In addition to the ISO27k standards that have already been allocated numbers, SC27 is considering further ISO27k standards and internal committee documents through a number of Study Periods (SPs) leading normally to New Work Item Proposals (NWIPs), at which point (if agreed by SC 27) some become standards projects and are allocated ISO27k numbers ... and we set up the corresponding pages on this website to see them through to publication (or not, as the case may be).
Investigation of need for guidelines on Security Operation Center (SOC) SP
Since the design and management of an SOC is not common knowledge (except for organizations that already have one), this could be an interesting standard.
The SP took up where a previous one on “Incident response within ICT security operation” left off.
Personal comments: hopefully this will complement ISO/IEC 27035.
Guidelines for security and privacy in Internet of Things (IoT) SP
Presumably the standard in intended to cover information risks and security controls for IoT, with a special emphasis on privacy (the previous SP on “Guidelines for security in Internet of Things (IoT)” was terminated).
ISO/IEC JTC1/Working Group 7 (not SC 27) is preparing an architectural standard to define the terms and concepts that users and other standards committees can use in due course. WG 7 is mainly concerned with sensor networks, hence their interest in the Internet of Things such as smart grid, smart city etc., where various devices with various sensors are able to link up and pass along information. There are substantial confidentiality, privacy, integrity and availability issues with some of the implementations, hence an information security standard seems likely to follow. However, there seems to be more to the Internet of Things than smart grids and sensor networks, hence SC 27 also initiated a study period in this area.
Big data security capability maturity model (BDS-CMM) NWIP proposal
A NWIP has been proposed to develop a CMM-style standard covering “big data”.
According to the proposal, BDS-CMM would be used to assess the big data security capability level of organizations, taking account of four capability aspects: responsibilities, processes, technology/tools and staff skills in the area of big data security management.
In more detail, it would:
- Describe in a structured and standardized way a framework of best practices in the form of a process management and capability improvement model;
- Describe best practices addressing data security issues throughout the data lifecycle;
- Be extensible and applicable to any organization objectives;
- Present an organized set of practices and goals for data security.
Personal comments: I have two concerns with this proposal. First, despite the name, “big data”, as the term is generally understood and used, is not merely a straightforward extension of current data/IT trends towards bigger volumes of data as implied in the proposal. It refers to using different forms of data analysis to reveal useful patterns in truly enormous and dynamic data sets, well beyond the capabilities or realm of conventional data processing. Second, although CMM is a useful construct for measuring and driving maturity, I’m not convinced SC27 is well placed to specify ‘best practices’ in the area of big data security - or small data security for that matter. Good practices, fair enough ... but isn’t that what the ISO27k series already does?
Use of ISO27k for governmental/regulatory requirements SP
This project is exploring the use of ISO27k in connection with governmental oversight of organizational information security arrangements. The proposal is to generate an internal committee Standing Document listing authorities such as governments and regulatory bodies that demand or recommend compliance with the ISO27k standards in various laws and regulations.
Personal comments: whereas organizations that are legally obliged to comply with ISO27k standards should determine the requirements for themselves, a Standing Document may prove useful in reminding committee members that changes to the standards can have significant implications for users. It may also have marketing benefits, proving that the ISO27k standards have real value and purpose.
The call for contributions for this study period is seeking inputs regarding:
- Feedback on the working definition of cybersecurity €“Safeguarding of society in the digital age” Should "from digital risks" be included in the definition? Should "people, organization, nation" be added to "society" in the definition? Should this be the basis for our definition or are there suitable alternatives?
- Should it be cybersecurity OR cyber security OR cyber-security?
- Which of the following actions should SC27 undertake: development of a stand-alone document that explains cybersecurity; systematic revision of WG1 and WG4 standards portfolio and a series of actions such as revise, rename, develop new, or retire; development of an international cybersecurity framework standard.
- Suggestions for communication plan and outreach (e.g., ask the ISO staff to add cybersecurity, cyber security, and cyber-security as the key words to include in the online search for SC27 standards).
- Feedback on whether "cybersecurity" should be included in SC27 committee name and its standing documents.
- Feedback on how the perspective of "cyber resilience" should be handled in this study period.
- Additional listings and summaries of existing cybersecurity efforts not already mentioned in Annex A of WG 1 N784 (Cybersecurity SP Rapporteurs Report for New Zealand meetings).
Personal comments: the lack of clarity over terminology continues to dog this SP. The rapporteur noted, “The definition of Cybersecurity even the spelling of it need to be discussed and agreed as current definition is inconsistent”. That is obviously a stumbling block for a standard, particularly as all those areas are already covered by existing standards.
But, on past experience, that’s unlikely to prevent SC 27 pressing ahead regardless.
In practice, ‘cyber’ is used informally to refer to computing/IT, the Internet, serious nation-state or terrorist attacks on critical national infrastructures, artificial intelligence, electronics, robots, and no doubt other quite distinct things. These are not minor differences of interpretation or emphasis. They have markedly different implications for information risk and security.
Contributors also noted the amount of work going on around the world in the cybersecurity area, pointing out the trundling bandwagon as if that justifies anything, hence it is no surprise to see the rapporteur also note “Cybersecurity has emerged as a topic and must [sic] be addressed by SC 27 beyond a single standard, ISO/IEC 27032.”
Hmmm, call me a cynic but looks as if SC 27’s cunning plan can be summed up, once again, as: ready > fire > aim.
I’d suggest to SC 27 management that it is perfectly reasonable for the committee to demand that SPs generate a coherent and well-structured draft standard or donor document and a sound business case for SC 27 to avoid further work being canned (STOP being the new default). I’d be happy to help draft a Standing Document and business case template along those very lines, if asked nicely.
Guidelines for cyber resilience SP
A study period is ongoing on ‘cyber resilience’ or ‘Cyber resilience’ or ‘Cyber Resilience’ (various forms are used). The term is unclear, so one of the jobs for the study will (hopefully) be to define it, along with ‘adverse cyber events’ ....
Quoting from the call for contributions: “Cyber resilience refers to the ability (of an organization, business process or system) to continuously deliver the intended outcome despite adverse cyber events. Organizational resilience refers to the adaptive capacity of an organization in a complex and changing environment (ISO 22300). These definitions will be revisited and are likely to be revised as part of the study period.”
An interim report on the study period suggested that it might lead to a new standard for a cyber resilience management system, or possibly variants of 27001 or 27002, or a standard on integrating ISO 22301 with ISO27k.
An outline or skeleton for the standard referred to potentially incorporating the whole of information security management, rather than just the activities associated with maintaining critical business activities through and despite incidents affecting IT systems and networks ... calling into question the scope and purpose of this project.
The study was extended until April 2017.
A report from the SP noted the intention to use ISO/IEC 27009 to develop a sector-specific version of ISO/IEC 27001 specifically for resilience - a curious interpretation of the phrase “sector-specific”. If it gets the green light, it will produce a technical specification rather than an international standard, providing “guidance on the role and contribution played by ISO/IEC 27001 and ISO/IEC 27002, as well as other relevant standards, in building an organisational capability for cyber resilience.”
Despite the extended period, the call for comments failed to drum up ANY enthusiasm for this standard, with NO (0, zero, naught, null, nil, nada, nowt) contributions received. How this SP ever came into existence in the first place is one of life’s mysteries, shrouded behind the committee's governance arrangements.
Rather than simply kill it off, the moribund project has been merged with WG1’s other cybersecurity study periods.
Personal comments: this duck is dead, floating inexorably towards the weir. A reference to ‘adverse cyber events’ did not clarify the meaning of ‘cyber’. The call for contributions unhelpfully referred to “the digital (cyber) domain” as well, adding to the fog of confusion. Furthermore, in the context of information risk and security, ‘resilience’ normally refers to business continuity (the continuation of critical business activities) rather than adaptability, hence the initial definition was not exactly helpful. In short it was ill-conceived.
Cloud-related security studies
An SC 27 WG4 study on the possible need for cloud computing security standards identified three areas of interest, and spawned at least three further studies:
- Cloud security assessment and audit - assessing, evaluating, reviewing or auditing cloud security arrangements.
- Cloud-adapted risk management framework - interpreting/adapting/applying ISO27k and other risk management approaches to cloud computing [may recommend an annex to ISO/IEC 27005 concerning cloud risks, rather than a separate standard]. A second call for contributions primarily identified the need to consider the different context in cloud versus traditional in-house IT operations, which affects the risks. The concept of stretching the definition of an ‘organization’ to cover multiple legal entities who collaborate to deliver cloud services might also be an issue for the existing ISO27k standards. The study may recommend a Technical Report rather than an International Standard.
- Cloud security components - separating out the individual elements necessary to build cloud security,
A further new work item was proposed by ITU-T, on “Guidelines for Cloud Service Customer Data Security”, covering situations where the cloud service provider is required to secure the customers’ data (which is not always the case: sometimes the customer remains responsible).
Another NWIP has been proposed, along with an initial contribution for “The architecture of trusted connection to cloud services”, subsequently re-titled “Trusted connections for Internet based services”.
Oh and another: “The architecture for virtual root of trust on cloud platform”.
A short SP on “Emerging virtualization security” took inputs from the Cloud Security Alliance on NFV (Network Function Virtualization) covering virtual networks specifically, as opposed to virtual systems, storage and applications. Or reality.
Competences for information security testers and evaluators
“The scope of the proposed standard is to provide the minimum requirements for the competence of individuals performing testing and evaluation activities using ISO/IEC standards for evaluating or testing the security functionality of IT products.” [quoted from the NWIP].
The NWIP pointed out that a lack of standards in this area leads to inconsistencies in the conformance testing performed by testers and test labs.
Personal comments: the project looked set to go ahead with a standard ... but has since disappeared from my radar. Unless I missed it, it was not even mentioned at the WG1 plenary at the end of the Hamilton meeting. Possibly it was merged into the project on ISO/IEC 27021?
Risk Handling Library SP
This SP is proposing to develop another SD (committee internal Standing Document). Support for the SP has been lacklustre, partly because the purpose of the grandly named but curiously obtuse ”Risk Handling Library” (RHL) is unclear - not just badly described but arguably ill-conceived. Who is it aimed at? What benefits will it provide?
The SD may catalog risk-related content in both current and future/planned ISO27k standards. A draft produced in April 2017, was a simple spreadsheet referencing ISO27k and other standards that happen to mention risk. It didn’t cite the specific sections where risk is mentioned, nor is there any intention to include relevant sections of text - it’s basically just a bibliography.
Personal comments: it was resolved to continue this work, even though it appears to overlap with both the Terminology Working Group and SD6 “Glossary of IT Security Terminology”.
SC 27 has a knack of setting off with a flourish on journeys to unknown destinations by unclear routes for uncertain reasons, then promptly stumbling its way into tar pits and quagmires. Personally, I suspect the recurring nightmare has a governance cause ... and yet it could be seen as a means to release or stimulate free-thinking creativity. That would be fine if we didn’t have a mountain of more tedious and important, even urgent work on our plates already (27002 revision, 27005 re-revision, IoT security, cloud security, blah blah blah), or if the creativity extended to re-designing the way the committee operates. Adding yet more stuff to the top of the pile really isn’t helping matters. Or, to invert the simile, it’s tough to dig your way out of a hole ... so stop digging!
Information Security Library, ISL
A project is studying the need for an “Information Security Library” (ISL) standard explaining how all the standards within the remit of SC 27 fit together, and how organizations might choose to use them [which sounds to me a lot like the overview function of the present ISO/IEC 27000, albeit perhaps extending beyond the ISO27k standards to include privacy, identity management etc.]. Internally within SC 27, the ISL would drive the continued development of the standards, envisaging an accelerated timeframe for the more dynamic technology-driven IT security elements relative to the slower-evolving business-driven information security and governance parts.
A draft of SC 27 Standing Document 16 suggests developing the ISL as (in effect) a roadmap for SC 27’s activities. Maintaining/updating and extending Annex A of ISO/IEC 27001 would become the focal point of many if not all of SC 27’s projects.
Cybersecurity maturity model
A project has been proposed to develop a maturity model covering cybersecurity, defined inter alia as “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
Personal comments: unfortunately, ‘the Cyberspace’ is inconsistently defined, hence it is far from clear what the maturity model would actually cover. I’m unsure who would benefit from such a maturity model anyway.
The following study periods have ended: ex-SPs, they are no more
Information security risks and opportunities
This study period took over from one on “Cloud and new technologies risk management”, specifically addressing clause 6.1 of ISO/IEC 27001, concerning the risks and opportunities that the organization intends to address with an ISMS, plus other parts of 27001 if appropriate. Paraphrasing the terms of reference for the study period, it is envisaged that the standard will address:
a) The integration of information security into the business, picking up on the ‘opportunities’ component of 27001 clause 6.1;
b) The whole lifecycle [of information, information risk, the business, the ISMS or something else - it’s not clear at this point];
c) Cloud and new data technologies;
d) ‘Advanced’ risk management topics, such as those ruled out of scope of the current by ISO/IEC 27005 revision project;
e) Situations where the ISMS covers an entire organization, a part, or a set of parts.
[Unless I’m missing the linkages, that looks to me like a rag-bag of distinct issues, loose ends from other projects thrown into the melting pot for a new project. I wouldn’t be surprised if the final product only covers some of those, and perhaps other stuff too. With such an apparent lack of clarity and focus on the scope at the outset, this project faces a bumpy road ahead unless the Study Period pins it down.]
Initial responses to the call for inputs have included:
- A proposal to document SWOT;
- A 6-page specification for inputs to this Study Period (!);
- A proposal to discuss the application of ISO/IEC 27001 in an organization that spans multiple jurisdictions, and/or that uses cloud computing;
- A proposal to clarify terminology when explaining intuitive activities;
- Comments to the effect that ‘risks and opportunities’ in 27001 refers to information risks and opportunities to improve the ISMS, and 27003 would be the best place to clarify that; and that any move to develop another risk management approach (instead of sticking with ISO 31000) is retrograde.
Personal comments: this SP was a non-starter. It’s not that the subject matter is unimportant (quite the contrary), rather that the initial SP outline lacked clear direction and purpose, especially since most of the proposed content would be better incorporated in other standards such as 27003, 27004, 27005 and 27014 (among others). Unfortunately, a fundamental issue with clause 6.1 remains unresolved - namely the committee’s confusion and conflation of risks relating to the management system with risks relating to information.