization intends to address with an ISMS, plus other parts of 27001 if appropriate. Paraphrasing the terms of reference for the study period, it is envisaged that the standard will address:
a) The integration of information security into the business, picking up on the ‘opportunities’ component of 27001 clause 6.1;
b) The whole lifecycle [of information, information risk, the business, the ISMS or something else - it’s not clear at this point];
c) Cloud and new data technologies;
d) ‘Advanced’ risk management topics, such as those ruled out of scope by the current ISO/IEC 27005 revision project;
e) Situations where the ISMS covers an entire organization, a part, or a set of parts.
[Unless I’m missing the linkages, that looks to me like a rag-bag of distinct issues, loose ends from other projects thrown into the melting pot for a new project. I wouldn’t be surprised if the final product only covers some of those, and perhaps other stuff too. With such an apparent lack of clarity and focus on the scope at the outset, this project faces a bumpy road ahead unless the Study Period pins it down.]
Initial responses to the call for inputs have included:
- A proposal to document SWOT;
- A 6-page specification for inputs to this Study Period (!);
- A proposal to discuss the application of ISO/IEC 27001 in an organization that spans multiple jurisdictions, and/or that uses cloud computing;
- A proposal to clarify terminology when explaining intuitive activities;
- Comments to the effect that ‘risks and opportunities’ in 27001 refers to information risks and opportunities to improve the ISMS, and 27003 would be the best place to clarify that; and that any move to develop another risk management approach (instead of sticking with ISO 31000) is retrograde.
Speaking personally, I’m glad to report that it looks as if this project was a non-starter: it’s not that the subject matter is unimportant (quite the contrary), rather that the initial outline lacked clear direction and purpose, especially since most of the proposed content would be better incorporated in other standards such as 27003, 27004, 27005 and 27014 (among others).
Information Security Code of Practice for the Aviation Industry
A study period evaluated the need for (in essence) a version of ISO/IEC 27002 customized/adapted for the aviation industry. The study was extended to give relevant bodies (such as ICAO, IATA, ITU-T, EASA, EUROCONTROL, FAA and EUROCARE) the opportunity to establish formal liaisons but the lack of engagement by those bodies, stemming from no demand for an ISO27k standard from the aviation industry, led to the study period and proposed standard being cancelled. It’s not that the intensely-regulated aviation industry doesn’t need information security, rather that an aviation version of 27002 would not be helpful.
Personal Information Management System
It was proposed to develop a standard specifying a Personal Identification Management System (PIMS) based on ISO/IEC 27001 and possibly ’29100. The idea was to define common ground for the management of personal information, providing confidence in its management and facilitating compliance assessment against general privacy principles, data protection laws and good practices.
Issues to be addressed during the study period include assessing the viability of the project, and deciding whether to address “privacy”, “Personally Identifiable Information” and/or “personal information”.