ISO/IEC 27000

ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary

(fifth edition)

Abstract

“ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. [ISO/IEC 27000] is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in [ISO/IEC 27000]: cover commonly used terms and definitions in the ISMS family of standards; do not cover all terms and definitions applied within the ISMS family of standards; and do not limit the ISMS family of standards in defining new terms for use.”

[Source: ISO/IEC 27000:2018]

Introduction

ISO/IEC 27000 gives an overview of Information Security Management Systems (and thus many of the ISO27k standards), plus a glossary that formally defines many (but not all) of the specialist terms as they are used within the ISMS standards.

Scope

ISO/IEC 27000 is focused on the 'core ISO27k standards' meaning ISO/IEC 27001 to 27008. Other ISO27k standards are covered to a lesser extent and many are not mentioned at all (including, of course, new standards published after 2018).

Structure

The standard has three main clauses:

  • 3: Terms and definitions - a glossary formally defines 77 key terms as used in various ISO27k standards.

  • 4: Information Security Management Systems - an overview introduces information security, risk and security management, and management systems. 

  • 5: ISMS family of standards - a reasonably clear though wordy description of the ISO27k approach and some of the ISO/IEC 27000-series of standards, from the perspective of the committee that wrote them.

Status

The first edition was published in 2009.


It was updated in 2012, 2014, 2016 and 2018.


The current 2018 fifth edition is available legitimately from ISO for free. It was a minor revision of the 2016 fourth edition, adding a section on abbreviations and rationalising the metrics-related definitions following the 2016 rewrite of ISO/IEC 27004.


The sixth edition of ISO/IEC 27000 is a work-in-progress. In accordance with ISO directives, the current edition’s vocabulary will be moved to an annex containing a “definition and explanation of commonly used terms in the ISO/IEC 27000 family of standards” - more specifically, the glossary will apply to ISO27k standards belonging to ISO/IEC JTC 1/SC 27/WG 1 (ISO/IEC 27001 to ISO/IEC 27011, ISO/IEC 27013, ISO/IEC 27014, ISO/IEC 27016, ISO/IEC 27017, ISO/IEC 27019, ISO/IEC 27021 to ISO/IEC 27024, ISO/IEC 27028 and ISO/IEC 27029). Terms will be grouped conceptually in the annex rather than alphabetically. However, various specialist terms used in ISO/IEC 27000 itself are to be defined in clause 3 as usual.


The new sixth edition will be a lot shorter, halving the page count.


Publication of the sixth edition is due this year. It is at Draft International Standard stage. The title is to become “Information security, cybersecurity and privacy protection — Information security management systems — Overview”.

Commentary

Clause 4 “Concepts and principles”, new to the sixth edition, is intended to clarify the fundamentals underpinning information risk and security management.


The information security controls in ISO/IEC 27001 Annex A, 27002, 27010, 27011, 27017 and 27019 are to be termed “Candidate necessary information security controls” - a curious and ambiguous turn of phrase reflecting the committee’s persistent difference of opinion in this area. ‘Necessary’ is for the organisation to determine according to its evaluation of information risks relative to its risk appetite. ‘Candidate’ is clearly not ‘required’ and is less than ‘suggested’, but still some readers and inept auditors may feel the controls have to be implemented by default: they don't.


Given the chance, I would replace “information security risk” throughout the ISO27k standards with the shorter, simpler and more appropriate term “information risk”. 


“Information security risk” is not formally defined as a complete phrase and doesn’t even make sense: it is presumably trying to indicate that we are talking about risk in the context of information security, but it could be interpreted as “risk to information security”, which I guess would include things such as failing to identify novel risks, and lack of management support for the function: those are indeed risks, but they are not the focus of ISO27k.


“Information risk”, in contrast, is reasonably self-evident but, if the committee feels the desperate need for an explicit definition, I suggest something as simple as “risk relating to or involving information” or even “risk pertaining to information”, where both risk and information are adequately defined in dictionaries (whereas the current ISO27k definition of risk is unhelpful).


Thus far, I have failed to persuade the committee to accept this terminological change, which admittedly would ripple through most of the ISO27k standards. However, the sixth edition's clause 4.1.2 is expected to include the following concerning information:


“Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, needs to be suitably protected.”


OK, yes it deserves adequate protection, but it also deserves legitimate exploitation for business purposes. That duality is something that management should address systematically using the ISMS as a framework.


“It does not matter whether the information is owned by the organization or is entrusted to its care by a third party, e.g., a customer.”


Patently, ownership of information does matter, so that statement is plain wrong. Protection and exploitation of information matter to the owners of both business/commercial/proprietary and personal information (including that belonging to employees, by the way). Even public-domain information can be of value to society, groups or individuals, while inaccurate, outdated, incomplete, misleading, coercive, manipulative or malicious information is of concern regardless of who owns it.


I suspect that second sentence was supposed to build upon the first but somehow the linkage has been lost in translation, with unintended consequences.


Pressing ahead:


“Information can be stored in many forms, including digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as information in the form of knowledge. Information can be transmitted by various means including courier, electronic or verbal communication. Whatever form information takes, or how it is transmitted, it always needs appropriate protection.”


All good so far, but then ...


“In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.”


The final paragraph reveals the longstanding systemic bias towards technology (more specifically, Information Technology as opposed to, say, Operational, Communications or Smart Technologies) throughout the ISO27k standards. While clearly it is true that information security controls based on technology play a large part in protecting digital data, technology alone will never completely replace the need for humans to protect information as well, including the use of physical and organisational controls (such as policies, contracts and assurance measures). And, last but not least, the controls are specified, designed, used and managed by humans, while security incidents affect humans. In short, it’s humans all the way down.

This page last updated:

11 February 2026

© 2026 IsecT Limited 
