ISO/IEC 27101

Copyright © 2018 IsecT Ltd.

ISO/IEC 27101 — Information technology — Security techniques — Cybersecurity framework development guidelines [draft]


The standard will offer guidance for those developing cybersecurity frameworks.


Scope of the standard

The standard will define “a minimum set of concepts ... to help ease the burden” of those who are creating and implementing cybersecurity frameworks.


Content of the standard

5 Overview

6 Concepts

    6.1 Identify

    6.2 Protect

    6.3 Detect

    6.4 Respond

    6.5 Recover


A minimalist first Working Draft is available to members of SC27. 


Personal notes

This appears to be a kind of meta-standard (a standard about developing standards), jumping aboard the cybersecurity bandwagon.

Its intended audience is poorly defined:

  • Those who are “creating” cybersecurity frameworks presumably means standards bodies, hence this might be another SC27 internal guideline, a Standing Document in the lingo.
  • Those who are “implementing” cybersecurity frameworks presumably means the users of those standards.

I can barely guess what this project is doing at this stage: the outline structure suggests perhaps a set of considerations or controls operating at different stages of the incident lifecycle.

The WD1 introduction hints at aligning ‘cybersecurity frameworks’, defined self-referentially as “a basic set of concepts used to organize and communicate cybersecurity activities”. Unfortunately, ‘cybersecurity’ is not actually defined, hence this is yet another ISO27k standards project casually ducking a critical issue as if we won’t notice.

WD1 further confuses matters with a diagram that shows stuff feeding into an ISMS ... clearly implying strong similarities to information security management after all. Gosh, fancy that.

