ISO/IEC SD 27103 — Information technology — Security techniques — Cybersecurity and ISO and IEC standards [draft]
If “cybersecurity” is simply a part of information security, then existing information risk and security standards are directly relevant to cyber risk and security.
An Information Security Management System (ISMS) as specified in ISO/IEC 27001 and other ISO27k standards is generally accepted as a comprehensive management system, governance framework or structure with which to manage information risks, including “cyber” risks pertaining to IT and the Internet.
Scope of the standard
This committee Standing Document will explain how ISO27k plus other ISO and IEC standards can usefully be applied to cybersecurity.
Content of the standard
The SD will provide background context and an explanation of the concepts and practices involved in proactively managing cyber risks, as already described in various standards. It will explicitly reference the relevant ISO and IEC standards, probably down to the first-level subclauses (e.g. ISO/IEC 27001:2013 clause 9.3).
The SD is currently at first draft.
If this SD clarifies that cyber risk and cybersecurity are merely a part of information risk and security, it will hopefully clear up the widespread perception that cyber is something different, new and special, requiring a different management approach. In particular, since an ISO27k ISMS is a proven framework for managing information risk and security as a whole in all kinds of organizations and industries, it is suitable for managing cyber risks and cybersecurity as an integral part of the broader information risk and security landscape.
It’s now unclear whether this will be published as a Technical Report, or remain an internal committee Standing Document (in which case, why would it have an ISO27k number?).
The fog of confusion is as dense as ever.
In short, don’t hold your breath for this one.