ISO/IEC TS 27100

ISO/IEC TS 27100:2020 — Information technology — Cybersecurity — Overview and concepts

(first edition)

Abstract

ISO/IEC TS 27100 "provides an overview of cybersecurity. [ISO/IEC TS 27100]: describes cybersecurity and relevant concepts, including how it is related to and different from information security; establishes the context of cybersecurity; does not cover all terms and definitions applicable to cybersecurity; and does not limit other standards in defining new cybersecurity-related terms for use."


[Source: ISO/IEC TS 27100:2020]

Introduction

According to this Technical Specification:

“Cybersecurity is a broad term used differently through the world. [ISO/IEC TS 27100] defines cybersecurity, establishes its context, and describes relevant concepts, including how cybersecurity is related to and different from information security.


Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks.”

Scope

Overview of cybersecurity: the standard explains various terms and concepts relating to cybersecurity and cyber risk management, contrasting them with information risk and security management.


"Cybersecurity is a broad term used differently through the world. Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Many of the information security controls, methods, and techniques can be applied to manage cyber risks ... Cybersecurity focuses on the risks in cyberspace, an interconnected digital environment that can extend across organizational boundaries, and in which entities share information, interact digitally and have responsibility to respond to cybersecurity incidents."


[Source: ISO/IEC TS 27100:2020]

Structure

Main sections:

  • 4: Concepts

  • 5: Relationship between cybersecurity and relevant concepts

  • 6: Risk management approach in the context of cybersecurity

  • 7: Cyber threats

  • 8: Incident management in cybersecurity

  • Annex A: A layered model representing cyberspace

Status

The current first edition of this Technical Specification was published in 2020 and confirmed unchanged in 2024.

Commentary

See also ISO/IEC 27032.


It seems to me two ‘cyber’ worlds coexist on parallel planes:

  1. Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by highly capable and determined foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It could be a delaying tactic. However, I may be a semi-paranoid conspiracy theorist.

  2. Plain old IT security, network security and Internet security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, a subset of information security in fact. Move along please, nothing much to see here.

Rather than clarifying the concepts and terminology, moving the field forward, the standard muddies the waters - possibly the desired outcome of #1 above.


Thankfully, it is just 17 pages and I suspect is destined to become a little-known cul de sac off the information superhighway, despite the project team’s desire for ISO to promote it as a substantial contribution to the field. They claim “cybersecurity is simply an evolution of information security” and that the standard “provides much needed explanation in the environment of general confusion about the differences and similarities between cybersecurity and information security”: ‘in the environment of general confusion’ is a curious way of putting it. Ironic, that, for a standard that is meant to clarify things ...

This page last updated: 2 November 2025

© 2025 IsecT Limited 
