In addition to the ISO27k standards that have already been allocated numbers, SC27 is considering further ISO27k standards through a number of Study Periods leading normally to New Work Item Proposals, at which point (if agreed) they are generally allocated ISO27k numbers and get their own separate pages on this site.
Security Information and Event Management (SIEM) (NWIP)
The Study Period on SIEM concluded with a New Work Item Proposal on the same title. A preliminary draft and ISO27k number is expected soon.
Electronic discovery (Study Period)
This was proposed by US as a useful addition to the digital evidence and incident investigation related standards in progress. The proposed standard is supported by the UK, but both the UK and US acknowledge that the courts have the ultimate authority to accept or reject evidence, hence the standard (if it proceeds) may offer guidance to those investigating and presenting forensic evidence.
Coordination of Investigative Projects (Study Period)
In view of the numerous digital evidence and incident investigation related projects under way, it has been decided to review their relationship and numbering, and determine the next steps.
Cloud Security Technology Standards (Study Period)
This will continue from the completed study period on Cloud Security and Privacy. SC27/WG4 is taking the lead, with a 2 year timeframe to generate the terms of reference. Meanwhile, the cloud security requirements for the supply chain will be covered by a new part 6 of ISO/IEC 27036, titled “Security of Cloud Services”.
Personal Information Management System (Study Period)
It is proposed to develop a standard specifying a Personal Identification Management System (PIMS) based on ISO/IEC 27001 and possibly ISO/IEC 29100. The idea is to define common ground for the management of personal information, providing confidence in its management and facilitating compliance assessment against general privacy principles, data protection laws and good practices.
Issues to be addressed during the study period include assessing the viability of the project, and deciding whether to address “privacy”, “Personally Identifiable Information” and/or “personal information”.
Taxonomy (Study Period)
As a result of a previous proposal to restructure ISO/IEC 27002 completely, a study period is under way to consider the merits of defining a taxonomy of information security, being a framework defining the main information security domains and their relationships. This may yet evolve into an internal guideline for SC27, providing greater consistency and coherence to all the ISO27k projects.
ICT Supply Chain Security (Study Period)
A study period is considering the value of a standard covering information security aspects of supply chain relations - for example the secure handling of valuable information about orders and prices between business partners.
ISO/IEC 27011-27019?: further sector-specific ISMS implementation guidelines
A suite of ‘sector-specific’ ISMS implementation guidelines was originally planned to help certain industries implement the ISO27k standards. These would offer advice on the application of typical information security controls already noted in ISO/IEC 27002 within each industry, but may include new information security controls that are specific to certain industries. Aside from ISO/IEC 27011 for the telecomms industry and ISO/IEC 27015 for the financial services sector, the idea has run out of steam, and even 27015 is struggling.
ISO/IEC 27001 and 27002 are well written, broadly applicable and popular standards; in fact, it is difficult to think of ways in which more detailed or specific guidance might be needed in certain industries beyond that provided in the generic standards.