
Two new ISO27k projects: ISMS guidance for the neglected mediums and the SME dilemma

  • Gary Hinson
  • 3 days ago
  • 2 min read
No, not that kind of 'medium'!

Two new ISO/IEC JTC 1/SC 27/WG 1 standards projects are under way, raising fundamental questions about how we standardise and promote information security.



1. Practical ISMS implementation guidance


First, we are defining the scope and plan for a second part to ISO/IEC 27003 (possibly a distinct standard or some other format). This project aims to offer ISMS implementation advice for small, medium and large organisations, with a specific emphasis on the "mediums": the middle ground of organisations that are neither micro-businesses nor global mega-corps.


There is concern within the committee that implementation guidance might be misinterpreted by ISO/IEC 27001 conformity assessors as additional ISMS certification requirements. Personally, I suspect this is a non-issue; we can easily ensure the formal wording remains explicit on that point. More importantly, I feel this unfounded fear hinders our ability to offer genuine help to implementers.


Are there perhaps too many security consultants on the committee worried about losing custom? Or too many conformity assessors with their myopic view of auditing?


Maybe I am just cynical, but we should tackle this frustrating impediment to progress.



2. InfoSec guidance for SMEs and micro-organizations


Second, there is a project to develop information security guidance specifically for SMEs, including the micro-organizations that constitute a huge proportion of the global economy. At present, these smaller players are not well served by the ISO27k suite.


Currently, the committee seems to be gravitating toward a checklist or shrunken controls catalogue based on ISO/IEC 27002, rather than the full risk-based, process-driven approach of ISO/IEC 27001. Various bodies have trodden this path before with disappointing results. While there is plenty of well-meaning SME security guidance available (see the appendix to our own guide Adaptive SME Security), there has been remarkably little enthusiastic uptake or industry consensus.


The core problem with 'checklist security' is the difficulty of mandating key controls while also allowing enough flexibility to suit differing SME business and risk contexts, with limited resources. Perhaps SMEs are simply too diverse for this level of standardization. I suspect most are understandably wary of further compliance pressure.



The path ahead


The scoping and planning for both projects will continue throughout this year. The goal is to produce draft standards with widespread committee and industry support, which means the door is open for creative input right now.


If you wish to get involved:

  • Contact your national standards body about contributing to their SC27 "shadow committee" or cybersecurity standards team.

  • Join the conversation on the ISO27k Forum, or comment below. If you disagree with my perspective or have better ideas for how we can support SMEs, do please chip in.



© 2026 IsecT Limited 
