ISO/IEC 27011:2016 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
This ISMS implementation guide for the telecomms industry was developed jointly by ITU-T and ISO/IEC JTC1/SC 27, with the identical text being published as both ITU-T X.1051 and ISO/IEC 27011.
Scope and purpose
“Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security controls in telecommunications organizations based on ISO/IEC 27002; [and]
Provides an implementation baseline of information security controls within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities, services and information handled, processed or stored by the facilities and services.”
Content of the standard
In addition to minor variations/explanations of the core content of ISO/IEC 27002, there is an ‘extended control set’ with additional advice for telecoms organizations on access controls, physical and environmental security, communications security and compliance. It includes further guidance on network security, covering “cyber attacks” and network congestion.
Status of the standard
The standard was first published in 2008.
It was revised to reflect the 2013 versions of ISO/IEC 27001 and 27002 and published in 2016.
A corrigendum was published in 2018, correcting the title of clause 8.2.1.
A revision project is at 2nd Working Draft stage. The title will become “Information security, cybersecurity and privacy protection - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations”.
ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:
- Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);
- Asset Management Guidelines [X.amg]: a guide to good asset management practices for telecoms organizations.
Those are not part of ISO/IEC 27011:2016. Perhaps they will become separate standards, or will be incorporated into the 3rd edition?
< Previous standard ^ Up a level ^ Next standard >