The ISO/IEC 27000-series numbers up to ISO/IEC 27059 have been ‘reserved’ by ISO/IEC committee JTC1/SC27 for information security standards currently issued, in preparation or planned. Not all of the reserved numbers are in use or allocated yet but below is information on other potential ISO27k standards likely to be progressed by ISO/IEC JTC1/SC27.
Please note that SC27’s remit extends well beyond the ISO27k standards, covering identity management, biometrics and other aspects of information security. Some of the work items noted below may not end up as ISO27k standards.
ISO/IEC 27011-27019?: Sector-specific ISMS implementation guidelines
A suite of ‘sector-specific’ ISMS implementation guidelines are planned to help certain industries implement the ISO27k standards. These are likely to contain advice on the application of typical information security controls already noted in ISO/IEC 27002 within each industry, but may include new information security controls that are specific to certain industries.
ISO/IEC 27011 will be the first of the series. It provides ISMS implementation guidance for the telecommunications industry and was developed by or in conjunction with ITU-T, which jointly numbers it X.1051.
SC27 has not yet identified which other industry sectors will be covered. Many nations have defined “critical infrastructure” sectors but there are differences of scope and interpretation, and in some cases security of “critical national infrastructure” is covered by explicit legislation so ISO/IEC security standards would be irrelevant and perhaps counterproductive. Nevertheless, ISMS guidelines could prove useful for some combination of industry sectors such as:
“The energy sector” and/or “utilities” - electricity generation and distribution, oil and gas refining and distribution etc.;
“The finance sector” i.e. banking, insurance and financial services, credit/debit cards and more. Although this sector already has a swathe of risk and security standards such as ISO TR 13569 “Banking Information Security Guidelines”, the ISMS implementation guidance developed by SC27 will directly reflect ISO/IEC 27001 and 27002. Whether it adopts, replaces or sits alongside other finance sector security standards remains to be seen;
“The healthcare sector” potentially including primary/local healthcare, hospitals, health boards, pharmaceuticals and more. As with the finance sector, it remains to be determined what will happen to ISO/IEC 27799 and other healthcare information security standards developed independently of SC27 and ISO27k;
“The defense sector” (armed forces and defense contractors/suppliers, perhaps including aerospace?) for whom security and information security are clearly vital, although national interests may preclude or at least complicate international cooperation on common ISMS guidelines;
“The transportation sector” potentially including train and bus companies, airlines etc. [However, a proposed project to develop ISMS implementation guidelines specifically for the automotive sector was terminated by SC27 at the Kyoto meeting because it had received insufficient inputs. Broadening the scope to cover manufacturing industry as a whole was felt to be pointless given the huge breadth this would encompass, meaning that there would be little to add to ISO/IEC 27001 and 27002.];
“The food sector” potentially ranging from primary production (farms) through wholesale distribution to retail outlets (shops);
“The media sector” (news, publishing etc.) for whom information is of course a vital input and the primary product;
Other sectors: countries/nations define their most important and valuable industries differently. Holiday spots might define “the tourism sector” as vital, for instance, while something like “bauxite mining” might be crucial to just a few. ISMS implementation standards could potentially be developed to cover any sector although there are practical constraints such as the limited number of people working in SC27 (most of whom are volunteers with day-jobs to maintain) and the level of contributions required from each sector.
Acquisition and security of digital forensic evidence (study period)
A Study Period has been launched by SC27 to determine whether a standard is needed on procedures for acquiring and protecting digital forensic evidence, particularly for cross-border crimes where evidence acquired in one country might be presented in the courts of a second.
Background
One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity. As with conventional physical evidence, it is crucial for the first and subsequent responders to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts. More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred. This requires that a defined baseline level of information security controls is met or exceeded.
Digital forensic evidence can come from any electronic storage or communications medium, such as cellphones, computers, iPods, video game consoles etc. By its nature, digital forensic evidence is particularly fragile: it can easily be damaged or altered through improper handling, whether by accident or on purpose.
Currently, there are no standards available on acquiring digital evidence, the first step in the process. Law enforcement agencies in individual nations have developed their own guidelines and procedures for the acquisition and protection of electronic evidence. However, this creates issues when cross-border crimes are committed, since digital forensic evidence acquired in one country may need to be presented in the courts of another. Evidence that may have been acquired or protected without the requisite level of security is likely to be regarded as tainted and may be inadmissible in court.
Scope
The standard will provide detailed guidance on the acquisition of electronic evidence and maintenance of its integrity. It will define and describe the process of recognition and identification of the evidence, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence.
Purpose and justification
Every country has its own legal system. A crime committed in one jurisdiction may not even be regarded as a crime in another. The challenge is to harmonize processes across borders so that the ever-growing number of cybercriminals can be prosecuted accordingly. Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required.
Benefits of the standard include:
Maintaining an assured minimum level of integrity of digital forensic evidence required for cross-border legal actions; and
Assisting law enforcement and private sector organizations that gather and/or preserve and communicate digital forensic evidence for criminal investigations.
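In practice, the integrity requirement described in the Background and Scope paragraphs above rests on two mechanisms: cryptographic digests recorded at the moment of acquisition, and a chain-of-custody record that cannot be silently edited afterwards. The following Python block is an added illustration of both; it is not part of the original page nor of any SC27 draft. The log layout, field names, handler names and the sample "evidence" bytes are constructed for the example.

```python
import hashlib
import json

# Constructed sample evidence: stands in for a disk image or phone dump.
# Not a real acquisition.
SAMPLE_EVIDENCE = b"constructed sample evidence image bytes, not a real image\n" * 64


def acquisition_hashes(data: bytes) -> dict:
    """Digest the acquired bytes with two independent algorithms.

    Recording more than one digest at seizure time means a weakness in one
    algorithm does not by itself let an altered image pass verification.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_256": hashlib.sha3_256(data).hexdigest(),
    }


def verify_evidence(data: bytes, recorded: dict) -> bool:
    """Re-hash the evidence and compare against the digests logged at acquisition."""
    current = acquisition_hashes(data)
    return all(current[alg] == digest for alg, digest in recorded.items())


class CustodyLog:
    """A tamper-evident chain-of-custody log (illustrative format, not a standard's).

    Each entry carries the hash of the previous entry, so editing, deleting or
    reordering an earlier entry invalidates every entry that follows it.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so the digest does not depend on key order or spacing.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, handler: str, action: str, evidence: dict, timestamp: str) -> dict:
        """Record a custody event; timestamp is supplied by the caller (e.g. ISO 8601 UTC)."""
        prev = self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "handler": handler,
            "action": action,
            "evidence": evidence,
            "prev_hash": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the hash chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            prev = self._entry_hash(entry)
        return True


def demo() -> dict:
    """Walk the evidence through three handlers, then show what tampering does."""
    digests = acquisition_hashes(SAMPLE_EVIDENCE)
    log = CustodyLog()
    log.append("first responder (constructed)", "acquired image", digests, "2009-01-01T10:00:00Z")
    log.append("evidence custodian (constructed)", "received sealed media", digests, "2009-01-01T15:30:00Z")
    log.append("lab analyst (constructed)", "verified digests, began analysis", digests, "2009-01-02T09:00:00Z")

    results = {
        "evidence_intact": verify_evidence(SAMPLE_EVIDENCE, digests),
        "log_intact": log.verify(),
        # A single flipped byte in the image is caught by re-hashing.
        "altered_evidence_detected": not verify_evidence(SAMPLE_EVIDENCE[:-1] + b"!", digests),
    }
    # Someone rewrites the first handler's name after the fact: the chain breaks.
    log.entries[0]["handler"] = "unknown"
    results["edited_log_detected"] = not log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log on its own only proves that nothing was changed after each entry was written; in a real process the digests and log would also be signed or countersigned by the handler and stored separately from the evidence, so that a handler who controls both cannot rebuild the whole chain.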
Information security incident management
A project was launched to revise and convert ISO/IEC TR 18044 into a full International Standard.
Information security incident classification
A project was launched to develop guidelines for classifying information security incidents. This work was proposed by ENISA, which envisages the need for a common classification to facilitate information sharing between European (and other) countries.
Security of outsourcing
The study period has been extended to permit further inputs.
Home networking security
SC27 has terminated this work since the scope remains unclear. However, SC25 and ITU-T both appear to be undertaking work in this area.