Cyber-insurance standard update

  • Gary Hinson
  • Jan 17
  • 2 min read

Updated: Jan 18

Person aghast at the small amount of insurance cover verbiage compared to the great detail about exclusions

I've received the first Working Draft for the revision of ISO/IEC 27102:2019 - "Information security management - Guidelines for cyber-insurance".


With a new title already approved ("Information security, cybersecurity and privacy protection — Guidelines for applying ISO/IEC 27001 and related standards in support of cyber insurance") and a revised scope, the committee intends to refocus the second edition more explicitly on the Information Security Management System "to make this standard more relevant and provide readers with an immediate link to how an ISMS can be of benefit when considering cyber insurance".


The first edition's clause 8 "Role of ISMS in support of cyber-insurance" will presumably be expanded beyond the present 4 pages of guidance.


Personally, I think I'd like the second edition to extend, or at least mention, the possibility of going beyond 'cyber' (implying deliberate hacker or malware attacks on networked computer systems and digital data), since an ISMS is intended to protect information in all forms, including valuable intellectual property, knowledge and paperwork (such as executed insurance policies!), against all manner of threats including accidents, errors and omissions, misinformation, disinformation and more.


Likewise, other forms of insurance can potentially complement 'cyber-insurance' (whatever that means - and I'm still not sure), such as:

  • Product liabilities

  • Key person risks

  • Business interruption

  • Property theft or damage

  • Professional indemnity

  • Fidelity, corporate malfeasance, misappropriation, embezzlement and other insider threats

  • Fraud and other impropriety

  • Financial risks

  • Safety and employment-related risks

  • Contractual risks and liabilities


Another aspect is that insured and insurer have a common interest in reducing the probability and impact of various incidents affecting information, forming a basis for a shared understanding and collaboration. The better an insured organisation's understanding and treatment of its information risks (with which the insurer can help, given access to information on a wider variety of organisations, industries, situations, risks, controls and incidents), the less need to call on insurance and (hopefully) therefore the lower its premiums. That suggests addressing the insurer's perspective on its business risks associated with its policies. This is important for all concerned in case of systemic risks including significant/widespread infrastructure incidents such as those increasingly associated with climate change and war.


So, lots here for me to contemplate. What about you? There's an opportunity to get involved in the revision project through your national standards body, to debate things with peers on the ISO27k Forum, and to influence my thinking along the way.

© 2026 IsecT Limited 