In addition to the ISO27k standards that have already been allocated numbers, SC27 is considering further ISO27k standards and internal committee documents through a number of Study Periods (SPs) leading normally to New Work Item Proposals (NWIPs), at which point (if agreed by SC 27) some become standards projects and are allocated ISO27k numbers ... and we set up the corresponding pages on this website to see them through to publication (or not, as the case may be).
Big data security capability maturity model (BDS-CMM) NWIP proposal
A NWIP has been proposed to develop a CMM-style standard covering “big data”.
According to the proposal, BDS-CMM would be used to assess the big data security capability level of organizations, taking account of four capability aspects: responsibilities, processes, technology/tools and staff skills in the area of big data security management.
In more detail, it would:
- Describe in a structured and standardized way a framework of best practices in the form of a process management and capability improvement model;
- Describe best practices addressing data security issues throughout the data lifecycle;
- Be extensible and applicable to any organization objectives;
- Present an organized set of practices and goals for data security.
Personal comments: I have two concerns with this proposal. First, despite the name, “big data”, as the term is generally understood and used, is not merely a straightforward extension of current data/IT trends towards bigger volumes of data as implied in the proposal. It refers to using different forms of data analysis to reveal useful patterns in truly enormous and dynamic data sets, well beyond the capabilities or realm of conventional data processing. Second, although CMM is a useful construct for measuring and driving maturity, I’m not convinced SC27 is well placed to specify ‘best practices’ in the area of big data security - or small data security for that matter. Good practices, fair enough ... but isn’t that what the ISO27k series already does?
Incident Response within ICT Security Operation SP
This SP is drafting a possible standard covering the operational aspects of incident response in the ICT security context. It may include incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion, but (for some reason) exclude the establishment of a Security Operations Centre. Expert contributions are sought.
Personal comments: incident response is just one part or phase of the incident management process, and ICT is only part of information security. I don’t know why the SP is so myopic, but it will hopefully be an integral part that refers to the remainder of ISO/IEC 27035 for a more rounded perspective.
Use of ISO27k for governmental/regulatory requirements SP
This project is exploring the use of ISO27k in connection with governmental oversight of organizational information security arrangements. The proposal is to generate an internal committee Standing Document listing authorities such as governments and regulatory bodies that demand or recommend compliance with the ISO27k standards in various laws and regulations.
Personal comments: whereas organizations that are legally obliged to comply with ISO27k standards should determine the requirements for themselves, a Standing Document may prove useful in reminding committee members that changes to the standards can have significant implications for users. It may also have marketing benefits, proving that the ISO27k standards have real value and purpose.
The call for contributions for this study period asked for inputs regarding:
- How cybersecurity, IT security and information security relate;
- Definitions of basic terms; [Hey, great idea! Let’s start with ‘cyber’ please ... see the following SPs also]
- Existing cybersecurity standards; and
- Standardization gaps within scope of SC 27.
Personal comments: contributions received so far have referred quite vaguely, as far as I can tell, to cybersecurity as some sort of subset or mashup of information security, IT security, cyberspace security, network security etc. An immediate issue, then, is the lack of clarity over terminology. The rapporteur notes, “The definition of Cybersecurity even the spelling of it need to be discussed and agreed as current definition is inconsistent”. That is obviously a stumbling block for a standard, particularly as all those areas are already covered by existing standards.
But, on past experience, that’s unlikely to prevent SC 27 pressing ahead regardless.
In practice, ‘cyber’ is used informally to refer to computing/IT, the Internet, serious nation-state or terrorist attacks on critical national infrastructures, artificial intelligence, electronics, robots, and no doubt other quite distinct things. These are not minor differences of interpretation or emphasis. They have markedly different implications for information risk and security.
Contributors also noted the amount of work going on around the world in the cybersecurity area, pointing out the trundling bandwagon as if that justifies anything, hence it is no surprise to see the rapporteur also note “Cybersecurity has emerged as a topic and must [sic] be addressed by SC 27 beyond a single standard, ISO/IEC 27032.”
Hmmm, call me a cynic but looks as if SC 27’s cunning plan can be summed up, once again, as: ready > fire > aim.
I hope to get the chance to challenge this at the next SC 27 meeting, even if that means standing resolutely in front of the bandwagon.
Perhaps I’ll also take the opportunity to suggest to SC 27 management that it is perfectly reasonable for the committee to demand that SPs generate a coherent and well-structured draft standard or donor document and a sound business case for SC 27 to avoid further work being canned (STOP being the new default). I’d be happy to help draft a Standing Document and business case template along those very lines, if asked nicely.
Relationship between ISO/IEC standards and cybersecurity SP
There is a separate SP with a remarkably similar scope and purpose to the Cybersecurity SP above. How odd. A starter document/skeleton standard emphasizes how Cybersecurity (inconsistently capitalized and not actually defined) can be achieved through information security (gosh, imagine that!). It promotes the idea of using a ‘Cybersecurity framework’ (defined as “A set of components that provide the functions and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving cybersecurity throughout the organization”) ... which looks suspiciously like an ISMS to me.
Personal comments: the 20+ pages of draft standard add nothing substantial to the field and could simply have been replaced by either nothing at all, or maybe a sentence or two in ISO/IEC 27000, 27001 and/or 27002. Contributions to the SP suggested miscellaneous updates to the text but nobody seems willing to define ‘cybersecurity’ or related ‘cyber’ terms, hence it’s all moot. The SP team deftly ducked the terminology and related scope and objective issues, leaving the Cybersecurity SP to define ‘cybersecurity’ (!)
Guidelines for cyber resilience SP
A study period is ongoing on ‘cyber resilience’ or ‘Cyber resilience’ or ‘Cyber Resilience’ (various forms are used). The term is unclear, so one of the jobs for the study will (hopefully) be to define it, along with ‘adverse cyber events’ ....
Quoting from the call for contributions: “Cyber resilience refers to the ability (of an organization, business process or system) to continuously deliver the intended outcome despite adverse cyber events. Organizational resilience refers to the adaptive capacity of an organization in a complex and changing environment (ISO 22300). These definitions will be revisited and are likely to be revised as part of the study period.”
An interim report on the study period suggested that it might lead to a new standard for a cyber resilience management system, or possibly variants of 27001 or 27002, or a standard on integrating ISO 22301 with ISO27k.
An outline or skeleton for the standard referred to potentially incorporating the whole of information security management, rather than just the activities associated with maintaining critical business activities through and despite incidents affecting IT systems and networks ... calling into question the scope and purpose of this project.
The study was extended until April 2017.
A report from the SP noted the intention to use ISO/IEC 27009 to develop a sector-specific version of ISO/IEC 27001 specifically for resilience - a curious interpretation of the phrase “sector-specific”. If it gets the green light, it will produce a technical specification rather than an international standard, providing “guidance on the role and contribution played by ISO/IEC 27001 and ISO/IEC 27002, as well as other relevant standards, in building an organisational capability for cyber resilience.”
Despite the extended period, the call for comments failed to drum up ANY enthusiasm for this standard, with NO (0, zero, naught, null, nil, nada, nowt) contributions received. How this SP ever came into existence in the first place is one of life’s mysteries, shrouded behind the committee's governance arrangements.
Rather than kill it off, the moribund project has been merged with WG1’s other cybersecurity study periods.
Personal comments: this duck is dead, floating inexorably towards the weir. A reference to ‘adverse cyber events’ did not clarify the meaning of ‘cyber’. The call for contributions unhelpfully referred to “the digital (cyber) domain” as well, adding to the fog of confusion. Furthermore, in the context of information risk and security, ‘resilience’ normally refers to business continuity (the continuation of critical business activities) rather than adaptability, hence the initial definition was not exactly helpful. In short it was ill-conceived.
Cloud-related security studies
An SC 27 WG4 study on the possible need for cloud computing security standards identified three areas of interest, and spawned at least three further studies:
- Cloud security assessment and audit - assessing, evaluating, reviewing or auditing cloud security arrangements.
- Cloud-adapted risk management framework - interpreting/adapting/applying ISO27k and other risk management approaches to cloud computing [may recommend an annex to ISO/IEC 27005 concerning cloud risks, rather than a separate standard]. A second call for contributions primarily identified the need to consider the different context in cloud versus traditional in-house IT operations, which affects the risks. The concept of stretching the definition of an ‘organization’ to cover multiple legal entities who collaborate to deliver cloud services might also be an issue for the existing ISO27k standards. The study may recommend a Technical Report rather than an International Standard.
- Cloud security components - separating out the individual elements necessary to build cloud security,
A further new work item was proposed by ITU-T, on “Guidelines for Cloud Service Customer Data Security”, covering situations where the cloud service provider is required to secure the customers’ data (which is not always the case: sometimes the customer remains responsible).
Yet another NWIP has been proposed, along with an initial contribution for “The architecture of trusted connection to cloud services”.
Oh and another: “The architecture for virtual root of trust on cloud platform”.
A short SP on “Emerging virtualization security” took inputs from the Cloud Security Alliance on NFV (Network Function Virtualization) covering virtual networks specifically, as opposed to virtual systems, storage and applications. Or reality.
Competences for information security testers and evaluators
“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [quoted from the NWIP].
The NWIP pointed out that a lack of standards in this area leads to inconsistencies in the conformance testing performed by testers and test labs.
Personal comments: the project looked set to go ahead with a standard ... but has since disappeared from my radar. Unless I missed it, it was not even mentioned at the WG1 plenary at the end of the Hamilton meeting. Possibly it was merged into the project on ISO/IEC 27021?
Risk Handling Library SP
This SP is proposing to develop another SD (committee internal Standing Document). Support for the SP has been lacklustre, partly because the purpose of the grandly named but curiously obtuse ”Risk Handling Library” (RHL) is unclear - not just badly described but arguably ill-conceived. Who is it aimed at? What benefits will it provide?
The SD may catalog risk-related content in both current and future/planned ISO27k standards. A draft produced in April 2017, was a simple spreadsheet referencing ISO27k and other standards that happen to mention risk. It didn’t cite the specific sections where risk is mentioned, nor is there any intention to include relevant sections of text - it’s basically just a bibliography.
Personal comments: it was resolved to continue this work, even though it appears to overlap with both the Terminology Working Group and SD6 “Glossary of IT Security Terminology”.
SC 27 has a knack of setting off with a flourish on journeys to unknown destinations by unclear routes for uncertain reasons, then promptly stumbling its way into tar pits and quagmires. Personally, I suspect the recurring nightmare has a governance cause ... and yet it could be seen as a means to release or stimulate free-thinking creativity. That would be fine if we didn’t have a mountain of more tedious and important, even urgent work on our plates already (27002 revision, 27005 re-revision, IoT security, cloud security, blah blah blah), or if the creativity extended to re-designing the way the committee operates. Adding yet more stuff to the top of the pile really isn’t helping matters. Or, to invert the simile, it’s tough to dig your way out of a hole ... so stop digging!
Information Security Library, ISL
A project is studying the need for an “Information Security Library” (ISL) standard explaining how all the standards within the remit of SC 27 fit together, and how organizations might choose to use them [which sounds to me a lot like the overview function of the present ISO/IEC 27000, albeit perhaps extending beyond the ISO27k standards to include privacy, identity management etc.]. Internally within SC 27, the ISL would drive the continued development of the standards, envisaging an accelerated timeframe for the more dynamic technology-driven IT security elements relative to the slower-evolving business-driven information security and governance parts.
A draft of SC 27 Standing Document 16 suggests developing the ISL as (in effect) a roadmap for SC 27’s activities. Maintaining/updating and extending Annex A of ISO/IEC 27001 would become the focal point of many if not all of SC 27’s projects.
Cybersecurity maturity model
A project has been proposed to develop a maturity model covering cybersecurity, defined inter alia as “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
Personal comments: unfortunately, ‘the Cyberspace’ is inconsistently defined, hence it is far from clear what the maturity model would actually cover. I’m unsure who would benefit from such a maturity model anyway.
Privacy enhancing data de-identification techniques
A NWIP, complete with a good donor document to get things off to a flying start, is proposing a standard on techniques to anonymize or pseudononymize data containing personal information, in support of ISO/IEC 29100 Privacy framework.
The following study periods have ended: ex-SPs, they are no more
Cyber insurance SP
Studied the possibility of developing a Technical Specification on ‘cyber insurance’. The term was unclear.
The audience for the standard might have be information security pro’s interested in taking up cyber insurance as a risk-sharing option, and/or the insurance industry providing such insurance.
Australia Standards kindly provided a substantial template as a potential starting point for the project, if it gets the go-ahead. Good start!
The study was extended until October 2016, then canned.
A revised scope and draft was produced, forming the basis of a NWIP with just 3 main clauses: concepts; sharing cybersecurity information between insurer and insured; and information required by the insurer. The proposed title was “Guidelines for cyber insurance”.
Personal comments: notably absent was any hint of the business case for using cyber insurance as a risk treatment option - the pros and cons, costs and benefits of so doing. And I have yet to see a meaningful definition of ‘cyber insurance’ that doesn’t lamely refer to the equally vague and undefined ‘cyber security’.
Internet of Things - security and privacy
Given that the term means different things to different people, a new work item to write a security standard for the Internet of things would pose an interesting challenge for SC 27 right now!
ISO/IEC JTC1/Working Group 7 (not SC 27) is preparing an architectural standard to define the terms and concepts that users and other standards committees can use in due course. WG 7 is mainly concerned with sensor networks, hence their interest in the Internet of Things such as smart grid, smart city etc., where various devices with various sensors are able to link up and pass along information. There are substantial confidentiality, privacy, integrity and availability issues with some of the implementations, hence an information security standard seems likely to follow. However, there seems to be more to the Internet of Things than smart grids and sensor networks, hence SC 27 also initiated a study period on the “Security and privacy issues on Internet of Things”.
The Study Project is looking into the need to address the following (more or less):
- Gateway security
- Network Function Virtualization (NFV) security
- Management and measurement of IoT security (metrics)
- Open Source assurance and security
- IoT risk assessment techniques
- Privacy and big data
- Application security guidance for IoT
- IoT incident response guidance.
Information security risks and opportunities
This study period took over from one on “Cloud and new technologies risk management”, specifically addressing clause 6.1 of ISO/IEC 27001, concerning the risks and opportunities that the organization intends to address with an ISMS, plus other parts of 27001 if appropriate. Paraphrasing the terms of reference for the study period, it is envisaged that the standard will address:
a) The integration of information security into the business, picking up on the ‘opportunities’ component of 27001 clause 6.1;
b) The whole lifecycle [of information, information risk, the business, the ISMS or something else - it’s not clear at this point];
c) Cloud and new data technologies;
d) ‘Advanced’ risk management topics, such as those ruled out of scope of the current by ISO/IEC 27005 revision project;
e) Situations where the ISMS covers an entire organization, a part, or a set of parts.
[Unless I’m missing the linkages, that looks to me like a rag-bag of distinct issues, loose ends from other projects thrown into the melting pot for a new project. I wouldn’t be surprised if the final product only covers some of those, and perhaps other stuff too. With such an apparent lack of clarity and focus on the scope at the outset, this project faces a bumpy road ahead unless the Study Period pins it down.]
Initial responses to the call for inputs have included:
- A proposal to document SWOT;
- A 6-page specification for inputs to this Study Period (!);
- A proposal to discuss the application of ISO/IEC 27001 in an organization that spans multiple jurisdictions, and/or that uses cloud computing;
- A proposal to clarify terminology when explaining intuitive activities;
- Comments to the effect that ‘risks and opportunities’ in 27001 refers to information risks and opportunities to improve the ISMS, and 27003 would be the best place to clarify that; and that any move to develop another risk management approach (instead of sticking with ISO 31000) is retrograde.
Personal comments: this SP was a non-starter. It’s not that the subject matter is unimportant (quite the contrary), rather that the initial SP outline lacked clear direction and purpose, especially since most of the proposed content would be better incorporated in other standards such as 27003, 27004, 27005 and 27014 (among others). Unfortunately, a fundamental issue with clause 6.1 remains unresolved - namely the committee’s confusion and conflation of risks relating to the management system with risks relating to information.
Information Security Code of Practice for the Aviation Industry
A study period evaluated the need for (in essence) a version of ISO/IEC 27002 customized/adapted for the aviation industry. The study was extended to give relevant bodies (such as ICAO, IATA, ITU-T, EASA, EUROCONTROL, FAA and EUROCARE) the opportunity to establish formal liaisons but the lack of engagement by those bodies, stemming from no demand for an ISO27k standard from the aviation industry, led to the study period and proposed standard being cancelled. It’s not that the intensely-regulated aviation industry doesn’t need information security, rather that an aviation version of 27002 would not be helpful.
Personal Information Management System
It was proposed to develop a standard specifying a Personal Identification Management System (PIMS) based on ISO/IEC 27001 and possibly ’29100. The idea was to define common ground for the management of personal information, providing confidence in its management and facilitating compliance assessment against general privacy principles, data protection laws and good practices.
Issues to be addressed during the study period include assessing the viability of the project, and deciding whether to address “privacy”, “Personally Identifiable Information” and/or “personal information”.