ISO/IEC 27003:2010 Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27003 provides implementation guidance to help those implementing the ISO27k standards, covering the management system aspects in particular.
Purpose of the standard
ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of an ISMS implementation project. It describes the process of ISMS specification and design from inception to the production of implementation project plans, covering the preparation and planning activities prior to the actual implementation, and taking in key elements such as:
- Management approval and final authorization to proceed with the implementation project;
- Scoping and defining the boundaries in terms of ICT and physical locations;
- Assessing information risks and planning appropriate risk treatments, where necessary defining information security control requirements;
- Designing the ISMS;
- Planning the implementation project.
The standard references and builds upon other ISO27k standards, particularly the normative standards ISO/IEC 27000 and ISO/IEC 27001.
Structure and content of the standard
Here is the structure of the current, issued standard:
2. Normative references
3. Terms and definitions
4. Structure of this international standard
5. Obtaining management approval for initiating an ISMS project
6. Defining ISMS scope, boundaries and ISMS policy
7. Conducting information security requirements analysis
8. Conducting risk assessment and planning risk treatment
9. Design the ISMS
Annexes: an ISMS implementation checklist; roles and responsibilities for information security; information about internal auditing; information security policy structure; and monitoring and measuring the ISMS.
Status of the standard
The standard was published in 2010.
The standard is being substantially revised. The cunning plan is to update and re-align this standard with the revised 2013 version of ISO/IEC 27001, along with 27004 and 27005, and to a much lesser extent 27002. In other words, the revised version of this standard will offer advice on designing and implementing the management system part of the ISMS (as opposed to the information security controls), providing guidance for each main-text section of 27001 apart from risk management and metrics, which are covered by 27005 and 27004 respectively.
The title will become: “Information technology — Security techniques — Information security management system — Guidance” along with a new scope “This International Standard provides guidance concerning requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) as specified in ISO/IEC 27001:2013.” Depending on how the project turns out, it may extend the present standard from a project-based ISMS implementation guide to a whole-of-life ISMS design-development-operations guide ... or it may end up being a guideline that explains the meaning and intent of ISO/IEC 27001.
Status: the revised standard is at FDIS stage, likely to surface in 2017.
Apparently SC 27 wanted the standard to explain what needs to be done to implement ISO27k without specifying how to do it - an interesting challenge for an implementation guide!
The idea of explaining and expanding on the rather curt and stilted formal language of ISO/IEC 27001 has merit. The 2013 version of ISO/IEC 27001 was severely constrained by the boilerplate text and pressure from ISO/IEC JTC1 to achieve commonality between all the management systems standards. That leaves plenty of room for pragmatic explanation and guidance.
I’m also intrigued at the idea that 27003 might in due course extend beyond the ISMS implementation project to offer advice on the operation, management, monitoring and improvement of the ISMS in the years that follow. We’ll see how it turns out ...
It should dovetail nicely with the other ISO27k standards and prove invaluable for users of the standards. This one’s a keeper.