ISO/IEC TS 27115-1

ISO/IEC TS 27115-1 — Information security, cybersecurity and privacy protection — Cybersecurity of system of systems Part 1: Introduction and framework overview

(DRAFT)

Abstract

ISO/IEC TS 27115[-1] “provides the foundations and concepts for the cybersecurity evaluation of complex systems.

Two frameworks are defined:

  • [ISO/IEC TS 27115-2] is used to specify the cybersecurity of a complex system, including system of systems.

  • [ISO/IEC TS 27115-3] is used to evaluate the corresponding cybersecurity solutions.

The frameworks use basic architecture concepts:

  • to enable description of reference or solution cybersecurity architectures;

  • to support model-based, comprehensive and scalable security solutions and their evaluation; and

  • to allow for the definition of architecture-based cybersecurity profiles and hierarchies of profiles.”


[Source: adapted from ISO.org info page]

Introduction

Using concepts and terms similar to the Common Criteria such as Target Of Evaluation and security profile, this three-part Technical Specification intends to explain how to: 


(a) Develop a security architecture (or design) for a complex system (a 'system of systems'); and 


(b) Evaluate a complex system against the security architecture.

Scope

The Working Draft's formal definition of "complex system" as "a system or system of systems" is self-referential and unhelpful.


The WD introduction refers somewhat obtusely to complex systems:

  • The complexity of security and legislation for privacy, cybersecurity or AI (hinting, perhaps, at 'the complex system' being a computer system of some sort plus its associated security arrangements ... and perhaps the associated compliance framework/s?); 

  • 'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);

  • Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.


"System" is defined in the WD as "arrangement of parts or elements that together exhibit a stated behaviour or meaning that the individual constituents do not".


Note 1 to entry: A system is sometimes considered as a product or as the services it provides.


Note 2 to entry: In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. aircraft system. Alternatively, the word “system” is substituted simply by a context-dependent synonym (e.g. aircraft), though this potentially obscures a system principles perspective.


Note 3 to entry: A complete system includes all of the associated equipment, facilities, material, computer programs, firmware, technical documentation, services, and personnel required for operations and support to the degree necessary for self-sufficient use in its intended environment. 

Structure

Main clauses (in a draft before being split into three parts):

  • 5: Overview

  • 6: Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"

  • 7: Security architecture evaluation - evaluating systems against criteria declared in their security profiles 

  • 8: Architecture-based security profiles 

  • 9: Composed security profiles - compilation of security profiles from individual systems comprising system-of-systems

  • Annex A: Architecture foundations

  • Annex B: Guidance for elaborating a security architecture

  • Annex C: Guidance for evaluating a security architecture

  • Annex D: Security example for a network infrastructure

Status

The standard development project commenced in 2023.


It is now at Committee Draft stage ... and about to be split into three parts:

  • ISO/IEC TS 27115-1 Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 1: Introduction and framework overview (due out in 2027). Scope: This document provides a framework to specify the cybersecurity of complex systems, including systems of systems. The framework uses basic architecture concepts to enable description of reference or solution security architectures.

  • ISO/IEC TS 27115-2 Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 2: Security architecture evaluation (due in 2028). Scope: This document provides a framework to evaluate the cybersecurity of complex systems, including systems of systems, based on ISO/IEC TS 27115-1. The framework uses basic architecture concepts to support model-based, comprehensive and scalable security solutions and their evaluation.

  • ISO/IEC TS 27115-3 Information security, cybersecurity and privacy protection — Cybersecurity of system of systems — Part 3: Security profiles (due 2029). Scope: This document provides a framework to describe security profiles based on ISO/IEC TS 27115-1 and ISO/IEC TS 27115-2. The framework uses basic architecture concepts to enable the definition of architecture-based security profiles and composition of profiles.


Commentary

This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the latest draft I've seen has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.

This page last updated:

14 March 2026

© 2026 IsecT Limited 
